Companies want the "compliance police" to get more involved with process improvements and enterprise risk assessment, but they may be unprepared to make the change, E&Y research suggests.
David McCann, CFO.com | US
December 4, 2008
One has to wonder at the survey E&Y did---the results are certainly self-serving--coming to the conclusion that internal auditors can't do operational auditing. So--oh, guess what?--the external auditors now do internal auditing. Was there ever a better oxymoron? And the IIA (which is unlike the AICPA--members don't vote on changes) was complicit in making the change that allowed the externals to be both the internal and external auditors. The SEC put an end to the extreme Enron-style incest that resulted when the IIA redefined internal auditing (having been infiltrated by Big firm money), but outsourcing to external auditors is still alive and well as long as the same external CPA isn't doing both. As if that meant external auditors could do the job their johnny-come-lately "internal auditors" have magically learned how to do in the last decade. Any truly experienced internal auditor who was raised on Larry Sawyer has operational auditing in his/her bloodstream. You Big 4 internal auditors have read Sawyer, right? RIGHT???
Posted by Fred Keys | June 02, 2009 03:19 pm
Here one for the IIA Chief Advocacy Officer...Why has the IIA been slow to answer for the sins of the past? Just recently the IIA updated the Professional Practices Framework with a few sentence changes here and there and now it becomes global in scope? Or is this the way of increasing membership/revenue? Are these the tools expounded by the the Chief Advocacy Officer given by the professional organization to their auditors? The IIA for a long time passed on the opportunity to liason with organizations which would have given auditors cutting edge tools/information (i.e. with ISACA) but they chose not to professing the IIA as exclusive membership. Just recently they partnered with the ACFE because fraud was high on the public radar and did not want to miss that opportunity. The emphasis of the IIA is more tunned towards catering to outdated committee professional who are interested in the number of wine bottles ordered and drank at their gathering. IIA View: the name and affiliation of the professional is suppose to lend credibility to the value proposition added in IIA guidance. Isn't this the same value proposition given by the professionals at wall street which lead to their demise? The gist is that the IIA is antiquated and not robust enough to changing enviroments or policies (Is the IIA training auditors on the change to IFRS audits?). The IIA should be at the front of guidance and tools making sure the auditor is well equiped and not agreeing with the findings of an study that auditors fail in delivering to organizations. The individual auditor by IIA standards is left out in the battle field to best interpet IIA guidance and satisfy the organizations they serve. The tools and late enlightment of "auditors should have had this training" is not given by their professional organization. Test under fire is more the professional auditor.
Posted by Guillermo Guiterrez | April 06, 2009 01:03 pm
Internal auditing,corporate governance and fraud risk management is a corner stone of many but a few organisations that would want their systems okayed and monitor for the good of the tax collecter,bankers,shareholders name but a few. Many organisations have employed professionals who are not qualified in internal auditing to which we can not blame the employer's decision to do so, but professional internal auditors should market their own profession and show that they add value to the institutions they serve. Any body can claim to be a professional internal auditor but with no requisite professional and academic degree in internal auditing shall be shallow in performance of audit work. Tone at the top should understand more to utilize internal auditing ,corporate governance and fraud risk management services found in the internal audit department to help organisations become outstanding in proper management of their resources. It has now become knowledgeable that most organisations in Europe,the US and South Africa's corporates should understand well the roles the internal auditing,corporate governance and fraud risk management services bring to their organisations. Professional Accountants have held these positions before,but what is happening is overwhelmingly shameful not with standing the rules and regulations, IFRS standards are well in place but the performance of CFO require alot more. THUS WHY THE PROFESSIONAL INTERNAL AUDITING,CORPORATE SERVICES AND FRAUD RISK MANAGEMENT should be taught moore in universities and colleges at under graduate and higher research degree qualifications to help decisions at the top to be more profitable to the organisations. Legislations have been mooted in many countries. Complimentary laws and regulations towards good management practices are in place, but many have not enacted internal audit laws as a requirement by all institutions including governments to help fight graft,compliances,risks and frauds. Internal auditng and corporate governance,are needed in Institutions to re invent the way they manage their resources from decisions in the boardroom down to the low level staff. Internal auditing would act as the link for the body corporates to understand from the roles of research degrees internal auditing. We hope that research profiles from the academia on these issues above on internal auditing,corporate governance and fraud risk management shall bring confidence in the corporate world to enhance best practices in the willing and good economies,while the third world shall learn from such admirable learning organisations or lag behind in their bid to fighting . Richard Gudoi Gid'Agui
Posted by Richard Gid'agui | February 04, 2009 08:07 am
The problem with surveys is that you can read many things into them. I think that one of the changes occuring in business is the the increasing focus on corporate governance. Internal audit's role in this area is still evolving. However IA should have a greater role in enterprise risk assessment. This will naturally expand their role from being financial statement focused to being more business focused - including strategic, operational, regulatory (in addition to Sarbanes) - and corporate compliance. A payback from looking at new areas with fresh eyes is that potential improvements may be identified - however this should not be the highest priority. I suggest that the maturity level of many internal audit groups in the ERM is low, however I expect more focus in this area in th emid term.
Posted by Christopher Fox | December 09, 2008 11:20 am
No matter the intended focus of the auditor, much of the internal audit approach is often dependent on the maturity of the organization with respect to control structure, present compliance issues, present fraud, etc. It's very difficult to stay with Generation 3 and 4 Risk Based Auditing (Sobel: Auditor's Risk Mgmt Guide)of departments when present fraud or compliance issues are overwhelming the organization. My past experience in one organization was of an internal control and process improvement focus while at another was detecting and preventing widely prevalent fraud and voluminous compliance issues. Over time, we were able to move beyond that as proper internal controls were implemented. Carlos L Holt, CIA, CFE, CGAP
Posted by Carlos Holt | December 08, 2008 10:51 am
A properly organized and managed Internal Audit Department should go way beyond compliance audits. With very talented proactive professionals focused on (positive deliverables) to the organization, I built a successful program and was well rewarded by promotions. Compliance is important but don't stop there. Read about what we did at Phelps Dodge Corp in Managing the Audit Function, (by Cangemi & Singleton) now in a third Edition and Chinese translation. SOX is only focused on risks to financial reporting -- think more like IA should improve a company, control structure and beyond. Staff and train accordingly and there will be an ROI. Michael P Cangemi CPA, CISA
Posted by Michael Cangemi | December 04, 2008 02:13 pm
Most of the auditors I have come across are historical bean counters but when the beans are fried and toasted they are not really prepared to consider stir fry, bake or stew it. Thus, what I am really saying is the training of auditors and the recruitment of auditors with limited variables in the backgrounds make them rather myopic on what is happening on the ground or mainstreet. Further, I would like to include in their training the ability to sell an encyclopedia so that they have an inkling what the ups and downs of a business is like.
Posted by Jon Tay | December 04, 2008 01:34 pm
I have been doing operational auditing across all business functions since 1970. Compliance auditing is for the most part a joke. 15 minutes after you "fix" it. management has the ability to change it right back again or "fix" the policy to make it okay.
Posted by Gerald Miller | December 04, 2008 01:24 pm© CFO Publishing Corporation 2009. All rights reserved.