Each year, I look forward to PwC's important report on the state of the internal audit profession. Their 2007 report, which had a forward-looking perspective and called out for internal audit to move its focus from controls to risk, was one of the best I have read over the last 20 or more years.
2013 report, PwC rightly challenges internal audit to raise its level of performance. I agree with this strong statement:
The overwhelming opinion of 1,700 executives participating in the 9th annual PwC State of the Internal Audit Profession Research is that internal audit needs to reach for new heights and contribute to the organization in a more meaningful way. Our research clearly indicates that internal audit must continue to evolve in its focus and significantly improve its performance — or risk losing relevance as other risk functions become more vital contributors to the organization's risk management."
For the first time that I can recall, PwC has (appropriately) put part of the "blame" on audit committees: that they do not demand that internal audit perform at necessary levels and instead are, as PwC says, "settling" for what they get. As the authors say, "Audit committee members must ask more questions and reevaluate their criteria for satisfaction with the value internal audit is delivering." The report includes a section with good questions for the audit committee to ask.
I like a quote from Randal Early, CAE at Cox Enterprises:
"Stakeholders don't understand that they can expect more. There's an education of boards and audit committees needed. At the end of the day, basic blocking and tackling has to happen and run efficiently, but there is a lot more that audit can and should do to help you sleep better at night."
Sleeping better at night is a metaphor I use frequently to describe the assurance that internal audit can and should provide top management and the board: the ability to sleep through the night, knowing that the processes and controls the organization relies on to manage the more significant risks are in place and operating effectively.
The study reports that "56 percent of board members and 37 percent of management rated internal audit's performance as strong." Clearly, neither of these numbers is acceptable. PwC is concerned about the gap between board and management assessments. I am less so, as internal audit should seek first to satisfy the needs of the board. Trying to show value to management without adequately addressing the assurance needs of the board is, in my opinion, the route to failure. Internal audit's primary role is to provide assurance to the board and management, and additional value-adding activities should be just that: additional to their primary job.
This statement surprised me but also gave me hope that internal audit leaders realize there is a problem, which is the first step on the path to recovery: "On average, 48 percent of CAEs rated internal audit performance as strong." Hopefully, those that self-assessed as less than strong are taking actions to improve.
PwC identifies three areas where there is a need for improvement: Quality improvement and innovation; leveraging technology; and, obtaining talent that matches the organization's risk profile. While each of these is important, leveraging technology and obtaining talent have been challenges for as long as I have been in internal audit — and that's a long time. The interesting twist is the point that you need to design the staffing model (including co-sourcing) to have the talent to address all areas of significant risk, not just the traditional financial and compliance areas.
I differ from PwC in that I don't believe they have placed sufficient emphasis on (a) the need for an audit plan that is designed to provide assurance on the management of the more significant risks to the organization, and (b) the provision of a formal report to top management and the board on the overall condition of governance, risk management, and related internal controls. I believe they understand this, and the report includes a quote from Michelle Stillman, CAE at Hewlett-Packard. She says her audit team is "moving away from a historical coverage model with a heavy emphasis on validating mature controls and processes to a risk-based model that gives us the ability to consider emerging risks and processes, which may be a more valuable use of our time." However, PwC makes the mistake (in my view) of saying that "A fundamental role of internal audit is to be an assurance provider, delivering objective assurance of the effectiveness of organizations' internal controls" — falling from the lofty risk-oriented position they took in 2007.
I welcome your comments. What do you think of the report?