In part one of this article, Tim Leech defined the problems facing the internal audit profession. Here, Tim discusses his solution to the problem. 

This is an alternative view of the profession that readers and practitioners should consider in the context of their own approach and behaviours. The views expressed in this article are the author’s and may not reflect those of ACCA.

Executive summary

Over recent decades there has been a series of major corporate governance crises.  After each, post-mortems were convened and efforts made by regulators to identify root causes. The good news – or the bad, depending on your perspective – for the internal audit profession is that rarely were questions raised by those commissions and regulators about the role internal audit should have played to ensure these crises were avoided. 

What the commissions did call for was a massive global focus on the need for boards of directors to better oversee risk in their organisations. As global pressure on directors mounts to improve risk oversight, their dissatisfaction with traditional internal audit services is also growing. This article suggests the root cause of the mounting internal audit customer dissatisfaction globally is internal audit ‘paradigm paralysis’ – a strong attachment to traditional ways of conducting internal audits that no longer meet the needs of key customers. Specific recommendations are made to help internal auditors transition past the paradigm paralysis and adopt new methods that better meet the needs of the profession’s key customers.

The way forward: objective centric five lines of assurance

If you are willing to consider the central thesis of this article – that the internal audit profession is at what is sometimes called a ‘tipping point’ – and agree that the profession is being crippled, or at least seriously negatively impacted, by paradigm paralysis, including a strong attachment to traditional point-in-time direct report audits of internal control effectiveness covering a small percentage of the risk universe each year, a logical question has to be:

What can be done to prevent the internal audit profession becoming the next BlackBerry?

The first step in an ideal world would be for the internal audit profession, including IIA Global, to candidly acknowledge the failings of the current direct report internal audit paradigm and aggressively call for management to self-assess risk and risk treatments linked to key value creation and value preservation objectives[1] and embark on a radical paradigm shift change strategy.   

Unfortunately, if we accept the premise that IIA Global is simply too invested in the current direct report internal audit paradigm to be the one to drive the necessary changes fast enough, then change must come from what Joel Barker, a noted futurist and paradigm paralysis expert, called ‘the fringes’.

When Apple was created in 1976 its founders were often referred to as ‘hippies and nerds’, or ‘the fringes’ in Joel Barker’s taxonomy. Today, candidates to lead change in the profession include ACCA’s Internal Audit Network (which has commissioned this article); the Institute of Chartered Internal Auditors in the UK, which has published ground-breaking guidance for its members, particularly in the financial services sector; blogs and presentations calling for change by Norman Marks and Paul Sobel; IIA Canada members who led the CRSA/CSA movement in the 1990s and have consistently recognised work designed to drive radical change; IIA CCSA and CRSA certificate holders; and other ‘fringe’ participants.

It is important to note that in an ideal world change would be driven by the customers of internal audit services. For a variety of reasons, this is not likely to happen. Boards and the c-suite simply have bigger things to worry and think about. Unfortunately, excepting the FSB guidance on effective risk appetite frameworks, the majority of national regulators continue to show strong attachment to having internal auditors play the role of ‘controls police’, while at the same time calling on companies to implement more effective risk management frameworks. The views of regulators are a key element of the current internal audit paradigm paralysis. 

As a replacement for the current direct report internal audit paradigm I believe, based on 30 years of studying the evolution of internal auditing and customer needs globally, that an OBJECTIVE CENTRIC FIVE LINES OF ASSURANCE approach is best suited to meeting the needs of today’s boards, senior management, regulators and society at large.

Change has to start somewhere. The small body of loyal Apple disciples in the late 1970s were the seeds that grew into what is now one of the largest and most successful companies and support movements in the world. Experts generally agree that changing paradigms is possible, but very difficult. It will take a concerted effort from more than a few to change the current internal audit paradigm.   

Objective centric five lines of assurance – core attributes

Attribute #1 – Senior management, with board oversight and assistance from internal audit and risk specialists, make conscious decisions on the organisation’s top value creation and value preservation objectives and document them in an objectives register – simply put, these are the end result objectives they believe necessary for the organisation’s sustained success. Careful consideration is given to the costs and benefits of requiring more formal and visible assurance methods for each objective that is added to the register.

Attribute #2 – Senior management, with board oversight, assign ‘owner/sponsors’ and responsibility to report upwards on the current residual risk status for each of the objectives included in the organisation’s objectives register (the risk position related to the objective being assessed remaining after considering current risk treatment/responses).

Attribute #3 – Senior management, with board oversight, decide on the level of risk assessment rigour each of the objectives will receive; the level of independent assurance they want on each objective, if any; and the person, department or outside party that will provide the required level of independent assurance. For many objectives included in objectives registers this will be internal audit.

Attribute #4 – Internal audit’s work plan is driven by the assurance requirements defined in the objectives register. Internal audit also provides comments and recommendations if it believes there are objectives that should be in the objectives register that aren’t included. Internal audit may also be asked in the early phases to help owner/sponsors through training and facilitation services to complete risk assessments at the level of risk assessment rigour defined by senior management and the board. In organisations that have an ERM support group, their work plan is driven by helping owner/sponsors complete objective risk assessments on assigned objectives at the level of risk assessment rigour defined by senior management and the board, and helping management respond to quality assurance reviews done by independent assurance providers.

