It really is time to reinvent the profession, believes Tim Leech.
In the first part of a two-part article, Tim Leech defines the problems facing the internal audit profession. The second part of this article will appear in the next edition of this eBulletin and will see Tim discuss his solution to the problem.
This is an alternative view of the profession that readers and practitioners should consider in the context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA.
Executive summary
Over the past decades there has been a series of major corporate governance crises. After each wave post-mortems were convened and efforts made by regulators to identify root causes. The good news – or bad, depending on your perspective – for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to avoid the current crisis being reviewed.
What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organisations. As pressure on directors mounts globally to improve risk oversight, their dissatisfaction with traditional internal audit services is also growing. This article suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit ‘paradigm paralysis’ – a strong attachment to traditional ways of doing internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of their key customers.
In 1990 I authored a paper that changed the course of my life and career titled Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance. In that paper I called on the internal audit profession to actively support and embrace the need for robust management self-assessment of risk and control. A significantly different role for internal auditors was proposed, a role fostering reliable management risk self-assessment and reporting to the board on the reliability of management’s risk management processes and the risk status information provided by management to the board.
Later in the 1990s, as the number of control and risk self-assessment (CRSA) pioneers grew, the IIA showed support for this new internal audit paradigm by creating the Certification in Control Self-Assessment (CCSA) and hosting an annual international CSA/CRSA conference. Since CSA/CRSA was still a relatively small fringe movement, the IIA continued to base the core internal audit curriculum on the foundation element of internal auditors doing ‘risk-based audits’, and reporting opinions on ‘internal control effectiveness’ on a small percentage of the total risk universe each year.
When Sarbanes-Oxley came along in 2002 the focus of the profession regressed and shifted, at least in many of the world’s largest public companies, to providing heavy support for binary opinions from CEOs and CFOs on whether financial accounting internal controls are, or are not, effective. Following the 2008 global financial crisis, IIA Global again showed support for change with changes to the International Professional Practice Framework (IPPF) standards and the creation in 2011 of a new Certification in Risk Management Assurance (CRMA).
Since the idea of internal auditors focusing on reporting on the effectiveness of risk self-assessment processes maintained by management was still seen by the majority of internal auditors globally as a fringe movement, the IIA continued to position traditional internal audit roles, including completing direct report internal audits, reporting on internal control ‘effectiveness’, maintaining ‘audit universes’ and audit plans, and the traditional curriculum in the Certified Internal Auditor (CIA) designation as the core internal audit paradigm.
The core foundation of internal auditors doing direct report internal audits and reporting opinions to their boards on the effectiveness of internal controls on a small percentage of the risk universe each year is now under siege as more and more customers and stakeholders, including the C-Suite, boards of directors, management, and regulators show increasing signs of dissatisfaction.
This article overviews the growing and ominous signs of customer dissatisfaction and proposes a new paradigm in assurance – ‘Objective Centric Five Lines of Assurance’ as a strategy to prevent internal audit becoming the next Blackberry – an organisation that just didn’t see the warning signs and respond soon enough.
Growing signs of dissatisfaction
Pulse of the Profession surveys done by the IIA and major consulting firms in 2014-2016 paint a picture of growing customer dissatisfaction with traditional internal audit services. An excerpt from the IIA July 2014 report titled Enhancing Value Through Collaboration shown below is illustrative of the growing levels of customer dissatisfaction. The percentage of unhappy internal audit customers reported in these surveys is simply too big to dismiss as ‘a few bad apples in the barrel’.
Following the 2008 global financial crisis regulators from countries around the world banded together to study root causes. The conclusion of the Financial Stability Board (FSB), an oversight body comprising the world’s superpowers, was that a radical shift in the roles played by boards, senior management and internal audit is necessary.
In the FSB’s November 2013 guide to national financial and securities regulators around the world titled Principles for Effective Risk Appetite Framework, the FSB painted new and significantly different roles for boards, CEOs, risk specialists, and internal auditors. Internal audit’s main role, as envisioned by the FSB, should be reporting on the effectiveness of risk management processes, including the ability of the company’s risk management framework to identify risks, assess risks, treat risks, and deliver reliable information on residual risk status to boards.
