Boards Relying on Internal Audit to Protect Against Risk
This headline, taken from an article in Accounting Today, caught my eye. It got me thinking about internal audit training, especially as a result of recent revisions to the International Professional Practices Framework and proposed changes to internal audit standards.
Are internal auditors being properly trained to do their jobs in today’s business environment, an environment filled with ever-increasing risks?
Who is internal audit?
The Institute of Internal Auditors (IIA), the professional organization for internal auditors around the world, defines internal auditing as follows:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Not all public companies have an internal audit function, relying instead on their external auditors. However, this may soon change. The IIA is among many parties urging the U.S. Securities and Exchange Commission (SEC) to require all public companies to maintain an internal audit function. They argue that having an internal audit function is in the best interest of the investing public and is important for effective corporate governance.
Internal auditors have a unique position on the front lines to be able to help companies mitigate risk and deal with an ever-changing business landscape. They are the first line of defense to identify potential misstatements in the financial statements or significant deficiencies in internal controls, fixing the issues before regulators and external auditors make a bigger deal out of it. However, does internal audit they have the proper tools and knowledge to adequately do their job?
A new framework is published to guide internal audit.
Recognizing the increased importance of internal audit to organizations, the IIA recently unveiled enhancements to its International Professional Practices Framework (IPPF)®, which has provided professional guidance to internal auditors worldwide since 1947.
According to the IPPF, the mission of internal audit is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.
However, probably the biggest change to the IPPF is the addition of 10 core principles:
- Demonstrates integrity.
- Demonstrates competence and due professional care.
- Is objective and free from undue influence (independent).
- Aligns with the strategies, objectives, and risks of the organization.
- Is appropriately positioned and adequately resourced.
- Demonstrates quality and continuous improvement.
- Communicates effectively.
- Provides risk-based assurance.
- Is insightful, proactive, and future-focused.
- Promotes organizational improvement.
For purposes of this post, I would like to focus on the second core principle – competence. The AICPA’s Code of Professional Conduct describes competence as follows:
Possessing the appropriate technical qualifications to perform professional services that the member is performing, supervising, or evaluating. It encompasses knowledge of the profession’s standards, the techniques, and technical subject matter involved, and the ability to exercise sound judgment in applying such knowledge in the performance of professional services.
As stated above, auditors must have knowledge of the technical subject matter, which I would argue includes an understanding of the related accounting requirements under U.S. GAAP and IFRS.
Does internal audit have the necessary technical knowledge?
I recently interviewed two former accounting policy managers of public companies and asked them whether internal audit had the appropriate technical knowledge to adequately perform their responsibilities. Both were very complimentary about internal audit’s knowledge of processes and internal controls. However, both believed that the internal auditors they dealt with lacked the technical accounting knowledge needed in certain areas such as financial instruments, fair value measurements, and income taxes. No surprises here as these are areas where we see external auditors struggle as well.
On January 20, 2016, accounting firm EisnerAmper LLP released its sixth Board of Directors survey Concerns About Risks Confronting Boards. The survey found corporate boards rely heavily on the internal audit function to help them mitigate risk. According to the survey, reputational risk ranks as the top risk confronting boards. However, fewer than half of the respondents believe internal audit is “well-versed” in the issues. Furthermore, the survey noted that, despite the growing risks facing companies, the majority of “boards do not appear to be interested in making significant changes to their internal audit function.”
I believe this is a mistake!
In September 2014, PwC published a paper Metrics by design: A practical approach to measuring internal audit performance, noting there are indicators that internal auditors are not keeping pace with the changing risk environment facing organizations and the rising expectations of the function itself. A recent article published by CFO.com asks the question “Does the internal audit staff have the proper mix of process-management skills and topical knowledge that our company will need to sustain itself in today’s uncertain business environment?
I believe they do not!
Being a former external auditor, I have worked closely with internal auditors for many years. They have always acted objectively and with integrity. I also found the vast majority to be very knowledgeable – about processes and internal controls. However, this knowledge will only get you so far. I would argue that, in order fulfill their mission, to provide objective assurance, advisory, and insight in accordance with their mission; they must also fully understand the critical accounting policies and estimates of their organization. In my opinion, auditors, both internal and external, sometimes get so lost in checklists, flowcharts, and memorandums, they can’t see the forest for the trees…that the underlying technical accounting is wrong. And guess what?
Restating financial statements is probably not good for a company’s reputation!
In summary, I agree that the internal audit function is in a unique position to help companies deal with the ever-increasing risk environment in which they operate. However, I believe corporate boards should be investing more, not less, in this function and that a portion of this investment should be spent on quality training tailored to the critical accounting policies and estimates of the organization. Given the proper tools and training, I believe internal audit can fulfill their mission and stand true to their core principles, including demonstrating competence.