This article was reprinted with permission from the April 2015 issue of Internal Auditor magazine, published by The Institute of Internal Auditors, Inc., InternalAuditor.org.
Recent governance-related developments require the profession to revisit some of its long-held paradigms.
For at least the past decade, internal auditing has been in a state of growth and progressive change. And while it has evolved and advanced significantly, many practitioners nonetheless remain bound by some fundamental, confining paradigms. These paradigms include:
- Internal auditors plan, execute and report results of point-in-time audits.
- Internal auditors assess internal controls and report opinions on whether they believe controls are effective.
- Internal auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies or opportunities for improvement.
- Direct-report auditing is the primary approach used globally. In a direct-report engagement, the auditor evaluates the subject matter for which the accountable party is responsible. The accountable party does not make a written assertion on the subject matter.
- The profession has been primarily supply-driven rather than demand-driven, as Boards and C-suites have often not specified their assurance needs, leaving internal audit departments to form their own views regarding which objectives/topics to focus on.
- Internal audit often does not know (or require that management and Boards define) the type and amounts of residual risk the company and its Board are prepared to accept.
Many internal audit departments have not assessed and reported on risks to the organization’s top strategic/value-creation objectives or the effectiveness of its overall risk management framework. According to Enhancing Value Through Collaboration, an IIA Pulse of the Profession report, internal auditors surveyed dedicated a mere 8 percent of resources to their company’s strategic objectives in 2014.
The profession’s long-established practices have generally been viewed as adequate — even good to excellent — but their relevance to today’s stakeholders has begun to diminish. A shifting governance landscape places the profession’s traditional methods in jeopardy and points to the need for radical change. As stakeholder expectations evolve, internal audit must revisit existing paradigms and rapidly adjust to maintain its relevance.
Key developments over the last several years have significant implications for Boards, senior management and, in particular, internal auditing. The changes they have brought span industries and geographical boundaries and are far-reaching in scope.
Increased Board Risk Responsibility
Following the 2008 global financial crisis, commissions were convened around the world to help understand what had gone wrong and prevent destabilizing events in the future. From these efforts, consensus emerged that Boards and, to a lesser degree, regulators, had not adequately discharged their duty to oversee what is increasingly being called management’s “risk appetite and tolerance.” Consequently, Board responsibility for overseeing management’s risk appetite and tolerance has risen significantly.
Creation of the Financial Stability Board
Shortly after the onset of the global financial crisis, the Group of Twenty, an assembly of representatives from the world’s largest economies, created a new international regulatory advisory body — the Financial Stability Board (FSB). The board currently includes government officials and financial sector and securities regulators from around the world. With unprecedented speed, it has formulated and disseminated paradigm-shift guidance that could effectively spur the re-engineering of corporate governance globally.
Among the FSB’s most significant contributions to date is a November 2013 guide for national regulators, companies and auditors titled “Principles for an Effective Risk Appetite Framework.” The guide’s authors define new and bold proposals for management, Boards and internal auditors. Details of the role proposed for internal auditors are shown in the sidebar “FSB’s Guidance for Internal Audit” below. In essence, the FSB calls on practitioners to transition from providing point-in-time, direct-report, subjective opinions on control effectiveness for a small percentage of an entity’s risk universe to reporting on the reliability and effectiveness of an organization’s entire risk appetite framework. The scope of reporting would include the reliability of enterprise risk status reports provided to the Board by senior management. Although the FSB framework was aimed primarily at the financial services industry, the core concepts it promotes are relevant to all sectors.
Adoption of FSB Guidance
Regulators around the world have started to enact regulations that reflect key FSB recommendations — particularly the need to assign primary responsibility for risk management and reporting to management and risk appetite and tolerance oversight to Boards. The revised UK Corporate Governance Code, issued in September 2014, provides one of the most notable illustrations of this activity. It positions responsibility for risk oversight squarely with Boards of Directors; calls on management to design, implement and maintain effective risk governance frameworks; and asks Boards to seek independent assurance that management has designed, implemented and maintained effective risk governance frameworks. Other countries that want to improve the integrity of their capital markets are expected to follow the UK’s lead.
Reduced Audit Client Satisfaction
As these regulator-driven developments gain traction globally, PricewaterhouseCoopers’ 2014 State of the Internal Audit Profession Study paints a picture of a significant decline in Board and senior management satisfaction with traditional, direct-report internal audit services. One of the report’s most disturbing findings is that half of senior management and nearly 28 percent of Board members say internal auditing adds less than “significant value” to their organization. Moreover, only 49 percent of senior management and 64 percent of Board members say internal auditing is delivering on expectations.
FSB’s Guidance for Internal Audit
In its Principles for an Effective Risk Appetite Framework, the Financial Stability Board proposes specific responsibilities for internal audit and other independent assessors. The framework states that internal audit should:
- Routinely include assessments of the risk appetite framework (RAF) on an institution-wide basis, as well as on an individual business line and legal entity basis.
- Identify whether breaches in risk limits are being appropriately identified, escalated and reported, and also report on the implementation of the RAF to the Board and senior management as appropriate.
- Independently assess the design and effectiveness of the RAF periodically, as well as its alignment with supervisory expectations.
- Assess the effectiveness of the implementation of the RAF, including linkage to organizational culture, as well as strategic and business planning, compensation and decision-making processes.
- Assess the design and effectiveness of risk measurement techniques and management information systems used to monitor the institution’s risk profile in relation to its risk appetite.
- Report to the Board and senior management in a timely manner any material deficiencies in the RAF and report on alignment (or otherwise) of risk appetite and risk profile with risk culture.
- Evaluate the need to supplement its own independent assessment with expertise from third parties to provide a comprehensive independent view of the effectiveness of the RAF.
A preview of Tim Leech’s presentation at The IIA’s 2015 International Conference, held that summer, is also available.