Who audits the internal auditors?

(First of two parts)

This question has been posed to me many times, both in my past life as an internal auditor of private organizations and currently as an advisor on governance, risk and controls to our clients.

During my early years in the profession way back in the 80s, I would arrogantly, but with a smile, respond to this question by saying: “None. This is the reason why I prefer to be an auditor, rather than an auditee; it’s our privilege!” I had believed that we auditors have earned the trust, respect and confidence of management by maintaining our objectivity, competence and integrity, and that through diligence, discipline and continuous professional development, we were “beyond reach” and need not be subject to audit.

‘Rude awakening’ and the ‘new rules of the game’

Later on, I realized that I would have to humbly eat my words when my internal audit department (of a multinational oil company) underwent an “external quality assessment” by a “Big 8” Accounting Firm (before the mergers of “Big 8 firms” and the fallout of a major accounting firm in 2002). This assessment was initiated by our progressive, dynamic and dauntless Regional Audit Manager and sanctioned by our General Auditor who was then based in our Corporate Headquarters in Dallas, Texas. I must say that it was my “rude awakening” that the internal audit profession is fast evolving and that the “rules of the game” are getting to be more structured, more definite, and clearer, hence far more challenging than ever before.    

Fortunately, we came out better after the said audit and many of our current practices then were already aligned with the Standards and so-called “leading” or “best practices in internal auditing.” Of course, some gaps were identified and we worked our way to address them, including the need to formally implement risk-based audit planning. I thought we were already applying risk-based audit since we would identify and analyze various risk factors to determine the audit priorities and the significant auditable areas to focus on.

Need for independent review

The demands on the internal audit practitioners were further raised when the Institute of Internal Auditors, Inc. issued in 2000 a new standard – International Standards for the Professional Practice of Internal Auditing (ISPPIA or “the Standard”) – and a new Definition of Internal Auditing.

The Standard specifically mandates that “External assessments, such as quality assurance reviews, should be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization.” (1312 – External Assessments). Moreover, the Standard requires that the chief audit executive (sometimes also titled as internal audit head, audit director, chief auditor, general auditor, or inspector general) develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity and continuously monitors its effectiveness (1300 – Quality Assurance and Improvement Program). This program must include both internal and external assessments (1310 – Quality Program Assessments; 1311 – Internal Assessments; 1312 – External Assessments).

The ‘new corporate landscape’

The new definition of Internal Auditing also expanded the scope of the internal audit to cover not only controls but also risk management and governance. This means that auditors are expected to go beyond their traditional roles of compliance-based auditing by reviewing more strategic and riskier areas for the organization (that is, the world of risk management and the realm of corporate governance) which were never before explored and that “only brave souls would dare to tread”. In other words, the internal auditors are ushered into a “new corporate landscape” and are expected to assume a greater role in the “new” governance model.

It became quite clear to me that for corporate governance to work well, everyone in the organization, including the chairman of the board, board members, and so-called “sacred cows” or very high officials such as the presidents, chief executive officers (CEOs), and chief operating officers (COOs), should be made accountable and subject to audit or some kind of review. Internal auditors, of course, are no exception.

In the second part of this article, I will discuss the preparation needed to pass the external quality assessment and the essential minimums for the internal audit function to comply with the Standard.

(To be concluded)

(Reginald C. Nery, CPA, CIA, CISA, CFSA, CCSA, CISSP, CISM. He is the Head & Partner of Performance and Technology Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.

This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com or rcnery@kpmg.com)
