It really is time to reinvent the profession, believes Tim Leech.
In the first part of a two-part article for the Association of Chartered Certified Accountants (ACCA), Tim Leech defines the problems facing the internal audit profession. In the second part, he discusses his solution to the problem.
Over the past decades, there has been a series of major corporate governance crises. After each wave, post-mortems were convened and efforts made by regulators to identify root causes. The good news – or bad, depending on your perspective – for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to avoid the current crisis being reviewed.
What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organisations. As pressure on directors mounts globally to improve risk oversight, their dissatisfaction with traditional internal audit services is also growing. This article suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit ‘paradigm paralysis’ – a strong attachment to traditional ways of doing internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of its key customers.
In 1990 I authored a paper that changed the course of my life and career titled Control & Risk Self-Assessment: The Dawn of a New Era in Corporate Governance. In that paper I called on the internal audit profession to actively support and embrace the need for robust management self-assessment of risk and control. A significantly different role for internal auditors was proposed, a role fostering reliable management risk self-assessment and reporting to the board on the reliability of management’s risk management processes and the risk status information provided by management to the board.
Later in the 1990s, as the number of control and risk self-assessment (CRSA) pioneers grew, the IIA showed support for this new internal audit paradigm by creating the Certification in Control Self-Assessment (CCSA) and hosting an annual international CSA/CRSA conference. Since CSA/CRSA was still a relatively small fringe movement, the IIA continued to base the core internal audit curriculum on the foundation element of internal auditors doing ‘risk-based audits’, and reporting opinions on ‘internal control effectiveness’ on a small percentage of the total risk universe each year.
Read part 1: Is internal audit the next BlackBerry?
The way forward: objective centric five lines of assurance
If you are willing to consider the central thesis of the article that the internal audit profession is at, what is sometimes called, a ‘tipping point’; and agree the profession is being crippled – or at least seriously negatively impacted by paradigm paralysis – including a strong attachment to traditional point-in-time direct report audits of internal control effectiveness covering a small percentage of the risk universe each year, a logical question has to be:
What can be done to prevent the internal audit profession becoming the next BlackBerry?
The first step in an ideal world would be for the internal audit profession, including IIA Global, to candidly acknowledge the failings of the current direct report internal audit paradigm and aggressively call for management to self-assess risk and risk treatments linked to key value creation and value preservation objectives and embark on a radical paradigm shift change strategy.
Read part 2: Is internal audit the next BlackBerry?