Half a century ago, the land underlying the municipalities of Lake Buena Vista and Bay Lake, Fla. was a largely unpopulated patchwork of cattle ranches, citrus groves, scrub forests, and alligator- and snake-infested swamps. But that’s not what the late Walt Disney saw in his mind’s eye when he overflew those 47 square miles, just south of Orlando, in November 1963. Instead, Disney saw a prime location for a family vacation mecca.
Disney died before he could savor the first fruits of his fertile imagination, the 1971 opening of the Magic Kingdom theme park. But his vision still is very much alive. The Walt Disney World Resort’s theme parks, golf courses, hotels, restaurants, retail stores, and other attractions now bring joy to nearly 30 million visitors each year.
This lore came to mind while I was on stage during The IIA’s 2013 International Conference — held a mere 10 miles from the Disney resort. I mused that although the practice and stature of internal auditing have advanced significantly since the Magic Kingdom’s grand opening, many of those gains are by-products of transcendent events. As I looked out at the roomful of internal auditors from around the world, it struck me that our profession is too important to the well-being of organizations and the global economy alike to leave its future direction to chance. So, I concluded, what better time than now for practitioners to channel their inner Disney and focus not on what internal auditing is, but rather on what it might be. Thus, as I assume the role of IIA chairman of the board, I have made my theme the challenge and rallying cry, Imagine the Possibilities!
A Lengthy Era of Transition
The first formal Standards for the Professional Practice of Internal Auditing, approved by The IIA’s Board of Directors 35 years ago when I was still a college student, defined our profession as “a control which functions by examining and evaluating the adequacy and effectiveness of other controls.” The words risk, governance, and consulting were nowhere to be found in those pioneering standards. This expansion of our profession’s services portfolio came only in 1999, during my stint at Arthur Andersen’s Business Risk Consulting practice, when the IIA board approved the contemporary definition of internal auditing. Specifically, that new definition requires practitioners to help their organization achieve its objectives “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Imagining The IIA's Future
During my year as The Institute’s board chairman, I plan to work diligently with my fellow senior volunteers, global institute leaders, and IIA staff to complete and implement numerous initiatives that I imagine will shape the profession for years to come. Among these are:
Executing institute/chapter agreements. I expect every global institute and North American chapter to sign a new agreement with The IIA to better articulate the roles and responsibilities of each. Fulfilling this initiative will help ensure institutes and chapters will focus on best serving their membership, while The IIA supports those needs and advances the global profession.
Sharpening the board’s focus on risk. As we redefine the various governance roles within the IIA volunteer structure, we will be able to better tap into the broad experiences and diverse perspectives of members of our board to help advance the profession in an increasingly complex world.
Advancing advocacy. I will work to advance the International Integrated Reporting Council’s agenda for making financial reporting more comprehensive, get ourInternational Standards for the Professional Practice of Internal Auditing (Standards) recognized by the global Financial Stability Board, and build close ties to associations that represent boards and audit committees.
Recasting the International Professional Practices Framework (IPPF). The foundation of our profession, the IPPF, may need to be restructured to meet our future practice needs. The study of this matter will require, in part, assessing whether theStandards are minimum requirements or aspirational, again reconsidering the definition of internal auditing, and evaluating whether there should be different levels of “strongly recommended” guidance.
Emphasizing certification. With the rollout of the new three-part Certified Internal Auditor exam and the new Certification in Risk Management Assurance exam, and further progress with the Certification Suite, I expect renewed emphasis on enhancing professionalism of internal auditors around the world by getting more internal auditors certified.
Identifying learning pathways. With the issuance of the new Competency Framework, focus now must turn to ensuring the availability of training and other global and local developmental pathways to help internal auditors achieve necessary competency levels.
Not long thereafter, internal auditors were thrust into the role of transforming the board’s vision of the profession into workplace actions. The governance debacles at Enron Corp., WorldCom Inc., and a host of other organizations roiled world financial markets just as I was assuming the chief audit executive (CAE) role at Aquila Inc., an energy company in Kansas City, Mo. These senior management-led financial reporting frauds, in turn, prompted many governments to enact remedial legislation such as the U.S. Sarbanes-Oxley Act of 2002.
These statutes — which, in general, require management to assess, attest to the adequacy of, and publicly report on the organization’s system of financial control — enabled our profession to showcase its control expertise. In fact, for several years, many internal audit activities were all but consumed by the tasks of helping guide management through its process of identifying and testing key financial controls and by providing independent, objective assurance that management’s test results were accurately reported. In 2004, my first full year as CAE at Atlanta-based energy company Mirant Corp., 75 percent of our internal audit hours were spent on Sarbanes-Oxley related activities.
The failures of numerous large financial institutions in 2008 triggered a global financial crisis that sparked a recession from which some nations still are struggling to emerge. Once more, many governments scrambled to enact systemic reform legislation, such as the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. And again, internal auditors gained prominence as regulators, audit committees, and other stakeholders began tapping our profession’s expertise in assessing the adequacy of organizations’ risk management processes and governance. I found that many of the risk management practices I learned at Arthur Andersen and honed at Aquila and Mirant were valuable in helping Mirant’s board and management become comfortable that they could weather the financial storm.
