"Follow the Risk" - Tips from Richard Chambers, President of the Institute of Internal Auditors
In an exclusive interview, Chambers discusses:
Chambers began his career in 1976 with the U.S. General Accounting Office, where he first became an internal auditor. He firmly established himself in government internal auditing and was named Worldwide Director of Internal Review for the United States Army in 1993. He later served as Deputy Inspector General for the United States Postal Service and Inspector General for The Tennessee Valley Authority. In 2001, Chambers joined The IIA staff as vice president, Learning Center. After a brief tenure as "acting president," he left The IIA in 2004 to join PricewaterhouseCoopers, where he most recently served as national practice leader, Internal Audit Advisory Services.
Throughout his career, Chambers has served on numerous boards and panels, including the U.S. President's Council on Integrity and Efficiency, the City of Orlando Florida Audit Board, and The IIA's Internal Audit Standards Board. He has served in various leadership roles at The IIA since 1994.
TOM FIELD: How have internal auditors maneuvered through the financial crisis? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today about internal audit, and we are fortunate to be talking with Richard Chambers, the President of the Institute of Internal Auditors.
Richard, thanks so much for joining me.
RICHARD CHAMBERS: Thanks, it is good to be here.
FIELD: Richard, before we get started here, maybe you could just tell us a little bit about yourself and your role with the IIA?
CHAMBERS: Well again, I am the President and CEO of the global Institute of Internal Auditors. We are an organization with 170,000 members in 165 countries. We provide guidance and standards and certification programs for internal auditors around the world. I have the responsibility here at the global headquarters of overseeing both the operations of our global institute as well as the operations to support North American members, which comprise of about half of our total membership.
FIELD: Very good. Now we don't need to talk to our audience about the financial crisis -- they certainly have lived through it -- but what I would be interested in hearing from you is how, if at all, organizations have changed their approach to oversight and governance in light of the crisis?
CHAMBERS: Well, that is a very good question, and obviously anytime you endure a crisis, I think it was Kierkegaard who observed that all change is preceded by crisis, and so certainly we are undergoing another one of those post-crisis periods of change in internal audit, and other oversight functions are no different.
I would say that perhaps in terms of internal audit, the thing that is characterized and changed in the last two years the most is a return to a more diversified coverage of risks in organizations. In the past decade, there was a period certainly following the last round of corporate failures where internal auditors were being channeled very specifically into looking at financial risks and the risks of financial misstatements in the financial system.
So what we have seen over the last two years, particularly in the wake of the crisis, is that internal auditors are now being used to look at a broad range of risks -- not just financial risks, but also operational risks, business and strategic risks, compliance risks, technology risks. I think from that standpoint that is the most compelling evidence of change from my experience.
FIELD: Well, that is interesting then, Richard. How would you say then that the actual role of the internal auditor has changed in recent years in light of this realignment?
CHAMBERS: Well, you know I think we have gone through, over the past decade, a period of exciting change in the profession. We went through the sort of the post-Sarbanes-Oxley era here in the U.S., in particular where our stature as elements of corporate governments and corporate systems of oversight and compliance, the stature of internal audit rose dramatically. The number of internal audit executives who reported that the audit committee almost doubled in the past decade. So I think we saw a very strong surge in internal audits place in the organization.
Now in the past couple of years I think we have complemented the work that we were doing in financial controls by starting to demonstrate for those same stakeholders, particularly audit committees, how we can add value in a range of other areas. Certainly, as you get into the depths of a recession like our country has been in, you will start to find companies who are under a great deal of pressure in terms of the bottom line.
Internal audit is naturally positioned as a resource to help companies identify ways to shore up the bottom line, cut costs, reduce expenses. And so I think that has been one of the ways that an internal audit has really sort of returned to its roots and added some great value in the past two years.
FIELD: You know I come back to a point that you made a few minutes go when you were talking about the response to the previous crisis. We are, as a nation, good at pointing fingers and casting blame, and we have talked about what regulatory agencies could have or should have done to avoid the current crisis. What, if anything, do you think internal auditors could have done to maybe not prevent the crisis, but prevent us maybe from getting to the level of crisis that we did?
