Okay, it’s finally time (about time, many would say) to try
and bring this all home. Over a month ago, I started this diatribe by talking
about deregulation — how it appears that significant deregulation will be
coming to pass in relatively short order — and that internal audit shops need
to take a close look at the work they do to understand how such changes will
impact their operations, including the potential that they may not be needed
anymore. I then provided a historical perspective (starting here) showing how
this same thing happened to internal audit in the past. I also addressed the potentially
false salvation that came about because of Sarbanes-Oxley.
So, with all those words and thoughts under the bridge, let’s
come back to the central question: Are you actually prepared for the impact of
sweeping regulatory changes? Does your audit department know how to do anything
else? And, even if it does understand, and even if it is providing true value-added
services, do your stakeholders know and understand that value?
And before you answer too quickly, let me ask a few more
questions. Is your audit department striving to find new value? Or does everyone
assume the kind of work currently done is sufficient? Does the department feel
it is unnecessary to look for what may happen in the future because value-added
auditing is considered to be nothing more than the department’s ability to positively
respond when stakeholders make specific requests for additional work?
Here is my final cautionary tale. There are a number of
similar stories I could tell, but I’m going to return to the subject of
internal auditors and Sarbanes-Oxley.
When COSO produced the updated Internal Control–Integrated Framework a
couple of years ago, I had the opportunity to be one of the people delivering
The IIA’s training. I really enjoyed it because: 1) I like these facilitation
gigs, 2) I enjoy doing anything that helps strengthen the profession, and 3) I actually
felt like this update was an excellent advancement. COSO’s new framework made a whole
lot more sense to me than the old one.
But on many more than one occasion I would have a
twilight-zone experience. At some point, usually well into the presentation, someone
would come up to me during a break and indicate that they were the Sarbanes-Oxley experts
for their internal audit department. They would then express their displeasure
with the course because it had been their expectation that it would explain
what they were expected to provide regarding Sarbanes-Oxley.
Now, let’s skip the part that the description of the course
specifically stated that it did not cover Sarbanes-Oxley. (Auditors, as detail-oriented
people, should probably have seen the disclaimer, which was capitalized in bold.
But, as I say, we’re going to skip that.) No, here’s what bugged me.
These people introduced themselves as the experts. Let me
repeat that: They claimed to be the experts … on … Sarbanes-Oxley. And yet, they had expected
a course that would spoon feed them the answers they needed.
And, in more than one case, they indicated what they were
really looking for were details that would allow them to prepare for the
external auditor’s requests for information.
Again, think about that one. The experts (again, experts)
wanted someone to tell them what they needed to do so that they could fulfill
the expectations of someone else their company had hired to do the work.
Self-proclaimed experts looking for someone else to give
Here is why this story is even more painful than it may
first seem. This class provided anyone the information and ammunition necessary
to be well-informed to the point where they would not need to kowtow to
potentially misleading demands from others who also considered themselves Sarbanes-Oxley
It armed the attendees with knowledge.
If you understand the updates to COSO, and you are an expert
on Sarbanes-Oxley, then you should be the one telling others the information that will be
required. And if they disagree — if their understanding of the requirements
differs from yours — then it is their duty to provide the basis for their
understanding. They have to show why your understanding is faulty.
With knowledge, we act from a position of strength.
But these Sarbanes-Oxley experts responded in the same way I have seen
far too many auditors react in far too many situations. “Tell me how you want
me to test this. Tell me what risks you want me to review. Why don’t you just
tell me the name of the movie you’ve selected?” (As I said, I’ve got a lot of
Some internal auditors (and some internal audit shops) beg
to be made the victims. They are most comfortable when they are not asked to
change or when they are told exactly what to do.
I know that’s not your audit shop. You’d never act that way.
Of course not. But, then again, take a close look. How often are you working to
find the answers versus having the answers given to you? How often do others
mandate the work that your department will do? How often do you actually think
beyond the audit program that has been passed down for generations?
Here’s the ultimate message of all these words — the sermon
with the soup.
I have talked to a lot of audit shops that are primarily
compliance audit shops, or Sarbanes-Oxley audit shops, or financial audit shops, or any of
the myriad other types of audit shops that follow the plan, fill in the blank,
or just keep their heads down doing the work they are assigned. They tell me
they are providing the service that is required of them and that, by doing so,
they are providing real value.
And I look at a political climate that seems to have the
pendulum swinging away from regulation.
And it all begs a question: If your work is compliance, and
there is no longer as much to comply with, what would you say … you do here?
And it begs one further question. Talk to someone who
suffered through the outsourcing of the 1990s and ask them what happened. And
then take a long hard look at the work you are doing and ask yourself, can
someone else do it cheaper?
In the early 1980s, we had an audit manager (I never worked
for her, thank goodness) who used to say that she could train a monkey to be an
And I look around at fill-in-the-box auditors and checkbox
auditors and auditors whose programs are put together by the external auditors
and I begin to wonder, just how hard is it to train someone to fill in the box,
to check a checkbox, to unquestioningly complete an audit program that has been
handed to them? And I ask myself if that manager may have been more correct
than I realized.
I don’t believe the future of audit is in doing the same
thing we have always done. It is about finding innovative ways to provide new
and better value to our stakeholders. And, if we can accomplish that, then
there is nothing to be feared by a wave of deregulation (at least, for the profession
of internal audit).
But, if we stick with the plan and stick with the way we’ve
always done it and shy away from looking for unseen opportunities, then … well …
So, what is it you plan to do in the future? If all you have
been doing is compliance/financial/Sarbanes-Oxley audits, what is your next act? Or are
you a one-trick pony that is about to get a lesson in 1990s outsourcing?