Renaming internal audit to better represent its stature

Internal audit. The name leaves something to be desired, in my opinion, and unless you’re familiar with IA, it could be a bit confusing.

It also creates this false dichotomy with external audit that really doesn’t exist. Within the IA context, the audit of financial statements is supplemental and focused on only one risk: reporting risk. Granted, reporting risk holds a special place in the pantheon of enterprise risks, critical to obtaining and maintaining financing, but still.

Why is internal audit content with naming itself only in terms of where its practitioners reside in relation to the organization under audit? Seems quite narrow and vague. Given that IA concerns itself with all enterprise risks, it makes more sense to me to called it Enterprise Audit. This would also dovetail nicely with Enterprise Risk Management. ERM and EA, two sides of the governance coin.

Better branding in this manner would attract more and higher quality people to the profession as well. It sounds far more interesting and rewarding to be in the business of enterprise auditing than internal auditing.

What do you think? Is it too late in the game to make a change like this? Does it matter, so long as those in business understand the role and responsibilities of the auditors?

I need to be Certified

Having spent the past 3+ years in internal audit, first for a global building materials manufacturer and now with a Canadian retailer, I figured I ought to go for the certification and make it official.

So, a couple months ago I committed to earning the Certified Internal Auditor (CIA) designation. The first step was to register with the IIA as a candidate, which is done entirely online.

The next step was to select and acquire study materials. The IIA has their own package, which they’re quite fond of based on some phone conversations I had with one of their representatives, and Gleim is another popular one, as far as I can tell from cruising the various LinkedIn internal auditor group discussions.

I went a different route. I had attended an IIA social event for new members (Toronto chapter) back in April, where I met a fellow CA who had more recently achieved her CIA as well, and she recommended Hock as a cost-effective alternative. So far I’m liking it, having worked my way through the textbook for Part 1 of the exam. I’ve begun to use their software (ExamSuccess) to take even more practice questions. (The textbook also has them, sprinkled throughout.)

The CIA exam is four parts, but if you’re a CA or CPA you can apply to be exempted from the final part. Part 4 covers strategic management, global business environments, organizational behaviour, management skills and negotiating.

I’m quite a nerd, so I actually enjoy studying and answering practice questions. Now that I’ve begun the process, I’m surprised I didn’t start it sooner!

Update (Dec. 6, 2011): The budget dropped out for training for the rest of the year and the CIA fell by the wayside. Maybe in 2012!

IIA and ISACA pool resources and expertise

At the end of September the IIA and ISACA announced they had reached an agreement to “create a basis for cooperation and collaboration” between the organizations.

The agreement is formalized in a Memo of Understanding that has been signed by both parties. The MoU lists a few areas where this agreement makes cooperation possible:

  • Speaking and exhibiting at each other’s conferences, seminars and events
  • Conducting jointly sponsored events
  • Mutually recognizing, where appropriate, each other’s continuing education programs for continuing education credits to satisfy requisite certification requirements
  • Participating in training and educational programs offered by either association where such collaboration benefits the attendees
  • Encouraging similar cooperation and collaboration among local chapters of ISACA and The IIA (an activity that already thrives in many places throughout the world)
  • Identifying opportunities for joint projects that advance the global internal audit profession and the professional standing of its members
  • Engaging in periodic discussions on matters of public policy that impact the internal auditing profession
  • Where appropriate, coordinating and promoting unified messages and responses to standards setters, regulators, and legislators globally, and providing them with information regarding best professional practices

In order of value to each organization’s members, the top 3 in my mind are:

  1. Joint projects to advance the internal audit profession
  2. To me this is going to have the biggest impact on stakeholders because the combined knowledge and experience in both groups should lead to higher quality standards and improved best practices. Perhaps a combined set of standards down the road?

  3. Recognizing each other’s continuing education
  4. For members of both organizations this is huge. Program content frequently overlaps (e.g. the IIA’s GTAGs) and internal audit departments generally have staff with CIA and CISA designations (as well as CA and CPA, and others), so significant cost savings may be realizable.

  5. Collaborating on continuing education
  6. This could open up each organization’s continuing education programs to the other one’s members, which immediately introduces fresh topics and facilitators to both groups. Synergy here will allow members to broaden their training, and provide an easier transition from one to both certifications.

The agreement should work out to be a win-win-win — for the organizations, members, and stakeholders. What do you think?

Outsource internal audit for greater objectivity

That’s the recommendation from the Institute of Chartered Accountants of India (ICAI), as reported by The India Express:

“In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more independence. If the auditor is from the organisation, it is as good as being an employee of the organisation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organisation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasibility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overreaction to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

“More important [than outsourcing] is the communication between head the of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the shortcomings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of communication between the Chief Audit Executive and the Audit Committee are direct and communications frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.

E&Y: Internal Audit should drive strategy

BusinessDay, a South African business news website, published a recent article referencing an E&Y study involving “more than 100 industry analysts from more than 20 disciplines”:

Organisations need to break out of the compliance cocoon and evolve into a fully fledged leadership role that delivers real value to the business. In the current economic climate, the biggest risk for most companies is not a failure to meet compliance requirements, but a failure to meet strategic targets.

The study also assessed last year’s top 10 business risks. In it, the analysts ranked the aftershocks of the credit crunch and the deepening global recession as the most important business risks, displacing regulation and compliance from the top spot.

Still more evidence that the Internal Audit profession demands an expanding skill set and well-rounded people with experience in more varied aspects of business. Auditors are going to have to continue to push themselves outside of their comfort zone in order to provide the greater value that shareholders require of the function.

How does your IA department stack up?