Internal Audit: The 2011 AgendaNow is Time to Step up in Risk Management
This is the theme hammered home by Richard Chambers, president of the Institute of Internal Auditors. In an exclusive interview, Chambers discusses the internal audit agenda for 2011.
"Internal auditors have almost an inherent understanding of key risks to the company," Chambers says. "As companies, boards and managers are under greater pressure to demonstrate their acumen in managing risk, a lot of them are turning to internal audit."
Looking ahead to the New Year for internal auditors, Chambers discusses:
- Staffing and budgeting trends;
- How auditors can better align with senior management's priorities;
- Internal audit's biggest opportunity to add value to the organization.
Chambers began his career in 1976 with the U.S. General Accounting Office, where he first became an internal auditor. He firmly established himself in government internal auditing and was named Worldwide Director of Internal Review for the United States Army in 1993. He later served as Deputy Inspector General for the United States Postal Service and Inspector General for The Tennessee Valley Authority. In 2001, Chambers joined The IIA staff as vice president, Learning Center. After a brief tenure as "acting president," he left The IIA in 2004 to join PricewaterhouseCoopers, where he most recently served as national practice leader, Internal Audit Advisory Services.
Throughout his career, Chambers has served on numerous boards and panels, including the U.S. President's Council on Integrity and Efficiency, the City of Orlando Florida Audit Board, and The IIA's Internal Audit Standards Board. He has served in various leadership roles at The IIA since 1994.
TOM FIELD:Now the last time we spoke, we spoke about how internal auditing was adapting to organizations' changing needs, particularly through the financial crisis. What do you see as having been the most significant impacts the recession has had on the practice of internal auditing here in 2010?
RICHARD CHAMBERS: Well, you know my view is that this profession has always been one that evolves and changes and adapts to meet stakeholder needs and expectations, and certainly those needs and expectations have been very much on the move in the last two years. I think any time an organization or a company is under a lot of pressure in terms of the bottom line, there are plenty of ways an internal audit can step up and add value. We've seen that again in this latest recession.
One of the ways that I would say internal audit has really helped is in helping companies to identify ways to shore up the bottom line, particularly in terms of cost reduction and containment. You know my experience having been in internal auditing for most of my adult life is that I've seen us go through a few recessions. I've seen organizations go through tough times, and there is really no one better positioned in the company to help senior management identify cost savings and efficiencies that the internal auditors because they are out there in the company everyday. And we've seen a significant upturn in the last two years by internal audit looking at ways that a company can reduce costs and contain expenses.
Staffing, Budgeting TrendsFIELD: So, 2011 is the year when we enter the post-recession and the recovery mode. What are your projections for staffing and budgeting for the year in internal audit?
CHAMBERS: We've surveyed on this a couple of times this year. One of the things that I would say that we have noted is that winter 2009 seemed to be clearly the worst year in terms of the impact on internal audit resources. Fully a third of Fortune 500 internal audit departments in the US saw their budget slashed, their budgets and staffs reduced in 2009. 2010 has been definitely better, but we've still seen as many as 20 percent have had further reductions this year. What we're looking at next year, though, is a much more stable level. So if I look at budgets for next year, within the US, about 16 percent still say they're going to have further reductions in the budgets next year. About 50 percent envision that their budgets are going to be stable, and about a third say that they'll actually have larger budgets as 2011 unfolds.
Those numbers are slightly less in terms of the decreases for staffing. Only 12 percent are looking at further staffing reductions next year. That would be fully a third, only about a third of the number that saw reductions in 2009. Meanwhile, about 60 percent are looking to be stable, and about 30 percent actually thinking they are going to have increase staffing levels in 2011. So, those are encouraging signs for a number of reasons.
Risk ManagementFIELD: It sounds like we are still looking at a situation with this somewhat constrained resources and certainly heightened expectations; is that fair to say?
