​​​The Most Important Thing Internal Audit Can Do in 2014 - Part 3

Comments Views
​ ​​
This series of posts all started with a mea culpa about the fact that I was about to embark on another beginning of the year piece (in spite of how much I dislike them). But I explained I felt the subject warranted such a breach.  We then began talking about the fast pace of change and the need for internal audit to embrace similar change. In fact, the need for internal audit to embrace seismic change.

There are two things internal audit must do as a result of the changes that are occurring.   First, if our role is to support the organization (and name any department in any organization where that isn't their role), we must keep abreast of the changes and the risks that are impacting that organization.

Actually, that is nothing more than table stakes. If we are going to (and I'm going old school here; I'm actually going to quote the stodgy old standards) "add value and improve an organization's operations" and help "an organization accomplish its objectives", then we need to not only understand where the organization is right now, but where it will be going and where the opportunities are in that future.

I repeat: It is nothing more than table stakes for internal audit to not only understand the way businesses and organizations currently operate, but to have insights on future operations. (You think you are doing that? Here's a test. How long did it take you before you recognized social media might be a risk for your organization? I'm guessing you didn't necessarily do a good job of forecasting that one. My apologies to anyone who nailed it early on.)

Bad news — that is the easy part. Because the second thing internal audit must do is the toughest. We can no longer slowly evolve. We must reinvent ourselves. As I said earlier, it is time for seismic change. The old (and by old, I mean even within the last few years) concepts and ideas about what internal audit is and does will no longer be relevant.

I keep using the word relevant and, no matter what Inigo Montoya may think, I know what that word means. Relevance for internal audit is maintained by serving our customers in ways where they see our value — where they understand how the investment in our department is providing dividends to overall operations; where they not only recognize the impact of what we do, but also recognize the impact that would exist if we were no longer around.

Relevance is the key.

In the past we made changes because we recognized how our skills and our role within the organization provided us unique opportunities. Using that knowledge, we changed how we worked and we changed the kind of work we did. And, in the process, organizations began seeing a new value in our profession. We became recognized as valuable (not just valued — there is a difference) partners.

We embraced the opportunities to provide consulting services. We embraced the need to help organizations develop their governance and oversight responsibilities. We embraced our role in identifying and mitigating risk. And we embraced the impact of efficiency — of finding ways to make things run better — helping eliminate redundancies and unnecessary controls.

To break out an old saw, we moved from cops to consultants. But has anyone noticed how long we have been bragging about that transition? (Which should be all the proof you need that we have to become something more.)

There is an old joke where two boys are watching a dog chasing a car. One says to the other, "What's he gonna do when he catches it?" 

We now have a seat at the C-suite. We have caught the car and I don't think we quite know what to do with it.

I have this problem. I keep hearing the phrase "trusted advisor." And I think auditors believe our primary role in the C-suite is to be some kind of trusted advisor — to sit with the king at some large table and, as ideas are batted around, provide our incomparable insight regarding which concepts are good and which are bad — that is, good and bad in that they adhere to our personal concepts of risk appetite, risk response, and control activities. And, once our pronouncements are put forth, we then sit back, accepting no responsibility for the final decisions. (To be honest, every time I hear the phrase "trusted advisor" I think of Wormtongue.)

In the fast-moving future that is already here, such an inactive role will lead us right back to irrelevance. Advising is nice, but advice can come from anyone. And if we are going to add true value (and don't talk to me about "value add" because we have used and misused that phrase so much that its meaning has lost any [you'll excuse the expression] value) then we have to be actively involved in the organization and the work it does.

Yes I know we have to be independent. Yes I know we have to be objective. But that doesn't mean we have to obsequiously sit back and hope things work out well. 

Or do we have to be independent or objective?

Tomorrow, the actual point of all this. If we accept the need for seismic change, how do we get there? The answer is with each of us, and our ability to shed our lethargic ways.

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • SCCE_July 16-31_July2018_Blog 1
  • IIA Symposium2018_July2018_Blog 2
  • IIA Quality_July2018_Blog 3