Time to Imagine Our Possibilities
Many longtime practitioners and observers of our profession conclude that internal auditors have so capably seized the many opportunities to shine afforded them during the last 15 years that our profession is more widely respected today than ever in its modern history. Although I too observe this generally is the case, practitioners cannot afford to sit contentedly by and wait to see what hand others will deal them next. Instead, the time has come for us to imagine our profession’s possibilities and begin taking giant steps toward realizing them.
Merely beginning this process likely will have a salutary effect on internal auditors and their stakeholders — notably, senior executives and audit committee members. For example, imagining future professional possibilities should help auditors find ongoing fulfillment in their work and gain confidence that they can become indispensable to their organization. Stakeholder witnesses of the process should become more comfortable that internal audit is striving to provide the assurance and advice they need to help the organization achieve sustainable success.
IIA President and CEO Richard Chambers says internal auditors worldwide have five “must dos” during the rest of this decade and possibly beyond. These imperatives are a solid foundation on which to base imagined possibilities for our profession:
- Embrace and leverage a continuous focus on risks. Risk assessment tends to be an annual activity; new risks often come to internal audit’s attention only after they have adversely impacted the organization in some way. I imagine it is possible to have more foresight than that, to be prescient enough to see risks emerging and alert management to their existence and implications before they cause harm. I imagine, for example, that auditors can find creative ways to tap into management’s monitoring of the external business environment, do their own research and monitoring, develop diagnostic tools, and brainstorm highly improbable “black swan” events.
- Provide assurance on risk management. Organizations cannot achieve their objectives merely by reporting financial information accurately and complying fully with the laws and regulations that have sprung up around the world in response to financial reporting frauds and financial crises. They also must manage key strategic and operational risks effectively. I imagine internal audit activities are capable of providing executives and directors with assurance related to those and other key risks and even going one step further by providing assurance on the adequacy of the risk management system as a whole.
Although this latter activity may seem somewhat daunting and professionally risky, I envision that simply providing negative assurance — that is, being content telling the C-suite and the audit committee that “during the limited number of audits conducted this year, nothing has come to our attention to indicate risk management is not effective” — will be insufficient in the future. Instead, I imagine we must position internal audit as providers of positive assurance to stakeholders that “risk management activities are designed adequately and operating effectively to provide reasonable assurance that risks are managed to an acceptable level and objectives can be achieved.”
- Enhance proficiency with data mining and analytics. The data being created, stored, and analyzed for business purposes is proliferating at an incredible rate — a phenomenon commonly referred to as big data. I imagine all internal auditors, not just the IT specialists among us, will begin learning how to access their organization’s data trove whenever they need it, creatively mine and analyze that data, and develop dashboards that not only will facilitate the audit process but also serve as continuous monitoring and strategic decision-making tools for management.
- Secure a “seat at the table” during pivotal strategic and operational discussions by management. This imperative does not entail internal auditors making strategic and operating decisions; rather, it is about giving executives confidence they can make such decisions. Auditors must earn their seat at the decision-making table, and I imagine they can do so by sharing knowledge that will help management fully understand the risks inherent in its various strategic and operational action plans. This goes beyond understanding the “what could go wrong” risks. It also includes embracing and pursuing the “what must go right” risks. I further imagine internal auditors can provide assurance that their organization has the people, processes, and systems capabilities needed to successfully execute those actions and manage those risks.
- Develop expertise in addressing key risks. The skills of many of today’s internal auditors are insufficient to meet the preceding four imperatives. I imagine all CAEs will ensure their staff possesses the diverse set of competencies now needed for success. These capabilities most notably include business and industry knowledge, risk acumen, technology skills, critical thinking skills, and creative problem-solving capabilities. I envision that fulfilling this task may require looking for new sources of talent, adopting different training sources and methods, and embracing novel ways of coaching and mentoring staff.
This list is far from comprehensive. Imagine, for example, the opportunities presented to internal audit by emerging technologies. Imagine carrying around only a tablet device while conducting an audit to access data anywhere — whether on a factory floor or in the C-suite. And imagine software capable of depicting every step in a business process, thereby enabling internal auditors to visually rearrange that process to enhance controls and improve efficiency.
There are undoubtedly many other good ideas for advancing the practice and stature of internal auditing that are beyond my own imagination. I look forward during my tenure as chairman to hearing from creative members of our profession around the world about the possibilities they imagine. I promise to share those thoughts with you periodically.
Dare to Dream
Anthropologists and psychologists tell us humans tend to feel comfortable and safe performing familiar rituals in familiar places. So it is not surprising many internal auditors are quite comfortable practicing as they always have. But I cannot imagine how those who choose this approach can continue succeeding professionally in today’s dynamic business world. Conversely, those who dare to imagine possibilities can help create a future in which internal audit is viewed by stakeholders and society as an enabler of sustainable value. As Walt Disney once said, “All our dreams can come true if we have the courage to pursue them."