We previously talked about: Why the CEO listens more to lawyers than the internal auditor. This is the continuation.
Although Internal Auditors talk about value delivery, the value they deliver is not easily visible to management. Consider the following key areas of concern:
- Information security assurance: this is one of the key things that keep most CEOs awake at night. Few Internal Auditors have the skills to conduct an independent and thorough ICT security assessment and (white box) penetration test. An average bank, for example, will spend about US $300,000 annually on IT audit and security work bought from external consulting firms or vendors. Despite this investment, the same bank will lose about 5% of its annual revenue to fraud, of which over 75% is IT fraud.
Very few Internal Auditors, if any, have the practical skills and knowledge to provide independent assurance and consulting to the board of the company or bank on the state of its ICT security.
ICT security refers to the confidentiality, integrity and availability of enterprise data classified as non-public information. For example, a bank customer's account details, such as the account number, balance and account signatories, are classified as confidential data. The bank risks reputational loss and lawsuits if such data ends up in the newspapers; that is a breach of the confidentiality objective. If, on the other hand, someone's account balance is manipulated and changed to more or less than it was, that is a breach of the integrity objective. And if the core banking application goes down and customers cannot transact, that is a failure of the availability objective.
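The integrity breach described above (a balance changed directly in the data store, behind the application's back) is exactly the kind of fraud an auditor with hands-on skills can detect independently rather than merely recommend that someone else look for. The following is an added illustration, not code from the original post: an audit-held HMAC key seals every account record and chains each tag to the previous one, so a changed balance, a deleted row or a reordered ledger all show up on re-verification. The account numbers, signatory names and the key are constructed sample data.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample ledger (hypothetical data, not from the original post).
SAMPLE_ACCOUNTS = [
    {"account": "0011223344", "balance": 125000.50, "signatories": ["A. Mwangi", "B. Otieno"]},
    {"account": "0099887766", "balance": 4200.00, "signatories": ["C. Njoroge"]},
]

# Hypothetical key held by the audit function only, never by the application DBA.
# The point is separation of duties: whoever can edit balances cannot re-seal them.
AUDIT_KEY = b"audit-only-key-do-not-share"


def canonical(record: Dict) -> bytes:
    """Deterministic serialisation so the same record always produces the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_ledger(accounts: List[Dict], key: bytes = AUDIT_KEY) -> List[Dict]:
    """Return a copy of the ledger where every record carries an HMAC-SHA256 tag.

    Each tag also covers the previous record's tag, so deleting, inserting or
    reordering rows breaks the chain and is detected, not just edits to one row.
    """
    sealed = []
    prev_tag = b""
    for rec in accounts:
        tag = hmac.new(key, prev_tag + canonical(rec), hashlib.sha256).hexdigest()
        sealed.append({**rec, "tag": tag})
        prev_tag = tag.encode()
    return sealed


def verify_ledger(sealed: List[Dict], key: bytes = AUDIT_KEY) -> List[str]:
    """Recompute every tag and return the account numbers whose records no longer match.

    An empty list means the integrity objective holds for the data under seal.
    """
    flagged = []
    prev_tag = b""
    for rec in sealed:
        body = {k: v for k, v in rec.items() if k != "tag"}
        stored = rec.get("tag", "")
        expected = hmac.new(key, prev_tag + canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison; avoid leaking tag bytes through timing.
        if not hmac.compare_digest(expected, stored):
            flagged.append(rec["account"])
        prev_tag = stored.encode()
    return flagged


def tamper_balance(sealed: List[Dict], account: str, new_balance: float) -> List[Dict]:
    """Simulate the fraud in the post: change a balance directly in the data store,
    bypassing the application and therefore bypassing any re-sealing."""
    altered = copy.deepcopy(sealed)
    for rec in altered:
        if rec["account"] == account:
            rec["balance"] = new_balance
    return altered


if __name__ == "__main__":
    ledger = seal_ledger(SAMPLE_ACCOUNTS)
    print("clean ledger, flagged accounts:", verify_ledger(ledger))
    fraud = tamper_balance(ledger, "0099887766", 99999.00)
    print("after balance change, flagged:", verify_ledger(fraud))
    print("after deleting first row, flagged:", verify_ledger(ledger[1:]))
```

In practice the auditor would seal a snapshot of the balances at period end and re-verify the same snapshot later against the live table; any account the second run flags is a balance that changed outside the sealed path and needs an explanation from management.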
An average Internal Auditor writes a predictable report of findings, usually in table form, thus:
"Observation: No ICT security review or penetration testing has been done in the past one year on the bank's critical ICT assets (banking application, HR and finance application, etc.).
Risk/Implication: ICT frauds could be committed, thereby occasioning loss to the company.
Recommendation: An external consulting firm should be engaged immediately to conduct a 360° security review of all the company's ICT assets in line with leading practices, especially COBIT 5, the single integrated framework for IT governance.
Management comments: Point noted, and we shall implement as advised."
This Internal Audit report format has been the same since Internal Auditing began. What has changed is the layout, the formatting and the traffic-light colouring that flags each point as high risk (red) or low risk (green). In my past 10 years as a fraud examiner, I have not come across an Internal Audit report highlighting areas where management had done very well and recommending that they be used as a model for replication in other branches or business areas within the company.
Many Internal Auditors have restricted themselves to 'exception reporting', which alienates business leaders and stops them from viewing internal auditors as strategic partners.
I know that you are probably thinking about IA independence.
Yes, you can do the right thing and remain independent. Internal Auditors must avoid being involved in the implementation of any initiative; that is management's role. Anything else is open to you. You can recommend to management anything across the entire organisational spectrum and be viewed as an exceptional expert whom everyone must listen to. For example, how have you evaluated the appropriateness of management's strategic planning process and its choice of strategies? You need to comment on areas such as strategy and execution effectiveness, including investment in the capabilities that drive value and are aligned to those strategic choices.
What is wrong with the former approach?
There is little Internal Audit value delivered to management.
In effect, CEOs and senior management view the Internal Audit department as 'nagging' rather than problem solving. IA is seen as abstract rather than practical, as complainers rather than business partners. IA is more concerned with exceptions, which after all are a normal part of business growth, than with 'we are on track, keep doing this and things will be ok'.
The Institute of Internal Auditors has invested a lot of resources in redefining the role of Internal Audit and promoting the status of auditors within governments and organisations. But many internal auditors are still stuck in the old ways. They know the new role of IA in theory, but lack the skills and resources to deliver it. Many are still content with an annual audit plan built around operational issues at the expense of the other core business areas. Much as auditors will say that their audit is risk based, the report produced says little about the key enterprise risks: whether the risk indicators are appropriate and how they are applied in proactive risk management. For example, in organisations like banks, insurance companies and telecoms, you would expect internal auditors to report on the use of artificial intelligence and machine learning in proactive risk management. But even with a microscope it is almost impossible to find anything in their reports about using machine learning to raise a risk red flag. Internal auditors make no case for integrating real-time risk analysis into operations.
The areas of concern to many CEOs include, but are not limited to:
- Strategy execution and going concern
- Emerging technologies; data privacy and security
- Fraud risk management
- Operations; especially supply chain
- Stakeholder management
- Regulation and compliance
- The right team; avoiding turnover
- Impact to society while making the shareholders smile financially
The above issues are well catered for in the new role of Internal Auditing as defined by the Institute of Internal Auditors, thus:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
A typical Internal Auditor's annual work plan covers mostly operational issues. That means their scope is limited to the fourth item above (operations) for the entire year. There is limited input by Internal Auditors into strategic planning, technology optimisation and security, fraud risk management and stakeholder involvement.
To get a seat at the top management team level and deserve it, Internal Auditors must change their outlook to the work they do. Focusing on prevention would help achieve this.