Business Trends
GRC Tuesdays: Is It Time for Auditors to Get Out of Control?
Speaking recently at the IIA GRC conference, I began by asking the audience to raise their hands to indicate if they or their departments had provided opinions on:
- Internal control effectiveness
- Risk management effectiveness,
- Compliance effectiveness or
- Loss management practices
With very few exceptions, internal controls were the sole focus.
I began my presentation by suggesting it was time for internal auditors to get out of control—they were adding no value there, and their presence was desperately needed elsewhere.
Audit Resources Wasted, or Worse
A number of recent studies indicate that stakeholders expect more value from internal audit.
Other studies have found that internal auditors focus on core operational activities rather than strategic risks.
It’s hard to come to any conclusion other than audit resources are misplaced.
What’s the mission of internal audit? According to the IIA it is “To enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
- Is it likely that internal audit can add value by focusing on control intensive business processes?
- Have internal auditors adopted automation, embraced technologies, and transformed their practices for assessing control effectiveness?
- Has the internal auditing profession applied technology in a meaningful way?
- Do audit standards even require the use of technology?
By focusing on internal control effectiveness, internal auditors are 1) contributing to the problem by assuming accountability management should own and 2) preventing progress.
Is it possible that the time has come for internal auditors to step aside from their focus on internal control? Is it possible to meet stakeholder expectations to add value by focusing on non-value-adding activities?
Years ago, when you drove to a gas station, your car was automatically “audited” by the gas station attendant. Your tire pressure was manually tested. Your oil level and possibly your transmission fluid and radiator were visually inspected.
Today these controls are all automated. Can we do the same for controls in business?
Control Is a Management Problem, not an Audit Problem
In his recent blog, How to Do Your Internal Audit Risk Assessment, Norman Marks, a former colleague at SAP and a long time practitioner with whom I often disagree, makes some of the same points and comes to a similar conclusions.
Some years ago I was on the board of a medium-sized public sector organization. Due to the nature of the business, our finance and accounting team could not produce reliable financial statements on a timely basis. The board wrestled with the problem. We had a number of proposals to perform risk assessments and other consulting services. Finally we came to a conclusion.
Yes, there were complexities in producing our financial statements, but they weren’t unusual. We decided that if our finance head could not find a way to meet the board’s needs, we would find someone who could. It wasn’t a control problem or an accounting problem. It was a management problem. We changed the management and the problem was solved in 60 days.
In most of our core business systems (procure to pay, billing systems, payroll), inventory systems and even information technology, I would suggest that greater than 95% of things that could go wrong are known. To me, in those core systems, we have a management problem, not a control problem, if risks can’t be managed.
Dashboards, Not Dipsticks
How can auditors help?
- Internal auditors can consult on practices to automate controls and practices in our core business processes in such a way that traditional audits aren’t necessary.
- Internal auditors can promote and teach control self-assessment and control design practices.
- Internal auditors can provide opinions on the quality of managements control assessments.
Worse yet, is internal audit hampering the automation of controls by continuing its focus?
Are there better things for internal auditors to do?
“Skate to Where the Puck is Going to Be…,”
Wayne Gretzsky used this philosophy to explain his success as a hockey player. It’s apt advice for internal auditors. Internal auditors are skating not to where the puck is, but to where the puck was yesterday.
The focus should be adding value by assessing strategic risks, by providing advice and assurance on compliance, and by assessing loss management practices.
These all require an understanding of and a focus on the future of the business, not the past.
I would add, it’s management’s job to handle the puck today. Let them do it.
What do you think? As always, I’m interested in your comments.
For More on this Subject
At SAP we have developed an experimental and free iOS app for iPads that is intended to assist internal auditors and others develop appropriate strategies and use appropriate tools. You can download the SAP GRC Strategy Selector App.
Finally, I recommend you watch this recent Compliance Week webcast by Honeywell outlining their internal audit department’s “One View of Risk” initiative.
Bruce,
I agree with your larger point of shifting audit focus to more emerging risk issues (strategic and operational). Having said that, making recommendations on control issues can still have tremendous value. The key is to focus on risk first and then deal with the controls that mitigate said risk secondarily. There is no way for IA to "get out of the control" in this context. Assessing key risks necessitates looking at the controls/risk treatments for those risks. In addition, it is the Board/Audit Committee that is often looking for more than "management assurance" on key risks and controls, thus, IA needs to report on these matters.
Karl
I do agree with your opinion that internal audit should focus on all you mentioned, but control evaluation is a genuine role for internal auditors. Why control is designed? Simply to manage risk. And control is also related to strategic objectives, reputation of the company and other important aspets that affect the overall bussiness.
We are looking at risk optimization in our organization since we are three years into a start up and the level of oversight, although warranted initially, is inhibiting our growth. How do other companies ensure that internal audit oversight is at an optimum balance for the business risk and risk tolerance?
Karl, thanks for your comment. One way to look at it is to ask whether internal audit has added any innovative tools, practices, technologies or frameworks to the practice of control evaluation in the past 30 years. When innovation stops, stagnation sets in. Thats how I would size things up today. Time to move on is my view.
Dear anonymous. Interesting comment, but I'd turn things around. Controls are only one response to risk, and usually, for strategic risks, far from the bes. Most auditors have a very narrow view of controls. If auditors did a better job of risk identification and assessment, I think management could handle the controls without much help.
John
Sounds very very interesting. I rarely see internal audit departments ask this question. In terms of balancing and optimizing risk, one of the most fascinating examples is the Strategic Performance DAshboard developed by Exxaro, a south African coal mining company. Look at the illustrations of their dashboard beginning on page 19 of the intehgrated report. Ask yourself how internal audit can participate and add value and insight in this process. Please let me know what you think.
http://www.exxaro.com/ar/2015/Exxaro_2015_Integrated_Report.pdf
Great insight about internal audit. I would assume after so many years practicing internal audit, by now we should at another level but still we are practicing it same way it was before irrespective of the development out there. Some organisations invest more on internal audit while their approach is reactive as compared to investing more on risk management as the approach is proactive. Internal audit ends up wanting assume management's responsibility instead providing assurance to management and board.