The Scary New Outlook for Internal Audit
Can the profession seize its rightful role in risk management, governance and compliance? Maybe, but it’ll take vision and guts. Do you have what it takes in the post-meltdown world of the new normal?
April 22, 2010
In the aftermath of the global financial meltdown and the surge of new corporate interest in enterprise-wide risk management, do internal auditors face risks of their own in getting left behind?
Maybe so, according to some prominent thought leaders in the profession.
After surveying more than 2,000 executives across 50 regions of the globe, researchers at PricewaterhouseCoopers report that internal auditors are being challenged “to remain relevant and meet stakeholder demands” in ways like never before.
What’s required today, according to Brian Brown, PwC principal and Internal Audit Advisory Services leader, is a whole new, and somewhat unnerving, concept of the internal auditor, a new vision Brown and his colleagues call “Internal Audit 2.0.” More than simply checking accounts, internal auditors need to adopt a new way of thinking about their job that goes beyond audit as we’ve known it and embraces the fast-developing body of knowledge in governance, risk and compliance. Or else, Brown says, they run the risk of becoming marginalized and obsolete as new risk-management professionals take over.
Directors and top management are crying out for improved risk management operations. But it will take some brave and innovative internal auditors to show the way. “The internal auditor needs to have a vision and to take leadership,” according to Brown, “even though they may not necessarily have the authority.”
Five years ago, after the first round of Sarbanes-Oxley implementations, internal auditors were at the center of the risk-and-compliance universe. But the meltdown proved, according to PwC, that some notable corporate internal audit operations and risk controls were sadly inadequate. The same PwC study five years ago reported auditors squeezed for time and resources in implementing SOX. Nevertheless, as a result of the new internal controls requirements, 79 percent of audit departments found and reported issues to top executives on ways to improve risk management.
Today, Brown says, internal audit is “in danger of being pigeon-holed as a tactical compliance function.” And many internal audit managers are admitting they are unable to meet top management expectations with the same old data set.
To meet today’s top management needs, the role of the internal auditor needs to be expanded, Brown says. Strategically focused auditors can have a huge impact. After all, they are but one of a handful of professionals in today’s global conglomerate that can actually see across all departments, regions and silos of the enterprise.
In the past, internal auditors were being told that so-called “soft” skills were needed — creating a "client-service culture" with stakeholders, "leveraging technology" and "promoting improvement and innovation." All that still may be necessary. But more is needed. PwC researchers say this year’s breed of internal auditor is talking more about identifying “critical risks,” “aligning internal audit’s value position with its stakeholder's expectations” and “matching the staffing model with that value proposition.”
But do today’s internal audit teams have the right mix of skills, training and experience? Many don’t, Brown says. Most lack the diverse broader business experience needed for insightful risk assessment and corporate persuasion.
“We believe internal audit must take a more radical approach,” says Brown, challenging auditors and their C-suite handlers “to change, rethink and redefine” the way internal audit works. It starts with vision and leadership.
COMMENT: Rants, raves, questions or ideas? E-mail Rick Telberg.
Copyright © 2010 CPA Trendlines/BSG LLC. All Rights Reserved. Used by Permission. First published by the AICPA.
About Rick Telberg
Go to the News Center Now