​What Does the New Year Hold for Internal Audit?

Comments Views

​Two pieces by Deloitte merit our attention.

The first is Chief Audit Executives: Ready for the Spotlight (PDF).

It makes some interesting points.

  • Stop auditing the past. Instead focus on enabling the future (my words).
  • Convert the little pieces of information (perhaps individual audit reports) into big picture insights.


 

This is good advice.

One of the valuable new pieces of guidance that came out of the project (with which I was involved) to develop The IIA's principles for effective internal auditing was the idea that internal audit:

  • Should be forward-looking, and
  • Provide insights and advice as well as assurance.


 

CAEs in particular need to be willing to take more risks with their opinions, telling management and the board about the bigger issues (such as those I describe in my post on The Real Risks: The Ones Not in the Typical List of Top Risks).

Drilling down to the root cause of risk and control problems often leads to exposure of fundamental problems of leadership and so on.

The valuable CAE is the one who is brave enough to tell (or sing) the story.

With respect to "forward looking," we should remember why auditing controls adds value: when they know the controls are adequate in addressing risk, the board and management know they can rely on them now and tomorrow as they drive the organization to success.

We should assess controls in terms of their effect on today and tomorrow's operations, not on what might or might not have happened in the past. That is over.

The second Deloitte piece is Internal Audit Insights: High-impact Areas of Focus - 2017 (PDF).

It starts with this honest but alarming point:

… ​only 28 percent of CAEs believe their functions have strong impact and influence within their organizations.

It goes on to list eleven areas of focus for internal audit:

  • Strategic planning.
  • Third-party management.
  • Internal audit analytics.
  • Integrated risk assurance/combined assurance.
  • Cyber.
  • Digitalization.
  • Risk culture.
  • Strategic and emerging risks.
  • Sustainability assurance.
  • Media auditsNew reporting methods.


 

​The last is something I have been pressing for a while, with examples in my book (Auditing that matters). They seem to be quoting me (without attribution) when they say:

Tell stakeholders what they need to know, why they need to know it, and what they should do about it.

However, I don't condone their suggested use of heat maps (which fail to tell the true picture of risk) instead of using plain English!

Say what you mean to say (Bareilles). Honestly!

Instead of a list of areas to focus, let me suggest one. A simple one.

Aim to provide an opinion on the overall management (via controls) of the risks that matter to the success of the organization. Now, how can you get to that point? What work needs to be done?

OK, do it in 2017 and deliver the valuable information your board and executives need.

Your thoughts?


 

The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  • MNP_Nov 2017_Blog 1
  • IIA CIA_Nov 2017_Blog 2
  • IIA_Audit-Intelligence_Nov2017_Blog 3