CHAMBERS: Well, I think that is a good question. I mean, I think there are always questions after any crisis or after any round of corporate failures as to where were 'you name it' and there have been questions that have been raised about where were their internal auditors. I think perhaps if I were to look very candidly at the internal audit profession, we have to resist the temptation to sort of assume that the next risks will look like the last ones.
I think to a certain extent a lot of us were very heavily engaged, as we probably should have been to a certain extent, at looking at the risks of financial fraud or financial misstatements in the wake of the Enron/WorldCom era. And at the same time we were doing that, of course the real risks that companies were facing was sort of an increased recklessness around risk management itself.
And so what I am hoping that will come out of this for our profession is a lesson that we can't take our eye off of this whole concept of enterprise risk, and that if we focus on just one slice of it, like financial risks, we sort of do so at our peril and at the peril of our company. I certainly don't believe that internal auditors would have been positioned to help prevent the crisis, but there might have been cases where they could have alerted their boards or alerted their audit committees to the fact that management didn't have a very effective risk management practice in place, and in those cases they could have helped those particular companies navigate through this crisis a little better.
FIELD: Richard, I would like to ask you specifically about the recent additional SEC requirements for proxy rule disclosures. How do you think that internal auditors here can better influence risk management in governance under these requirements?
CHAMBERS: Well, we actually responded very, very quickly, and I think favorably to the fact that these new rules were being put in place. We have commented to our members about the fact that we see this as another extraordinary opportunity for internal audit to step up the way it demonstrates value. So, clearly the SEC proxy disclosure requirements, along with a number of other regulatory and legislative initiative that are sort of percolating out there, I think the common thread among them is to increase the pressure on boards to demonstrate their role and oversight risk management.
And so as boards come under greater pressure to demonstrate that role, I think there is an opportunity for internal audit to step up -- because it does serve the boards -- to step up and say for the boards, look, we can help provide you some assurance about how effectively risks are being managed in the company, because certainly management is well intentioned and in almost every case would tell the board yes, we have got our arms around risk management.
I think having an objective, and in some respects an independent voice to reassure the board about how effectively those risks are managed -- I think that is in the spirit of which these disclosure requirements are crafted.
FIELD: Now, Richard, I am hoping you can help us get inside chief audit executives heads maybe; what would you say their perspectives are going forward? Are things getting better in their organizations or is there still a ways to go before things can return to what we might consider normal?
CHAMBERS: Well, that is another good question. I mean obviously you know if you use the analogy that the crisis is like a storm, I think that we are on the backside of the storm, but I think that it remains to be seen just how much longer it is going to play out. I don't think that most companies would consider themselves to have recovered by any means.
I think internal audit would be in the same position as any other corporate operation. I think chief audit executives heave really begun to appreciate what the opportunity is for them to add value so we certainly seeing them shift the coverage of internal audit.
So to sum up I think that chief audit executives are on point here to watch for where the economy is going to take us, and what new regulative and legislative changes are going to come to play.
FIELD: One more question about the chief audit executives. What changes would you say that they have made, and where do you see them focusing their attention most here in 2010?
CHAMBERS: Well, as we have continued to try to keep our finger on the pulse on what internal audit's focus has been over the last year, and we actually asked the question two different times last year in a broad-based survey, and the last time that we asked the question we continued to see that there was an expectation that there would be greater coverage around operating risks, around compliance risks, around the assessment of the effectiveness of the risk management. Those were areas where internal audit executives or chief audit executives said that they expected to see greater emphasis in the coming year.
We are getting ready to update that survey again in the next couple of weeks, so I suspect a month from now we will have an even better picture for what 2010 brings. But right now, I would say that 2010 is shaping up to bring some of the same change as it did a year ago.