Unfortunately, in many organisations today, internal audit still serves as the primary group that completes formal documented risk and control assessments and reports results upwards to the board of directors. A key roadblock to actualising the new FSB vision is that internal audit, not management, is often the primary risk/control assessor and reporter to the board. As a result, internal audit lacks the independence required by IIA standards to report on the effectiveness of the company’s risk management processes.
The 2014 IIA Annual Report shown below called on internal auditors to be agents of change. In February 2016, sensing the profession was not responding fast enough, IIA President, Richard Chambers, blogged that To Be Agents of Change Internal Audit Must Embrace Change and focused on the theme of the 2016 Pulse of the Profession report – ‘Time to move out of the comfort zone’. While recognising the need for and importance of change, the IIA has been reluctant to aggressively endorse a radical change agenda for the profession.
The survey’s key findings – taken from 1203 respondents in 29 countries and across eight industry sectors – are:
almost all heads of internal audit expect their organisations and their functions to change substantially in the next few years
internal audit currently lacks the impact and influence that it wants and needs within the organisation
key gaps in certain skills, including analytics, IT and communications, must be addressed in order to increase impact and influence
stakeholders expect more forward-looking reports as well as insights regarding risks, strategic planning, IT and business performance
almost all internal audit budgets will remain flat or increase slightly, which may not be enough to fund needed enhancements to the function
Fortunately, for many in-house internal audit groups, external providers of internal audit services (read competitors) are also still largely wed to the traditional direct report audit paradigm where auditors form subjective opinions on whether they (the auditors) think controls are effective/ineffective. Be warned, however: a major risk to the profession is that one or more ‘APPLE-like’ competitors may yet emerge to seize on the opportunity presented by the current paradigm paralysis in internal auditing and ERM.
What does history suggest?
In the face of steadily dwindling customer satisfaction what does history say the internal audit profession will do? Research done over many decades provides insight into one of the greatest risks today to better governance globally – paradigm paralysis in internal audit and ERM.
The greatest barrier to a paradigm shift is the reality and incredible inertia of paradigm paralysis. A paradigm paralysis can be defined as the inability or refusal to see beyond current models of thinking. There are countless examples of paradigm paralysis in the history of mankind.
In Europe, up until the seventeenth century, physicians used to draw out substantial amounts of blood from their patients to ‘purify’ their bodies from some imaginary ‘miasma’. It would, of course, make patients weaker and quicken their death. The first physicians to challenge this absurdity were dismissed and banned from the profession. A better known example of paradigm paralysis is the rejection of Galileo’s theory of a heliocentric universe which revolutionised the field of astronomy.
If paradigm shifts are the mega-phenomenon of ‘thinking outside the box’, paradigm paralysis is the enemy of progress and can be defined as the sclerosis of ‘thinking inside the box’. In today’s world of social turmoil, constant fast pace change, globalisation, communication revolution, overpopulation, shrinking resources and growing ecological threats, paradigms are double-edged swords.
On one hand, they give us a structure and the illusion of permanence, which is a false sense of security. On the other hand, current paradigms, which often fall into the category of paradigm paralysis, prevent us from tackling challenges and major problems to keep life sustainable on this planet for future generations. In other words, we need to step out of the ‘illusion box’, both individually and collectively, of established thought paradigms, and jump courageously and resolutely into an uncharted and unknown reality unfolding each time a significant paradigm shift takes place.
The second part of this article, in which Tim discusses his solution to the problems identified, will appear in the next edition of this eBulletin.
Tim J. Leech, FCPA CIA CRMA CCSA CFE is managing director at Risk Oversight Solutions Inc., based in Oakville, Ontario, Canada and Sarasota, Florida. He has over 30 years of experience in the risk governance, internal audit, IT, and forensic accounting/litigation support fields.
Leech has provided training for tens of thousands of public and private sector board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer. His article ‘Reinventing Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.