The other day, somebody replied to one of my blogs — and got my blood boiling! So, here is the rant for the week.
Essentially, what they said was that while it was good in theory for the CAE to focus on providing assurance, in practice the CAE has to be very conscious of and responsive to management expectations. Management wants to see real value from internal audit, and therefore internal audit needs to demonstrate tangible savings in costs, and such. If internal audit is to get management support for its existence, a reasonable budget, etc., then focusing on providing assurance is not the answer.
Do you remember the Roman Emperor, Nero? He is famous for paying attention to his music and enjoyment while the barbarians were attacking, overwhelming, and then pillaging his capital. He "fiddled while Rome burned."
Well, I think this is a good analogy for those CAEs who focus on building a scorecard that shows how much they have saved their organization (through audits of benefit programs, vendors, etc.) but are not assessing the risk management program. They are doing the fun stuff but failing to address the risks that could (and in some cases have) caused the failure of the business.
It's fine to supplement essential assurance activities with the tangible value-adding programs — and I have done a lot of that in the past. But, the assurance work has to be covered or (in my opinion) internal audit is failing to do its job. When that is a conscious decision, I have to question the ethics — and the courage — of the individuals involved.
When I talk about complacency, I am talking about the tendency for some CAEs to continue the same internal audit program, using the same tools and methods, in the face of new technologies and approaches that can deliver massive additional value. I simply don't understand the reluctance to:
Take advantage of emerging and improving technologies for data analytics, continuous auditing, etc. — including social media.
Provide opinions, both on individual engagements and overall. (As an aside, it is well past time for this to be mandated by IIA Standards. How can you provide assurance when you don't express an opinion?)
I welcome your comments.