PwC has published the 2014 edition of their
State of the Internal Audit Profession.
The stated theme is bland: "alignment of stakeholder expectations, and matching skills and capabilities to those expectations, helps internal audit enhance the value delivered to the organization."
But there is a clear message to internal audit leaders, as well as to audit committee members and others with oversight responsibility for internal audit.
About half the internal audit departments around the world are failing to deliver the assurance and advisory services their stakeholders need — and know they need.
As I reported in January, a KPMG survey of Audit Committee members found that "Fewer than half of the 1,800 respondents are satisfied that internal audit delivers the value to the company it should (45%), and that the internal audit plan properly focuses on the 'critical risks to the enterprise' (49%)."
Now, PwC is reporting similar results:
- "Nearly 30% of board members believe internal audit adds less than significant value." (This is an increase from the 20% PwC reported from their 2013 survey)
- "More than half (55%) of senior management told us that they do not believe internal audit adds significant value to their organization."
- "Even CAEs are critical of their function's performance, with just 65% believing on average that their function is performing well."
- Only 53% of respondents believe internal audit is focusing on the "critical risks and issues the company is facing"
I highly recommend downloading and absorbing the content of the PwC study. You might first want to read
what I said about PwC's 2013 report, as this year's is in many ways a continuation of the same theme. In that report, PwC said:
"The overwhelming opinion of 1,700 executives participating in the 9th annual PwC State of the Internal Audit Profession Research is that internal audit needs to reach for new heights and contribute to the organization in a more meaningful way. Our research clearly indicates that internal audit must continue to evolve in its focus and significantly improve its performance — or risk losing relevance as other risk functions become more vital contributors to the organization's risk management."
I commented that:
For the first time that I can recall, PwC has (appropriately) put part of the "blame" on audit committees: that they do not demand that internal audit perform at necessary levels and instead are, as PwC says, settling for what they get. As the authors say, " Audit committee members must ask more questions and reevaluate their criteria for satisfaction with the value internal audit is delivering." The report includes a section with good questions for the audit committee to ask.
I like a quote from Randal Early, CAE at Cox Enterprises:
"'Stakeholders don't understand that they can expect more. There's an education of boards and audit committees needed. At the end of the day, basic blocking and tackling has to happen and run efficiently, but there is a lot more that audit can and should do to help you sleep better at night.'"
My concluding remarks were:
I differ from PwC in that I don't believe they have placed sufficient emphasis on (a) the need for an audit plan that is designed to provide assurance on the management of the more significant risks to the organization, and (b) the provision of a formal report to top management and the board on the overall condition of governance, risk management, and related internal controls. I believe they understand this, and the report includes a quote from Michelle Stillman, CAE at Hewlett-Packard. She says her audit team is "moving away from a historical coverage model with a heavy emphasis on validating mature controls and processes to a risk-based model that gives us the ability to consider emerging risks and processes, which may be a more valuable use of our time."
The 2014 report has some excellent content and builds on the 2013 study.
I believe that the state of the internal audit profession is not as good as these numbers imply!
I believe that many if not most of the 70% of board members who say internal audit is adding significant value do not have a sufficient understanding of the full range and depth of assurance and advisory services that internal audit
should be providing. I agree with PwC and Randy Early when they say that audit committee members "do not demand that internal audit perform at necessary levels" and "there is a lot more that audit can and should do to help you sleep better at night."
Assurance is what helps boards "sleep better at night."
Let's talk about assurance using an example from outside internal auditing.
You are considering buying a used car from a neighbor. Wisely, you take it to your mechanic and ask him to inspect the vehicle and tell you whether it is in good condition, safe, and worth buying at the named price. He takes the car for a few hours and calls you back when he is finished. He says:
"There are a number of dents and scratches that need to be repaired and the tires will need to be replaced soon. Otherwise, the exterior is in reasonable condition for a car of this age. Everything under the hood is in satisfactory condition, but the air conditioning and heating systems seem to be working poorly."
Has he answered your questions? Has he provided the assurance you need? Has he provided the advice you wanted?
He has behaved like many internal auditors: he has told you what is wrong, given a "satisfactory" rating to a key risk area, and not given an overall opinion on whether the car is safe and worth the money it will cost.
I hate "satisfactory" ratings. What does "satisfactory" mean? Why can't an auditor provide a professional opinion, using the full range of the English (or whatever language he writes in) to communicate whether the stakeholders should be reassured or concerned?
A few years ago, I said that internal auditors who don't provide assurance on the effectiveness of risk management deserve a seat at the children's table. I still believe that.
I will go further now and say that internal auditors who don't provide the assurance that their stakeholders need (primarily the audit committee of the board, or equivalent, and executive management) so they can govern and direct the organization with confidence, do not deserve a seat at the top table.
When the captain of a ship tells his first officer to steer a course for Hilo and to set speed at 20 knots, he expects the people, organization, and systems of the ship to respond. Internal audit can provide assurance that they will.
This week, an old friend called me for advice and an opinion (knowing that I always have an opinion!) She was talking to a CAE who had told his audit committee chair that he didn't want to provide an opinion on whether the issues he had found (access to accounts payable and a failure to report as income the spousal travel of executives) might be material to the financial statements. He said it "isn't my job." The CAE was terminated soon after. I told my friend that if I had been chair of the audit committee and heard that from my CAE, I would have fired him as well.
As internal auditors, and especially as CAEs, the board and top management have a right and we should expect them to demand that we provide a professional opinion on whether the risks that matter to the organization are managed within desired levels.
This CAE was concerned about accounts payable. How many organizations have failed due to failures in accounts payable? Yet the majority of internal audit departments not only continue to audit the area but invest scarce resources in data mining for duplicate payments and so on.
I will close with two questions:
Are you auditing areas where deficiencies will never matter to the board? They would never materially affect the success of the organization or lead to a change in enterprise strategies. If so, why?
Are there issues on the agendas of the board and/or top management that you have not considered for inclusion in your audit plan? If not, why not?
I welcome your comments.