Speaking recently at the IIA GRC conference, I began by asking the audience to raise their hands to indicate if they or their departments had provided opinions on:
- Internal control effectiveness
- Risk management effectiveness
- Compliance effectiveness
- Loss management practices
With very few exceptions, internal controls were the sole focus.
I began my presentation by suggesting it was time for internal auditors to get out of control—they were adding no value there, and their presence was desperately needed elsewhere.
Audit resources wasted, or worse
A number of recent studies indicate that stakeholders expect more value from internal audit. Other studies have found that internal auditors focus on core operational activities rather than strategic risks.
It’s hard to come to any conclusion other than that audit resources are misplaced.
What’s the mission of internal audit? According to the IIA, it is “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.”
- Is it likely that internal audit can add value by focusing on control-intensive business processes?
- Have internal auditors adopted automation, embraced technologies, and transformed their practices for assessing control effectiveness?
- Has the internal auditing profession applied technology in a meaningful way?
- Do audit standards even require the use of technology?
By focusing on internal control effectiveness, internal auditors are 1) contributing to the problem by assuming accountability that management should own, and 2) preventing progress.
Is it possible that the time has come for internal auditors to step aside from their focus on internal control? Is it possible to meet stakeholder expectations to add value by focusing on non-value-adding activities?
Years ago, when you drove to a gas station, your car was automatically “audited” by the gas station attendant. Your tire pressure was manually tested. Your oil level and possibly your transmission fluid and radiator were visually inspected.
Today these controls are all automated. Can we do the same for controls in business?
Control is a management problem, not an audit problem
In his recent blog, How to Do Your Internal Audit Risk Assessment, Norman Marks, a former colleague at SAP and a long-time practitioner with whom I often disagree, makes some of the same points and comes to a similar conclusion.
Some years ago I was on the board of a midsize public sector organization. Due to the nature of the business, our finance and accounting team could not produce reliable financial statements on a timely basis. The board wrestled with the problem. We had a number of proposals to perform risk assessments and other consulting services. Finally, we came to a conclusion.
Yes, there were complexities in producing our financial statements, but they weren’t unusual. We decided that if our finance head could not find a way to meet the board’s needs, we would find someone who could. It wasn’t a control problem or an accounting problem. It was a management problem. We changed the management and the problem was solved in 60 days.
In most of our core business systems (procure to pay, billing systems, payroll), inventory systems, and even information technology, I would suggest that greater than 95% of things that could go wrong are known. To me, in those core systems, we have a management problem, not a control problem, if risks can’t be managed.
Dashboards, not dipsticks
How can auditors help?
- Internal auditors can consult on practices to automate controls and practices in our core business processes in such a way that traditional audits aren’t necessary.
- Internal auditors can promote and teach control self-assessment and control design practices.
- Internal auditors can provide opinions on the quality of management control assessments.
Worse yet, is internal audit hampering the automation of controls by continuing its focus? Are there better things for internal auditors to do?
“Skate to where the puck is going to be…”
Wayne Gretzky used this philosophy to explain his success as a hockey player. It’s also apt advice for internal auditors. Internal auditors are skating not to where the puck is, but to where the puck was yesterday.
The focus should be adding value by assessing strategic risks, by providing advice and assurance on compliance, and by assessing loss management practices.
These all require an understanding of and a focus on the future of the business, not the past.
I would add, it’s management’s job to handle the puck today. Let them do it.
What do you think? As always, I’m interested in your comments.
For more on this subject
At SAP we have developed an experimental and free iOS app for iPads that is intended to assist internal auditors and others in developing appropriate strategies and using appropriate tools. You can download the SAP GRC Strategy Selector App.
Finally, I recommend you watch this recent Compliance Week webcast by Honeywell outlining their internal audit department’s “One View of Risk” initiative.
This article, GRC Tuesdays: Is It Time for Auditors to Get Out of Control?, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.