One thing that I am noticing that is a marked difference from a year ago, however, is that chief audit executives are starting to reinvest in professional development for their staffs. We are seeing an extraordinary attendance at some of our conferences and some of our other training events, and that is a good sign. It tells me that they are starting to look forward and identify kind of the leading trends and best practices that they can emulate in their own departments.
FIELD: You know, that is interesting because that corresponds to what we have seen in our own research in looking at information security and risk management is that professionals and organizations alike are investing in this, and organizations, contrary to what some people might think, are very much footing the bill for this.
CHAMBERS: Well, you are right. I think we are still going through this kind of metamorphosis, if you will. I think it will be interesting to see how the next year plays out, but I am very optimistic about the short and long-term future of our profession. I think we are continuing on kind of a growth trajectory in terms of how we provide support and how we serve as stakeholders of internal audit organizations around the world.
FIELD: Richard, I know you are going out on the road and you are going to have some speaking engagements, so I am curious as to what your message is to organizations. How could they maximize the value of their internal audit activity?
CHAMBERS: Well, you know when I think about what is the secret to success, and you know I have been an internal audit professional for almost 35 years ... I have seen organizations in almost every sector and almost in every place on the maturity curve, if you will, and I think the one thing that characterizes the most successful internal audit departments are two things.
Number one is that they are aligned with the needs and expectations of their stakeholders. An internal audit department that sort of stops checking the pulse of what its stakeholders needs are, (that is, when I talk about stakeholders I am talking about boards audit committees, senior executive management of the organization), when you stop checking on that you will find that it won't take long before you are out of alignment. So the one thing that I would say is you have got to stay in alignment with those needs and expectations.
And the other thing is that if you are really for where and how an internal audit department can add the most value, I just have three words: Follow the risk. If you, as an internal audit department, are constantly monitoring where the risks are in your company and you are focusing your internal audit efforts closely to those risks, I think you are going to generate value almost every time.
FIELD: Now, how about the message to internal auditors themselves? What can they be doing to ensure that they are providing the most benefit to their organizations?
CHAMBERS: Well, I think that if I talk to sort of the rank and file internal audit professionals, the one thing that I am always advising them is to keep tabs on what it is that will enable them to become even more proficient in providing internal audit support.
As we have seen a number of studies done about what the future of the profession looks like, the one thing, for example, that jumps off the charts is that the profession has got to become and continue to become more proficient in leveraging technology and the way it conducts its work; data mining and analysis. As we continue to become such a data rich society, the ability to mine untold amounts of data and determine where key trends are or key anomalies. These are the things that internal audit professionals need to be able to do. And I would tell you that a lot of them still lack those skills.
So I just advise internal audit professionals to define a personal strategy and invest in your own personal development.
FIELD: Richard, one last question for you. As we know, the tone starts at the top, so if you could sum it up what would be your message to chief audit executives, their executive management and their boards of directors?
CHAMBERS: Well, if I start with the board, I guess my advice would be to take seriously the new pressures that are being imposed on them. There is clearly a sense that boards didn't do everything that they could have done in terms of monitoring risk management in their companies, and calling out management practices that were incurring unacceptable levels of risks.
For management, I would encourage management to recognize that while they have an important role to play in managing the risks of the company, that there is an oversight function that the board has to play, particularly when you are talking about setting the appetite for risk.
And then finally for internal auditors and for chief audit executives, I think we have to recognize that we can play a much greater role in helping to provide that assurance that our boards and management are going to need about how effectively risks are being managed.
So I think the real lesson learned out of the current financial crisis is that if you don't manage your risks, you are incurring an extraordinary level of risk in its own right. Because then you don't know where you are driving; you don't know if you are going off into the dark or what might be around the next curve.
FIELD: Well said. Richard, I appreciate your time and your insight today.
CHAMBERS: Very good, I enjoyed talking with you. Thank you.
FIELD: The topic has been internal audit. We have been talking with Richard Chambers, President of the Institute of Internal Auditors.
For Information Security Media Group, I'm Tom Field. Thank you very much.