Richard F. Chambers, CIA, QIAL, CGAP, CCSA is president and CEO of the Global Institute of Internal Auditors (IIA), the global professional association for internal auditors. He has spent more than 40 years in internal auditing and association management, serving as inspector general of the Tennessee Valley Authority, deputy inspector general of the U.S. Postal Service, and director of the U.S. Army Internal Review at the Pentagon. Richard is a prolific blogger and speaker and has been featured in numerous major media outlets, including The Wall Street Journal, The New York Times, Bloomberg Radio, CNBC, and CNBC Asia. Accounting Today selected Richard as one of the 100 Most Influential People in Accounting in 2013, 2014, 2015, 2017 and 2018 and the National Association of Corporate Directors (NACD) named him one of the most influential leaders in corporate governance in 2014, 2015, 2016 and 2018. Richard authored the award winning book, Lessons Learned on the Audit Trail in 2014 and Trusted Advisors: Key Attributes of Outstanding Internal Auditors in 2017.
A few months ago I had the privilege of sharing with him some ideas about the challenges of internal audit. These are some highlights of our conversation.
Q. Everybody is talking about disruption, radical change and transformation. However, this is nothing new. A professional such as yourself with a long career must have heard many similar things before, but from the point of view of the profession of internal auditor, what makes it different this time?
A. As I’ve experienced over more than 40 years in the internal audit profession, change is the only thing that is constant. But I think what is extraordinary now is the pace of that change. It is especially difficult when something new emerges before you have had time to acclimate to and master the previous “something new.” Internal auditors must be keenly attuned to the risks associated with each new advancement. A significant part of internal auditors’ job is helping the organization identify and mitigate risks quickly, efficiently, and effectively. When that does not happen, there can be significant ramifications to the organization and its stakeholders.
Probably the most tangible effect internal auditors are experiencing from the pace of change is the way annual audit plans are developed and managed. Risks emerge too quickly to rely on one plan for the entire year; internal auditors need to ensure that audit plans are constantly and consistently reviewed so they can audit at the speed of risk.
Q. How much of this transformation can also be attributed to a change in the expectations of the internal auditor’s stakeholders?
A. Stakeholders are not immune to the upheavals of constant, rapid change. They experience their own pressures and challenges and those may alter their expectations of internal audit. In fact, studies show a widening gap between what stakeholders expect of internal audit and what internal auditors believe they should deliver and have the capability to deliver. This means that those in the profession must consistently ramp up their knowledge, skills, expertise, and awareness of what is going on in the marketplace — which ties into something I always urge internal auditors to do: provide insight and foresight, not just hindsight. That is what trusted advisors do.
Q. A change after the crisis has been the rotation of financial auditor. How is the internal auditor’s relationship with the external auditor evolving? Have any changes been observed?
A. Rotation of the external (financial) auditors is not being universally mandated around the world, as there are both benefits and detriments of implementation. The institutional knowledge of a client firm comes partly from developing a strong, yet controlled, relationship between internal and external audit. My opinion is that the relationship between internal and external auditors should be arm’s length in order to keep an appropriate level of independence. However, there must be communication, and the external auditors should rely on the work of the internal auditors when appropriate.
Q. Some regulators consider that if the external auditor is subject to mandatory rotation, then perhaps it might be a good idea for the Chief internal auditor to rotate as well. What is your opinion on this matter?
A. I understand the rationale behind the rotation approach and I see the pluses to it. On balance, though, I think the minuses outweigh the pluses. Internal auditing is a profession that requires a specific set of hard and soft skills, and I believe the function is best led by those who have spent the necessary time, experience, and training in developing them.
With rotation, not only is the head auditor’s lack of experience troubling, but objectivity and independence issues are also of concern. In fact, I would suggest to organizations that use rotation to be especially vigilant about bias. Do not have the chief audit executive report directly to the area where he or she previously worked or plans to return; in fact, if possible, do not allow a return to the previous organizational department. Also, give the rotation time — five or six years, at least. This gives the individual time to grow into the position and reduces the risk of perceived or actual reporting bias.
A. Almost a decade after the publication of the three lines of defence model, this concept, although widespread, has not yet achieved the unanimous support required within a profession to build principles. What is needed to achieve a broader consensus? Is there something to change in the 3LoD model? More knowledge, more flexibility, perhaps progressive thinking?
A. While there are differences of opinion on the model, The IIA has leveraged the 3LoD to help illustrate the vital role internal audit plays in organizations. We believe, based on research and the collective insights of our global network of experts, that the 3LoD has provided a reasonable illustration of how the key players contribute to the protection of the organizations they serve.
Still, attention needs to be paid to the possibility that stakeholders will believe the second-line functions, such as ERM and corporate compliance, provide all the assurance they need on the effectiveness of risk management and internal controls. They may perceive internal audit as being “redundant” with the second line and, therefore, a place to cut costs. Internal auditors have some work to do to help them understand and appreciate that the objective assurance internal audit provides is vital to effective governance. Not only must internal audit demonstrate to stakeholders the value of independent assurance, we must also communicate and collaborate effectively with second-line functions to avoid any duplication.
