Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

The Sermon With the Soup - Provide Real Value or Die


Okay, it’s finally time (about time, many would say) to try and bring this all home. Over a month ago, I started this diatribe by talking about deregulation — how it appears that significant deregulation will be coming to pass in relatively short order — and that internal audit shops need to take a close look at the work they do to understand how such changes will impact their operations, including the potential that they may not be needed anymore. I then provided a historical perspective (starting here) showing how this same thing happened to internal audit in the past. I also addressed the potentially false salvation that came about because of Sarbanes-Oxley.

So, with all those words and thoughts under the bridge, let’s come back to the central question: Are you actually prepared for the impact of sweeping regulatory changes? Does your audit department know how to do anything else? And, even if it does understand, and even if it is providing true value-added services, do your stakeholders know and understand that value?

And before you answer too quickly, let me ask a few more questions. Is your audit department striving to find new value? Or does everyone assume the kind of work currently done is sufficient? Does the department feel it is unnecessary to look for what may happen in the future because value-added auditing is considered to be nothing more than the department’s ability to positively respond when stakeholders make specific requests for additional work?

Here is my final cautionary tale. There are a number of similar stories I could tell, but I’m going to return to the subject of internal auditors and Sarbanes-Oxley.

When COSO produced the updated Internal Control–Integrated Framework a couple of years ago, I had the opportunity to be one of the people delivering The IIA’s training. I really enjoyed it because: 1) I like these facilitation gigs, 2) I enjoy doing anything that helps strengthen the profession, and 3) I actually felt like this update was an excellent advancement. COSO’s new framework made a whole lot more sense to me than the old one.

But on many more than one occasion I would have a twilight-zone experience. At some point, usually well into the presentation, someone would come up to me during a break and indicate that they were the Sarbanes-Oxley experts for their internal audit department. They would then express their displeasure with the course because it had been their expectation that it would explain what they were expected to provide regarding Sarbanes-Oxley.

Now, let’s skip the part where the description of the course specifically stated that it did not cover Sarbanes-Oxley. (Auditors, as detail-oriented people, should probably have seen the disclaimer, which was capitalized in bold. But, as I say, we’re going to skip that.) No, here’s what bugged me.

These people introduced themselves as the experts. Let me repeat that: They claimed to be the experts … on … Sarbanes-Oxley. And yet, they had expected a course that would spoon feed them the answers they needed.

And, in more than one case, they indicated what they were really looking for were details that would allow them to prepare for the external auditor’s requests for information.

Again, think about that one. The experts (again, experts) wanted someone to tell them what they needed to do so that they could fulfill the expectations of someone else their company had hired to do the work.

Self-proclaimed experts looking for someone else to give them answers.

Here is why this story is even more painful than it may first seem. This class provided anyone the information and ammunition necessary to be well-informed to the point where they would not need to kowtow to potentially misleading demands from others who also considered themselves Sarbanes-Oxley experts.

It armed the attendees with knowledge.

If you understand the updates to COSO, and you are an expert on Sarbanes-Oxley, then you should be the one telling others the information that will be required. And if they disagree — if their understanding of the requirements differs from yours — then it is their duty to provide the basis for their understanding. They have to show why your understanding is faulty.

With knowledge, we act from a position of strength.

But these Sarbanes-Oxley experts responded in the same way I have seen far too many auditors react in far too many situations. “Tell me how you want me to test this. Tell me what risks you want me to review. Why don’t you just tell me the name of the movie you’ve selected?” (As I said, I’ve got a lot of stories.)

Some internal auditors (and some internal audit shops) beg to be made the victims. They are most comfortable when they are not asked to change or when they are told exactly what to do.

I know that’s not your audit shop. You’d never act that way. Of course not. But, then again, take a close look. How often are you working to find the answers versus having the answers given to you? How often do others mandate the work that your department will do? How often do you actually think beyond the audit program that has been passed down for generations?

Here’s the ultimate message of all these words — the sermon with the soup.

I have talked to a lot of audit shops that are primarily compliance audit shops, or Sarbanes-Oxley audit shops, or financial audit shops, or any of the myriad other types of audit shops that follow the plan, fill in the blank, or just keep their heads down doing the work they are assigned. They tell me they are providing the service that is required of them and that, by doing so, they are providing real value.

And I look at a political climate that seems to have the pendulum swinging away from regulation.

And it all begs a question: If your work is compliance, and there is no longer as much to comply with, what would you say … you do here?

And it begs one further question. Talk to someone who suffered through the outsourcing of the 1990s and ask them what happened. And then take a long hard look at the work you are doing and ask yourself, can someone else do it cheaper?

In the early 1980s, we had an audit manager (I never worked for her, thank goodness) who used to say that she could train a monkey to be an auditor.

And I look around at fill-in-the-box auditors and checkbox auditors and auditors whose programs are put together by the external auditors and I begin to wonder, just how hard is it to train someone to fill in the box, to check a checkbox, to unquestionably complete an audit program that has been handed to them? And I ask myself if that manager may have been more correct than I realized.

I don’t believe the future of audit is in doing the same thing we have always done. It is about finding innovative ways to provide new and better value to our stakeholders. And, if we can accomplish that, then there is nothing to be feared by a wave of deregulation (at least, for the profession of internal audit).

But, if we stick with the plan and stick with the way we’ve always done it and shy away from looking for unseen opportunities, then … well …

So, what is it you plan to do in the future? If all you have been doing is compliance/financial/Sarbanes-Oxley audits, what is your next act? Or are you a one-trick pony that is about to get a lesson in 1990s outsourcing?
