The latest is a blog by the managing editor of ComplianceWeek on the role of the CAE in the future. Unfortunately, this piece confuses the role of the internal auditor — assessing management's processes for addressing risks — with management's role of identifying and responding to risks, and running the business.
Here are some excerpts and my comments:
- "First, we discussed internal auditing's shift away from inspecting a company's controls, toward scrutinizing the company's risks. Then we pondered whether that shift changes the CAE's role in helping senior management make strategic decisions about the company."
  - Comment: the role of internal audit is to provide assurance on management's governance, risk management, and internal control processes. It is not our role to "help senior management make strategic decisions." If management needs help, that should be provided by the board.
  - Comment: the shift is from auditing controls to assessing whether management's processes and controls are sufficient to address the risks. But we are still auditing the process, not whether the decision was correct.
- "Through most of the 2000s, internal audit departments were overwhelmed with the Sarbanes-Oxley Act, where they had no time for anything but testing controls over the company's financial reporting."
  - Comment: this is a massive overstatement. While many audit functions spent a large part of their time auditing key SOX controls, in no way was that all they did. In the last few years, there has been a significant rebalancing of internal auditing and a return to including risks across the enterprise.
- "A funny thing happened, however, on the way to reliable financial reporting: risks proliferated around your company anyway."
  - Comment: the risks always existed, including the ones given as examples in the blog, and have been included in the internal audit risk assessment process.
- "The internal auditing department's job should be about (1) identifying the company's risks; (2) helping to reduce the likelihood of those risks; and (3) helping to ensure that when a risk does strike, it will cause the least disruption possible to the business."
  - Comment: absolutely not! Management is responsible for all of these activities. Internal audit's role is to provide assurance that management has reasonable processes to do so. This demonstrates a fundamental failure to understand the role of internal audit.
- "Two particularly hair-raising statistics: 32 percent of the CAEs surveyed reported "no involvement" in discussions about mergers and acquisitions, and an astonishing 47 percent said the same for discussion about expansion into new geographic markets. Considering that most CEOs count M&A and emerging markets as the two primary sources of revenue growth in coming years, this is not good."
  - Comment: this observation comes from PwC. It is true that internal audit may provide consulting services that help ensure effective risk management, security, and controls relating to specific M&A and expansion into emerging markets. We should also consider risks relating to the processes for strategy-setting and management, M&A, new products and projects, etc., in our risk assessment process. But I don't see any particular reason for internal audit to be involved in every new initiative as part of the management team. Management is responsible for strategic investment decisions with oversight from the board. It is not our job to second-guess management decisions.
- "Several of the CAEs in the room, however, weren't entirely comfortable with the idea that they should advise on a company's strategic direction. That puts you more in the role of counselor, far from the traditional internal auditing jobs of improving efficiency or assuring that employees follow company policy."
  - Comment: they are right to be uncomfortable with taking on a management or board responsibility.
- "'I'll offer my advice on what a process should be to implement a decision, sure,' one woman said. 'But is it really my place as the internal auditor to participate in what the strategic decision is? I'm not sure about that.'"
  - Comment: no, it is not.
In my opinion, the lady quoted above gets it 100% right and ComplianceWeek is 100% wrong. We provide the board and top management with assurance that the processes supporting a management decision are OK. It is not our job to second-guess management or the board.
I welcome your views and comments.