The IIA is committed to reexamining the 3LoD model to ensure it accurately portrays the roles that management, the board and internal audit play in their organizations. We are also committed to exploring how these players contribute not only to protection of value, but to the enhancement of value, as well. Don’t be surprised if The IIA has much more to say on the topic in the coming year.
Q. One of the priorities of the institute that you lead is to offer visibility to the profession. Traditionally our profession does not seem to be among the most popular – among the high performer – at the moment. Is an internal auditor born or made? Let me explain. Should we think of it as a vocational profession or as a business function that can be achieved by different means, but which does not call for a special vocation?
A. I firmly believe that internal audit is a profession that needs to be performed by individuals who are trained in its methods, standards and ethics, and in an array of skills, such as communication, analytical thinking, open-mindedness, and a focus on results. It is not a checklist process that can be handled by a machine or by someone who just performs an occasional audit on the side.
The IIA spends a lot of time studying what makes especially good internal auditors, both now and in the future. By 2030, I believe those leading the profession will need to be innately risk-centric, adept with and unafraid of technology, incessantly curious but also professionally skeptical, creative, cosmopolitan, and intellectually honest. 2030 is more than a decade away, but I believe it will take every bit of that time for current internal audit practitioners to polish those skills and be ready for the challenges that await. To my mind, that level of dedicated focus belongs only to a specific profession, not just a business function.
Q. If you could start your professional career again, would you like to be an internal auditor? How can we convince the most talented individuals to choose internal audit as a profession? What can we tell them?
A. I did exactly that. I started in internal auditing and then left it for a promotion in an accounting role. Less than a year later, I was more than ready to step back into internal audit. I came to understand and appreciate what I really liked about internal auditing, which are exactly the things I describe to people who are considering entering the profession: the holistic view of the organization’s business, opportunities, and challenges; the diversity of the assignments; the chance to interact with different types of people, from varied backgrounds, working in all sorts of positions; and the almost limitless opportunity to grow and evolve in a career.
Q. You also stressed the importance of corporate culture being aligned with the values that should be safeguarded by internal audit. What three questions do you think an auditor should ask a company before accepting a job offer?
A. Three questions are not nearly enough, so in addition to asking questions, I would advise the auditor to use his or her professional skills to observe the organization and draw conclusions. Are awards prominently hung recognizing company or employee achievement? If so, what kinds of achievement are honored? Are there posters noting community or philanthropic work supported by the organization? Do employees seem to be relaxed and enjoying their work, or are the halls silent and empty?
But, if there is time for only three questions to focus on values of special importance to internal audit, I would suggest asking:
- Is there a code of ethics/conduct for the organization and is it understood to apply equally to all levels of employees? This speaks to tone at the top.
- Is there a whistleblower policy and hotline, and what is the organization’s experience with its use? An organization that does not facilitate reporting of wrongdoing may have a culture that does not welcome the contributions of internal audit.
- To what degree is culture included in audit plans? It should be folded into virtually every audit.
5 Questions an Audit Committee Member Should Ask the Internal Audit Director
1. Why is the information you provide us not as valuable as what we receive from the external auditor?
Audit committee members and charters are often skewed toward external audit. Internal audit must better articulate its value to the organization — especially given the growing number of nonfinancial risks threatening organizations — and then deliver that value.
Comments. Audit committee members and charters are often skewed toward external audit. Internal audit must better articulate its value to the organization — especially given the growing number of nonfinancial risks threatening organizations — and then deliver that value.
2. Why do you send us so much written information?
Comments. Audit committee members who are overwhelmed with voluminous written audit reports may overlook or ignore critical information. Internal auditors must consider the quality, frequency, and method of communications, and leverage the benefits of building relationships and communicating in person.
3. What is the full picture you are trying to paint for us? You are not connecting the dots.
Comments. By training, internal auditors take an enterprise-wide perspective to their work, but audit committee members may sometimes prefer a simple, direct picture. Phrases like “This is important because…” and “The consequences of this might be…” can help make the message clear.
4. We see the importance of internal audit focusing on more than just financial controls. Do you have the skills to do so?
Comments. An audit committee’s interest in internal audit expanding beyond financial controls is a great thing for the profession and CAEs must not squander the opportunity. They should assess their staff’s strengths and weaknesses and take steps (e.g., training, new hires, co-sourcing, outsourcing) to raise staff competencies to meet the committee’s expectations.
5. Is this your opinion, or are you simply a mouthpiece for management?
Comments. Boards and other governing bodies receive a lot of information directly from management and may become suspicious if internal auditors consistently repeat the same messages. Internal auditors must remember their responsibility to provide an informed and independent assessment not just on organizational risks, but also on the quality and completeness of information provided by management.