The concept of the "future" auditor was introduced by Protiviti three years ago.
Brian Christensen and Jim DeLoach have returned to the topic in Internal Auditors: Want To Ensure Your Value And Relevance? Raise The Bar Within Your Profession.
This is a useful piece that merits our attention.
Let me first share and then comment on the primary points from 2014, reprised in Jim and Brian's piece:
[The future auditor]:
Is positioned to be objective with regard to the enterprise's operating units, business processes and shared functions and is vested with a direct reporting line to the board of directors or a committee of the board;
Understands the organization's business objectives and strategy and identifies risks that create barriers to the organization's achieving its objectives and executing its strategy successfully;
Is authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management and internal control processes that address its critical risks and creates value by making recommendations to strengthen those processes and keeping the appropriate executives and directors informed regarding open matters;
Uses a lines-of-defense perspective to ensure that risk management and internal control are functioning effectively;
Articulates the value contributed by a risk-based audit plan to the organization, providing an assurance perspective that the board and executive management can understand;
Maximizes the use of technology to achieve efficiencies in assessing risk, expanding audit coverage, automating critical internal controls, tracking issues, providing exception reports and mining and analyzing data to draw meaningful insights regarding emerging risks and process and control performance; and
Possesses escalation authority and proactively exercises that authority to bring important matters to the attention of executive management and the board on a timely basis.
Each of these points is important, but:
- It is critical for the people running the business to understand the objectives and related risks. Internal audit should determine whether that is the case and, if not, bring that serious matter to the attention of leadership. It is not internal audit's job to identify and assess risk — that's a management function and one of the most important responsibilities they have.
- Internal audit should seek to rely on management's identification and assessment of risks. If that is not reliable, teach them to fish.
- Internal audit should not only be "authorized to evaluate and challenge the design and operating effectiveness of the organization's governance, risk management, and internal control processes that address its critical risks." They should actually evaluate those processes and share their assessment with leadership.
- While technology can be a great tool, emphasizing it instead of other points like having a deep understanding of the business seems more like a marketing point for Protiviti's services.
The rest of the Protiviti points are very good and I won't comment further — please read and consider them.
However, there is an important omission. We addressed this when we (The IIA's task force) developed the core principles for effective internal auditing.
The principles talk about "foresight." I like to talk about "auditing forward."
In other words, worry about the risks that like ahead of us rather than those in our past. Does the organization have the capability to anticipate what might happen and take appropriate action?
Let's not audit history — let's provide advice and insight that helps the organization navigate its way forward to its objectives.
I welcome your comments and observations.