I have come to an epiphany, so appropriate for this time of year perhaps, and it is this. That internal audit is at a tipping point.
I’ve written a number of times that internal audit is a young profession, one that is emerging from its accounting and general external audit background. It is one, however, that has an identity crisis. Internal audit is close to so many other things, but it is not those things: consultancy; quality assurance; compliance checking; internal financial controls audit; risk management; governance; and even management. Yet internal audit is none of these. It is a composite of these, but it also has some unique features.
It should have people of high enough quality to be consultants, but has closeness to the business to really deliver on the promise of consultancy (to create real and lasting change with a full and context-dependent understanding of its client businesses). It is dependent on its client organisations enough to care, but independent enough to challenge. It has enough external audit or formally trained auditors to be able understand external and internal financial best management. It should be able to understand governance well enough to be able to ensure its messages and client organisations operate effectively, ethically and legally. It should understand its client’s businesses enough to support top management (though of course it would not want, nor ever, step over that line). It should be technical enough to at least understand specialist risks faced by the business, IT, legal, property, operational etc.
So internal audit should be able to cover the whole business but use its unique overview and position with the board to really push forward business change. To be the key support of the board and top management to really assist them to manage risk, tackle key strategic challenges and deliver on the organisation’s strategic objectives. I was chatting to a person I really respect, who works in IT and has a really good common sense (it is not common) view of businesses. He made me realise that internal audit really is an exciting, challenging, broad-based and rewarding career to work in.
So why the tipping point? Well I think any half decent audit function should not go ignored; it cannot be. Internal audit should be making an impression on the business, it should be engaged in a helpful way to support the board, management team, and challenge both with helpful advice and views. Yet there is a risk of this tipping point. There is a risk that all of this work to define internal audit as a renaissance profession, as something that is about using the uniqueness of independence with the power of its access to the board, and its disciplined approach to risk, to deliver a risk-based assurance opinion through a consultancy style of audit, is thrown away. Thrown away by defining internal audit as external (being delivered externally, which rarely works), or defining internal audit as financially, or Sarbanes-Oxley, obsessed.
This will occur if external auditors get their two dimensional view accepted, if internal audit functions do not prevent outsourcing, if internal auditors do not tackle bigger issues and risks, if we persist in not making each piece of work to a consultancy standard. So as my new year’s resolution and my new year’s exhortation to all internal auditors, is to make 2014 the year of internal audit. Make it the year you use your relevance to really deliver value to your clients. Not two dimensional, so-called, ‘added value’, but just doing good internal audit really, really, well. That will make internal audit better than disappointing consultancy, limited external audit, automaton quality assurance, process-obsessed governance, detailed obsessed risk mangers and align internal audit to the other real heroes of organisations, hard-pressed top management.
Here’s to 2014, the year of ‘internal audit’!