So far we’ve been discussing the rash of outsourcing that internal audit experienced in the 1990s, and the way boards responded when the subject was first broached — ignore those who wanted to outsource the department because the board understood the value internal audit provided, outsource the department but realize that value had been lost in the outsourcing and bring the internal auditors back, or outsource the department and never realize what was lost because the department had never really provided any value anyway.
But all that jockeying and selling and outsourcing and bringing back came to a grinding halt — not because everyone suddenly realized how invaluable an effective internal audit department might be, but because of the passing of one little law.
I’m guessing you guessed it by now.
Yes, in July of 2002, the U.S. Sarbanes-Oxley Act became the rule of the land. Also known by some of us as the “Full Employment Act for Auditors,” there was suddenly work sufficient to keep every internal auditor, external auditor, consultant, and Tom, Dick, and Harry, and Associates busy for what seemed to be the rest of our lives.
Now, there were a number of reasons this was a good thing for internal audit.
First, it showed that the world was starting to get serious about risk and control — areas about which we felt we had been preaching in the wilderness for quite a while. For example, suddenly everyone seemed to gain a new appreciation and fascination for all that stuff that COSO was publishing.
Second, it put some real legislative heat behind the ideas of risk and control.
Third, suddenly our knowledge about risk and control was in great demand, and people started listening a little more closely to the auditors.
And fourth, as noted above, there was suddenly great demand for people with even a whiff of internal audit skills.
However, with the good comes the bad. And, in this case, the bad was pretty well hidden. Further, the bad, as it turns out, may have been a lot worse than we imagined.
First, in bringing back all those auditors, it meant bringing back a lot of mediocre and really bad auditors. In other words, all those auditors who deserved to be outsourced — the ones who had no concept of what internal audit could be beyond compliance auditing, checkbox auditing, or being an accountant with an extra green eyeshade and the desire to find something wrong — were brought back, embraced, and put right back to work. Their mindless approach to audit work fit very well with some of the requirements of Sarbanes-Oxley compliance work. And, even if it didn’t, there were a lot of empty spaces to fill — and they had internal auditor on their resumes.
Second, even the good auditors, as they got sucked into the Sarbanes-Oxley compliance machine, began to turn off their brains. Ultimately, once someone understands Sarbanes-Oxley and the key controls and whatever mumbo-jumbo is required to be said before signatures can be signed, there isn’t a lot of additional gray matter needed.
(Note: I recently got in trouble for making a similar statement to a colleague. She took great umbrage at my portrayal of the Sarbanes-Oxley world. Accordingly, I think I should quickly add what you hopefully already know — these are just my opinions — no one else’s. However, from the experiences I’ve had working with internal audit shops, I still stand by my contention that a lot of the work related to Sarbanes-Oxley — work that is done after it is all set up — is … Well, we had a manager who once stated she could train a monkey to be an internal auditor. I never agreed with her, but I came awfully close when I saw how some internal auditors approached Sarbanes-Oxley work.)
Okay, I’m guilty of gross oversimplification.
But here’s why the impact of Sarbanes-Oxley was much worse than we thought (and part of the reason I made those previous statements). Quite simply, auditors forgot how to be auditors.
As the Sarbanes-Oxley tsunami began to abate, auditors, managers, directors, and chief audit executives came out of the woodwork trying to find training on how to perform operational audits. As I talked to auditors for whom I was providing training, and as I talked to those who were being trained elsewhere, they seemed to speak in one voice when I asked them what was going on. The auditors, by doing nothing but Sarbanes-Oxley work, had lost the skills necessary to evaluate operations.
Brief pause to let that one sink in.
That wasn’t one isolated incident; that was a lot of audit leaders.
And I heard similar stories from other trainers.
Good solid auditors — individuals who understood the value that was provided by doing more — succumbing to the siren call of popularity (Sarbanes-Oxley audits … they like us, they really like us) and the promise of continued work, no matter how rudimentary, forgetting the set of skills that had elevated the good internal audit departments to a position of respect and, dare we say, power.
But that is in the past, and we have come back. And internal audit now talks about being a trusted advisor, having a seat at the table, and being a profession that is, indeed, respected.
But have we learned anything? Sure, we fought the outsourcing and, while the outsourcing almost won, we prevailed. But have we forgotten how it all occurred in the first place?
I ask because of the huge volume of ticking and tying, compliance, financial-statement-focused departments I still run into.
And it is about to get nasty out there. If you haven’t understood or sold your unique value — if you think all they want is compliance or whatever brand of run-of-the-mill audit work you provide — a wet fist in the night is about to bring you to a new awareness.
Tonight’s homework. Take a look at that first post I wrote, the one that was basically introductory, and see what the connection is between a discussion of eliminating regulations and the impact of Sarbanes-Oxley.