Anyone reading this takes pride in being a professional. Professionals study and become competent and qualified in a skill that others do not have. Professionals keep their skills up to date by investing their time to stay on top of the latest trends. Professionals don’t just mount their certificate on the office wall; they contribute to the discussion and the learning within their community, they may even participate in blogs like this one.
In every other profession I can think of, a statement of professionalism means something outside the profession just as much as inside it. We recently consulted a certified landscape engineer to deal with a problem we have in our yard. It is a risky option to go with a non-professional: we cannot have the wall collapse onto our neighbour’s property and we need someone who knows how to get the permitting process done right. In fact, because the City recognizes the qualification of our engineer, there is a value not offered by others.
It should be the same in our profession but too often we hear examples where the professionalism offered by qualified internal auditors is dismissed by the very people who seek to benefit from it. This comes in many guises, but the most frequent challenge to our credentials comes from people who call themselves “assurance providers” within our own organizations. A medical device manufacturer built its own FDA audit group, housed within a special Healthcare Compliance function in the Division. Because they had this specialist group, there was no reason for internal audit to do any work on FDA compliance risk. It was covered by the “experts”; people who lived every day in the rules and regulations specific to this industry and quite often people who had grown up in the operations. In fact, the FDA audit group insisted that “regular” internal audit was simply not qualified to do this work. Until, that is, warning letters started arriving from the Federal Food and Drug Administration (FDA). Now an investigation was under way, conducted under privilege at the direction of the legal department and things took a turn for the worse when it transpired that part of the issue was that the company had not even acted on earlier comments issued by the FDA.
You might look at this example and say this was just a classical “stiff-arm” defense by an operating unit that did not want to be audited and the internal auditor should have had more strength and conviction in his own position. Perhaps he should have forced the issue at the Executive Committee or even the Audit Committee. It may be so. However, what intrigues me is how easy it is to dismiss the internal auditor’s rights and qualifications to be the auditor in favor of other groups, when we would never dream of giving other important jobs to non-professionals. How readily would we, for example, allow a realtor to conduct his own environmental impact assessment or seek to represent ourselves in a foreign court of law? The fact that so many organizations turn to non-professional auditors makes me question what can we, as a profession, do to elevate the special and unique characteristics we bring to the table in such a way that the public consciousness not only accepts our role, but considers it an act of recklessness when the auditor is not called on to carry out all the audits? Have we even understood, among ourselves, what we bring to the table? Or, if we take a deep look at it, do we do enough to demand this role for ourselves?
I recently spoke with the compliance department of a large, international bank who were setting up an anti-corruption program. They had not even considered “outsourcing” the auditing component of the program to their own internal audit group. It just had not occurred to them. This was all part of the same project in their eyes and they thought they had all the tools they needed within the compliance department to not need any “outside” help. Don’t get me wrong, compliance and internal audit functions need to work very closely. We have, after all, the same ultimate goal: help the organization manage risk. However, all too often it is unclear how the separate roles of audit and compliance actually work and the result can be that the audit universe is split between professional auditors and subject-matter compliance experts. This is a recipe for things to fall between the cracks.
In the above example, we have the first clue as to why assurance needs to come from the auditor. A properly constituted, professional audit department must be operationally independent. The very fact that the auditor is in some important ways “outside” must be better understood as a thing of indispensable value to those who want assurance. Auditors must be competent and knowledgeable about the rules of course, but, because we do not write them or implement them, we bring a clear mind to the auditing process, free from bias. The auditor also has the freedom and the power to decide how and where to go deeper in an issue, and when it is appropriate to do so.
I have worked with many large companies and their audit departments. I find that in many cases, there is some level of territorial discussion around who provides assurance over which areas and often there is poor communication across the organization. Fiefdoms can become personal and jealously protected, sub-optimizing what could be learned about an issue. Usually, the expectation is that the CAO will find ways to “co-operate” with other assurance providers. This can often be code for staying out of the specialists’ way but sharing your work papers, risk assessments and draft reports in areas that might come close together.
While we can make our own, individual efforts to deal with this within our organizations, there is one thing we could do as a profession: we could own the definition of assurance and we could campaign for global acceptance of this as the basis on which professional auditors deliver their work. We can explain what this means in non-technical terms, and we can be clear about the standards that will, and will not, deliver acceptable assurance. If we do not take this on, I believe we will leave it to each individual company, regulator or auditor to come up with their own definition of assurance which dilutes our profession.
There is a starting point. International Auditing Standards govern the delivery of assurance reports and set out a number of very specific criteria that have to be met by anyone seeking to give assurance. It is a certificate that not everyone can offer, and for that reason, it has value. I don’t want to make this discussion a technical one, so I will leave for now the details on how this could work in an internal audit setting as opposed to, for example, external audit opinions; suffice it to say that there are some very specific ideas I have seen that make sense.
What is more important is to establish in the business community at large an understanding of what we offer, not just intrinsically, but through a specific, understandable and widely-adopted end product. I believe this can be done without commoditizing internal audit and I believe that it can be a platform on which we as a profession can help others to understand the benefits of professionalism we bring to the table. We need others to know what it means – and importantly what it does not mean – to have assurance. The simplest way to do this in my view is to offer a tangible deliverable. In some cases, I see professionals already going down this path inside their own organizations. This is fine within a single organization, but when each organization creates its own definition for what is essentially the same product, the more we dilute our offering and confuse our market. This, in turn, leaves us without an external force promoting the use of the internal audit professional except in vaguely-worded, broad standards, such as the New York Stock Exchange Listing Rules that essentially allow many different things to qualify as internal audit.
I believe we have here an opportunity to lead this discussion and also a willing international community that is interested in driving higher standards of practice. We also have an environment where even some of the largest organizations with sophisticated systems and supposedly strong control consciousness have fallen well short, so there is a call to action. The rewards can be to make our role more easily understood, less confused with financial auditors or Sarbanes-Oxley certifications and to remove some of the internal barriers we sometimes face. The cost will be additional investment in our skills and capabilities. But then, that is why we choose to belong to a profession.
As always, I am very interested in your reactions to the ideas expressed here. Where do you feel we stand and what, if anything, is your level of urgency on this topic?