For internal auditors who haven’t yet seen the writing on the wall calling them to a more modern approach to practice, leaders in the profession have taken measures to make the writing more explicit.
At its recent annual global conference, the Institute of Internal Auditors layered over its entire professional practices framework a new mission and 10 core principles that are meant to point internal auditors in that new direction. The new International Professional Practices Framework emerged at the same time as a five-year IIA study of the profession that suggests many internal auditors already understand the need to steer themselves in that way, lest they be left behind.
“The world is changing at light speed,” says Larry Harrington, the newly elected chairman of the IIA global board of directors and head of internal audit at Raytheon. “Risks are changing on a daily basis. Stakeholder expectations at the board and regulator level are raising the bar. They want us to be an integral part of understanding risk.”
The IIA’s revised professional practice framework is not a regulatory requirement, simply an urging from the profession’s leaders calling internal auditors to a higher level of practice. It states the mission of internal audit as enhancing and protecting organization value by providing risk-based and objective assurance, advice, and insight. It tells internal auditors to embrace core principles that in some cases are already contained in existing standards, but in others are not so clearly articulated.
Core principles focused on integrity, competence, communication, positioning, resources, and due professional care, for example, might already be standard-issue for many internal auditors today. “When you look at the core principles, certainly the first eight, in my mind, are very much what many good internal audit functions do today,” says Hal Garyn, vice president at the IIA.
A handful, however, may stretch the typical internal auditor beyond his or her comfort zone. For example, internal auditors should be “insightful, proactive, and future-focused,” and should “promote organizational improvement,” according to two of the principles.
“That’s an area where some internal audit functions may have to say, ‘I need some guidance on what that might mean,’ ” Garyn says. “That’s not necessarily where every internal audit function is today.”
The IIA’s latest “Global Pulse” study seems to suggest such guidance won’t come as a shock to internal auditors globally. The report says internal auditors around the world recognize that they need to develop more forward-looking risk-management practices and that they need to anticipate the needs of stakeholders.
That clearly ties back to the new framework guidance, Harrington says. “It’s about making sure we understand the changes taking place in business and technology and learning to use those to our advantage,” he says. “We must learn to invest in ourselves with the world changing so quickly.”
Sridhar Ramamoorti, associate accounting professor at Kennesaw University, says the enhanced framework directs internal auditors to get more in tune with “leading” indicators of risk rather than focusing on “lagging” indicators. “The leading indicators are extremely important signals of risks that may be coming down the pike,” he says. “Lagging indicators only tell you about risks that have already materialized and hit the financial statements.”
Putting the Practice Framework Into Practice
Tom O’Reilly, director of internal audit at technology company Analog Devices, says he was a bit skeptical at first as he learned about the newly enhanced framework, but changed his mind upon closer examination. Some of the principles can serve as easy benchmarks for how his internal audit department is functioning, he says. “It’s another source to help me tactically verify whether the work my department does is best positioned to enable positive change for our company,” he says.
O’Reilly pointed to the principle saying internal auditors should be insightful, proactive, and forward-looking as a challenge to the way many internal audit departments function. “If internal auditors are performing more management roles such as Sarbanes-Oxley testing, it’s going to be hard to be future-focused,” he says.
Other exercises often performed by internal audit that ideally should be performed by management, O’Reilly says, include verifying inventory or having responsibilities for risk management, security, or monitoring a company’s whistleblower hotline. “The more we do that, reacting to events that have happened, we won’t be future focused,” he says.
MISSION OF INTERNAL AUDIT
Below, the IIA outlines the mission of internal audit.
To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
Demonstrates competence and due professional care.
Is objective and free from undue influence (independent).
Aligns with the strategies, objectives, and risks of the organization.
Is appropriately positioned and adequately resourced.
Demonstrates quality and continuous improvement.
Provides risk-based assurance.
Is insightful, proactive, and future-focused.
Promotes organizational improvement.
Source: Institute of Internal Auditors.
Mark Kultgen, national leader of the internal audit and SOX practice at McGladrey, says audit executives should first use the framework as an educational tool internally. He suggests pointing out that the guidance is consistent with the direction of the 2013 COSO Internal Control—Integrated Framework, which provides a heightened focus on entity-level controls and IT controls.
“Personally, I’d perform a self-assessment around the principles and use it as a discussion point with the audit committee and management,” he says. “Get their sense. Do they see internal audit as having that degree of independence? Are we aligned with strategies and objectives?”
Andy Dahle, a risk assurance partner with PwC, says chief audit executives should react to the new guidance by taking a serious look at what they’re doing and how they could move internal audit further into a leadership role. He suggests using the new guidance as a trigger for new discussion with audit stakeholders about where internal audit can do more, while also using it to ignite the internal audit staff. “Use this as a motivator to drive change within the department,” he says. “Help them buy into the mission that internal audit has to be more than it was yesterday.”
It might be a tough sell either within the department or with audit stakeholders, depending on how bogged down the internal audit staff is with SOX control testing, for example, or how stretched it might be for resources. Sandy Pundmann, a partner in internal audit and strategic risk for Deloitte, advises chief audit executives to use the framework update as leverage in discussions about resources.
“You have to be transparent with senior executives, boards, and audit committees,” she says. “Here are all the risks of the organization. With my current funding and resources, if all I’m doing is Sarbanes-Oxley, all I’m covering are financial risks. I’m not focusing on operational or strategic or compliance risks. That’s a huge white space that isn’t being covered.”
If that’s still a tough sell—after all, the guidance isn’t mandated by any regulatory body with authority to enforce it; it is simply provided by a professional body trying to raise the bar on its practice—then the progressive chief audit executive has a bigger issue to consider, says Warren Stippich, a partner and national GRC leader at Grant Thornton. “Professionalism is at hand here,” he says. “If they say, ‘We don’t care about this because there’s no law,’ that begs higher-level questions for me; then you have to ask: Would I want to work for an organization like that?”