Are you aware of internal audit?

This month, the IIA has been promoting May as International Internal Audit Awareness Month.

I’m conflicted, because as an internal auditor, I favour people being aware that my job exists. On the other hand, it has always seemed a little silly, or maybe crass even.

Another word that comes to mind is tone-deaf. Don’t we generally recognize awareness months for diseases or good causes or peoples’ heritages?

For instance, Wikipedia helpfully lists diseases or causes that are competing with internal audit for your awareness this month. Just a few:

  • Lou Gehrig’s Disease
  • Asthma
  • Lyme Disease
  • Guide Dogs

In Canada, various groups are trying to raise awareness for:

  • Cystic Fibrosis
  • Hepatitis
  • Multiple Sclerosis
  • Food Allergies

Maybe some might consider being audited akin to having a disease, but should the IIA be inviting the comparison?

There’s a hashtag, #IIAMay. On top of that, there’s a logo which proclaims to all: Proud to be an Internal Auditor. The lady doth protest too much, methinks.

Look, I get it. Internal audit isn’t as well known as practitioners would like. They’re building a business here, the IIA, and trying to grow demand for the services of their members, and their influence in management circles. But that’s the type of thing that’s best accomplished within organizations, by bringing your A game consistently and effectively as an auditor and a function.

Happy End of Internal Audit Awareness Month everyone!

Top traits of an effective internal auditor

The President of the IIA shares what he sees as the top seven attributes of an effective internal auditor, and in general I agree, with a few distinctions.

The most important attribute is referred to as business acumen, but the description that accompanies it has more to do with having an in-depth knowledge of the business the auditor works for. Splitting hairs I guess, but acumen is the ability to make good decisions and exercise sound judgment. A strong understanding of what is driving the success of the business is important to cultivate, as is staying on top of developments within the industry in which it operates. I think both are important, but one is easier to develop than the other.

Communication skills come next, and I would broaden that to be people skills in general. The ability to read people and adapt to any given situation and personality is very helpful, so both the outward skills like communicating clearly and succinctly and the inward skills like listening actively and processing information quickly will come in handy when dealing with people within the organization.

Integrity comes in at 3rd, and is critical to establishing and maintaining your reputation as a professional. Being consistently honest and forthright in your interactions with your “customers” will allow you to build strong working relationships across the business.

Experience is next, and it’s not a subject I feel especially qualified to discuss, since I’m only in my third year as an internal auditor, sixth as an auditor. What I will say is that each day I strive to learn and get better at my job, and working with staff that have, among them, decades more experience than I provides a constant reminder of the value of that experience.

Number five on the list is a solid grasp of business risks, which to me means the exact same thing as the first item. Let’s just put them both together at the top and shorten the list to six, shall we? After that is talent development skills, which is important to have once you reach a certain level and have people reporting up to you. I could make the case that this is essentially a subset of people skills.

Last (but not least in my opinion) is courage and that’s important for auditors whether they’re external or internal. Part of the job is being the bearer of bad news and you’ve got have the stones to deliver it straight!

IIA and ISACA pool resources and expertise

At the end of September the IIA and ISACA announced they had reached an agreement to “create a basis for cooperation and collaboration” between the organizations.

The agreement is formalized in a Memo of Understanding that has been signed by both parties. The MoU lists a few areas where this agreement makes cooperation possible:

  • Speaking and exhibiting at each other’s conferences, seminars and events
  • Conducting jointly sponsored events
  • Mutually recognizing, where appropriate, each other’s continuing education programs for continuing education credits to satisfy requisite certification requirements
  • Participating in training and educational programs offered by either association where such collaboration benefits the attendees
  • Encouraging similar cooperation and collaboration among local chapters of ISACA and The IIA (an activity that already thrives in many places throughout the world)
  • Identifying opportunities for joint projects that advance the global internal audit profession and the professional standing of its members
  • Engaging in periodic discussions on matters of public policy that impact the internal auditing profession
  • Where appropriate, coordinating and promoting unified messages and responses to standards setters, regulators, and legislators globally, and providing them with information regarding best professional practices

In order of value to each organization’s members, the top 3 in my mind are:

  1. Joint projects to advance the internal audit profession
  2. To me this is going to have the biggest impact on stakeholders because the combined knowledge and experience in both groups should lead to higher quality standards and improved best practices. Perhaps a combined set of standards down the road?

  3. Recognizing each other’s continuing education
  4. For members of both organizations this is huge. Program content frequently overlaps (e.g. the IIA’s GTAGs) and internal audit departments generally have staff with CIA and CISA designations (as well as CA and CPA, and others), so significant cost savings may be realizable.

  5. Collaborating on continuing education
  6. This could open up each organization’s continuing education programs to the other one’s members, which immediately introduces fresh topics and facilitators to both groups. Synergy here will allow members to broaden their training, and provide an easier transition from one to both certifications.

The agreement should work out to be a win-win-win — for the organizations, members, and stakeholders. What do you think?

Survey says: IA feeling the squeeze

A survey conducted at the recent Institute of Internal Auditors annual conference by Protiviti has revealed that ⅔ of IA professionals believe their department is under-resourced and therefore unable to adequately carry out their duties.

Protiviti’s take is that due to increased expectations of the assurance Internal Audit can provide on an ever-widening spectrum of enterprise risks, auditors feel under-resourced. Sukhdev Bal, Director of Protiviti says:

This survey is a clear indication that internal auditors themselves believe that prior to the recession, they were not fit for purpose in terms of focus, skills and capabilities. Audit committees, Internal Audit leaders and management need to work more closely and collectively to agree the role of audit, objectives, criteria for audit and the overall approach of the internal audit function required to meet current and future evolving needs. Importantly, having agreed these, they need to ensure that the function is staffed with the right skills, capabilities and experience to meet these objectives.

There is evidence that spending on governance, risk and compliance didn’t decrease in 2009 compared to 2008, so I think Protiviti is correct with its assessment. IA is being asked to expand their risk coverage beyond traditional areas of expertise. It’s only natural to feel a little overwhelmed by the expectations. The key to adapting in my opinion (and experience) will be support for training in non-traditional areas.

The survey is available on Protiviti’s website (if you give them some personal information first).

IIA: Keep internal and external audit separate

AccountancyAge is reporting that the UK and Ireland IIA’s chief executive Ian Peters recently made a statement on the contentious issue of having external auditors provide internal audit services:

Internal auditors answer to management and the non-executive directors… external audit reports to shareholders. Merging these two important functions has the potential to cause serious conflicts of interest and reduce the effectiveness of internal controls and the management of risk.

The statement was made in relation to the KPMG-Rentokil deal.

I think if the two parties gave us more details about the work performed around independence it was assuage many of the fears stakeholders are having.

KPMG has said they believe the provision of both functions “is perfectly feasible to do in the spirit and letter of the law.” If that’s so, how long before more of these arrangements are made by KPMG or other firms?