All in all, I'm a pretty optimistic guy. I'm usually pretty positive that things will work out okay. I'm real positive that internal audit is an important profession that can and will impact organizations in a positive way. And I'm absolutely positive that this whole "semi-retired" thing is a really nifty way of life.
In spite of that positive and rosy outlook, I've been posting some rather pessimistic things lately. (For example, last week's post about how some/way-too-many audit departments handle corrective action.)
So, with this post, I'd really like to turn that around.
Unfortunately, that ain't gonna happen. You see, I've been reading The IIA's 2019 North American Pulse of Internal Audit and permeated throughout is enough to make even the most dyed-in-the-wool optimist begin to seriously think about upping their life insurance. (You can get a copy here, but I believe you'll have to be a member.)
First, in case you don't know, the Pulse of the Profession is an annual publication from the Audit Executive Center of The IIA that provides information on the thoughts and feelings of audit executives regarding some of the most important topics of the day. It's been going on since 2011 and it is always worth checking out.
And, as noted, the topics are always important ones. For example, the most current report — the one issued within the last couple of months — has four sections: Cybersecurity, Third-Party Risks, Emerging and Atypical Risks, and Board and Management Activity. A pretty good cross-section of the things and areas that audit leadership should be thinking about.
But, digging into this report, I see the continuation of an ugly, embarrassing, and dangerous trend within the profession — one that has lurked through almost all previous reports.
Let's start with the introduction. On page 5, the report states, "CAEs must seek out any opportunity to educate themselves about board and executive management views on risk to find proper alignment." An obvious statement that raises the question: why was it included? Apparently, something this fundamental to the success of internal audit is not the normal state of affairs. Its inclusion in the introduction indicates that our worst fears may be true, that we are not aligning with our primary customers. And this is supported by additional content within the report.
In the section on cybersecurity, page 9 states, "…more than 4 in 10 CAEs identified a lack of cooperation or communication from IT and a lack of support from executive management as having an extremely or very significant effect" on internal audit's ability to address cybersecurity risks. (Emphasis mine.) On page 8, while discussing the gap between respondents who feel ready to address cybersecurity and those who feel they should be ready, the report states, "It also suggests that there is a potential misalignment between risk priorities and the audit plan."
In section three (Emerging and Atypical Risks), page 19 contains the statement "About three-quarters of CAEs rated the board as very likely to rely on executive management, but fewer than half said the same for internal audit or the risk management function."
And then we get to section four, Board and Management Activity. Here's a few quotes.
"Nearly 6 in 10 CAEs report that internal audit rarely or never provides assurance on the quality of information given to the board nor does internal audit have formal discussions about the information with the board or management."
"Internal audit has limited ability to evaluate and provide assurance on the quality of information the board receives from [compensation, risk, and IT] committees."
"Analysis of CAE responses about the board and management activities indirectly raises a fundamental question of whether traditional reporting lines are sufficient to ensure that internal audit findings and recommendations are being heard."
"…structure and responsibility…create the real possibility that in some organization internal audit is not involved with committees that handle critical issues…"
Is anyone else seeing a seriously sickening trend here; audit departments that are not listening to the board and executives, not listened to by the board and executives, or not having any kind of effective communication with the board and executives?
Now, in and of itself, this might be troubling. But we all know we can get better, right?
However, this is not our first ride at this rodeo. Go all the way back to The IIA's 2011 report, "Insight: Delivering Value to the Stakeholders," and you will hear the same refrain. Here's just one quote: "…only 57 percent [of executives] indicated agreement that, in general, internal audit provided insight…" Go find the report and see how the world of internal audit has not changed. (Go back and read this one. You should find it eye-opening.)
And one of the issues you will find in every Pulse of the Profession — either stated explicitly or hidden not-so-deeply — is that internal audit is not working with its primary customers; it is not finding ways to make the department valuable, important, and worth its annual salary.
Internal audit is and should be a vital and important part of any organization. But, as long as we do nothing to change the perceptions about the department or the understanding of the value we can provide, we will just find ourselves in the back office behind the cafeteria next to the loading dock listening to the trash collectors empty the dumpsters.
And, it starts with us reaching out and listening. Let me repeat, listening. Let me repeat it again, listening. Not trying to hear what we want to hear, but hearing what they have to say. And then taking action, proving we care about our primary customers and making them the focus of our work.
I'm optimistic our profession can do what it takes to make itself better. I'm optimistic we can live up to the promise of our abilities. And I am optimistic we can make a significant difference.
But it won't happen until we listen and act. That's the only way we can prove the profession really has a pulse.