Attribute #5 – Senior management and the board receive regular reports from the CEO and/or his/her designate on the objectives in the objectives register, including concise information on which objectives are considered to have residual risk positions within the organisation and board’s risk appetite/tolerance, those that are not, how serious the situation is currently, and action plans to address those objectives currently outside of risk appetite/tolerance.  They will also be provided with reports from independent assurance providers, including internal audit, where management has indicated in their assessment that the current risk status is within the organisation’s risk appetite/tolerance, but the assurance provider believes that it is not, or is unsure if the current residual risk status is within the board’s risk appetite/tolerance.

Key benefits of objective centric five lines of assurance

Benefit #1 – accountability for managing and reporting on risk status is positioned squarely with the responsible party – management

Benefit #2 – senior management and the board receive timely and reliable information on risk status linked to top value creation and preservation objectives they need to meet escalating duty of care expectations

Benefit #3 – the framework focuses expensive assurance resources, including the time of management and assurance providers, on the objectives most key to the organisation’s long term success

Benefit #4 – the recommended RiskStatusline® risk assessment approach focuses on creating reliable information on the true state of residual risk linked to specific objectives, as well as ‘optimising’ the risk treatment strategy (ie the lowest cost possible combination of risk treatments capable of producing an acceptable level of residual risk), which helps drive continuous improvement and innovation

Benefit #5 – the level of internal audit resources required is defined by senior management and the board when they decide how many objectives will be included in the objectives register, the level of risk assessment rigour required, and the level of independent assurance. Without clearly defined end results there is no defensible way to define whether a company has an ‘effective’ internal audit function. Simply stating the company has an internal audit function, has an audit plan, and completes audits, an element that is currently expected by the FRC via the UK Governance Code, serves little purpose beyond creating the illusion of assurance. This risk was recently commented on by Richard Chambers in an October 2016 blog post.

Benefit #6 – the work of all assurance providers, including internal audit, external audit, safety, compliance, environment, quality, insurance, legal services and others is integrated

Benefit #7 – the framework is designed to integrate directly with the organisation’s strategic planning process. New strategic objectives being considered can be risk assessed on a pro-forma basis to determine if they are likely to be achieved operating within the organisation’s risk appetite/tolerance. Independent assurance providers can review and report on those assessments if management and/or the board believe it will add value

Benefit #8 – the approach integrates with core elements of ISO 31000, the global risk management standard and the intent described in the executive summary of the 2016 COSO ERM exposure draft

Benefit #9 – the curriculum necessary to train internal auditors to meet their defined role will be able to focus internal audit efforts on better meeting the needs of customers who are increasingly indicating they are unhappy with traditional direct report internal audit methods (ie where internal audit is the primary risk assessor/reporter). In the approach proposed in this article customers define what they want and internal audit focuses its work on meeting customer defined assurance requirements. It is a ‘demand driven’ not ‘supply driven’ model.

Benefit #10 – internal audit’s appeal as a profession will be substantially increased and salaries adjusted to reflect internal audit’s increased stature as a profession focused on helping organisations manage uncertainty linked to their most important objectives.

Are small steps possible?

For many organisations the new paradigm described in this paper will, quite simply, be too radical and not a good fit with the existing corporate culture. My suggestion for those that are in that situation is to start by completing all internal audit and ERM work using this objective centric risk assessment methodology. Over time this will lead to the evolution of a board and management driven corporate objective register and a slow transfer of responsibility for completing risk assessments to those most directly responsible for the objective(s) being assessed – management. 

Can the internal audit profession change or will internal audit become the next BlackBerry?

My honest answer after decades of studying the evolution of the internal audit profession is ‘I’m not sure’. There are many examples of organisations that have been able to reinvent themselves and go on to even greater levels of success.  My sincere hope, particularly as a parent who has a daughter in the internal audit profession, is that the profession can change and go on to even greater levels of success in the years ahead. The ‘fringes’ described earlier in this article will need to play key roles and be doggedly persistent and effective as important paradigm paralysis change agents.   

Tim J. Leech FCPA CIA CCSA CRMA – managing director at Risk Oversight Solutions Inc.

Risk Oversight Solutions focuses on helping companies more effectively manage risk and assurance to meet escalating board risk oversight expectations and add real value.  Tim has over 30 years of experience in the board risk oversight, ERM, internal audit, and forensic accounting fields, including expert witness testimony in civil and criminal proceedings, and global experience helping public and private sector organisations with ERM and internal audit transformation initiatives.  

Tim has provided training for tens of thousands of public and private sector board members, senior executives, professional accountants, auditors and risk management specialists in Canada, the US, the EU, Australia, South America, Africa and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader and trainer.  His article ‘Reinventing Internal Audit’, featured in the April 2015 issue of Internal Audit, received the Outstanding Contributor award from the IIA.  

[1] Author’s definition: Value creation objective: Objectives key to the long term success of the enterprise that will create enhanced shareholder value. (Example: Increase market share by 20%.) Value preservation objective: Objectives which, if not achieved, have significant potential to erode stakeholder value. (Example: Ensure reliable financial statements/disclosures.)