CHAMBERS: I think so. You know, your earlier question honed in on one specific area where internal audit has jumped in and added a lot of value in the last two years, but there certainly are far more ways that internal audits have done so than the expense reduction and cost containment. Where I think internal audit is really starting to make a contribution, and I really anticipate that it will be an important part of internal audit's role in the short-term, is in helping their organizations get their arms around risk management. Internal auditors have almost an inherent understanding of key risks in the company. We've had audit standards in place now for almost a decade. They mandated that internal auditors would undertake an annual risk assessment. So, as companies are under greater pressure, and the boards and management are under greater pressure to demonstrate their acumen in managing risks, a lot of them are turning to internal audit to get some support and some coaching on how you go through a process of assessing those risks and what a sound risk management structure looks like.
FIELD: Well, that is a good topic -- risk management -- and the follow up for me is: How can an internal auditor ensure that he or she is aligning these risk management roles with the priorities that the senior management and the board hold?
CHAMBERS: Well I say again: I think what we're seeing here is undoubtedly the legacy of this last recession. But one of the legacies that I think is going to be left from the financial failures that put us into this recession was just an overall failure of risk management. Certainly, in the key sectors such as financial services. So as regulators and in some cases legislatures and others are imposing new requirements for boards and management to demonstrate greater acumen and risk management, they're looking at how to effectively undertake that. In some cases, they are turning to the Chief Audit Executive, the head of internal audit, and actually asking them to take on that sort of second hat at least on a temporary basis. And we do think if the internal audit function does support the risk management function in a way, sort of as the chief risk officer in the case of the chief audit executive, that should be a temporary role.
But I think one of the ways that internal audit stays aligned is by having a keen understanding of what management is doing, being there as an advisor in terms of what an effective risk management program looks like. But I think in the long run where internal audit adds the most value is in terms of providing assurance to both the senior management and the board about how effectively risks are being managed. You know, if you ask senior management, I think they are always going to have -- and I think all of us would have a natural inclination to say "Hey, we've got our arms around it, and we know what the risks are." But I would say that the boards will be given some additional comfort by also having the internal audit function provide them some assurance that they've looked at the way risks are being managed and that they would concur with management's assessment in the terms of overall effectiveness of risk management.
The Risks AheadFIELD: Richard, two-part question for you, and the first part is about risk management. What are some of the risks ahead that internal auditors should be looking at?
Well, certainly I think any time you're in a kind of heightened regulatory environment such as the one we're in, where we're getting a lot of very comprehensive legislation, certainly the affordable healthcare act comes to mind, some of the other financial services-related regulations and legislation. Those obviously present key risks to the organization. My sense in looking at some of the survey results and talking to chief audit executives is that a number of them recognize that is a key risk. I think it's important too for internal audit to stop taking just sort of this traditional view of risks. I mean, traditionally internal audit has focused primarily on financial risks, compliance risks and in some cases operational risks. But what I think we're really going to have to be willing to enable to focus on going forward are not only those kind of those core risks that we've traditionally focused on, but in addition I think we're going to have to be willing to look at strategic and business risks. Certainly, and the research that has been done would indicate that strategic and business risks can be far more lethal to a company than even a mistake in financial reporting or compliance. These strategic and business risks can often take a company down very rapidly. So for internal audit to really be aligned where shareholder value is, I think they're also going to have to be willing to address these strategic and business risks when they rise to the level of coverage.
FIELD: Second part of the question, Richard is, in terms of other opportunities outside of risk, what are some of the unrealized opportunities for internal audit?
CHAMBERS: One of the unrealized opportunities is sort of broadening what I call the portfolio of services. So, an internal audit function, if you look at the fundamental definition of internal audit that the IIA has been promulgating now for more than a decade, it is that internal auditors provide value by providing both assurance and consulting services. I think in the late 90's a lot of internal audit departments were starting to step up and provide -- some people are uncomfortable with the term "consulting," so let's substitute the word "advisory." A lot of internal audit groups were stepping up and providing advisory services, and I think we got away from that in the last decade, certainly following the Enron, WorldCom and other kind of implosion scandals. There was a reluctance to see auditors providing consulting or advisory kind of support for management.
Management needs to have the internal audit advice in some instances while they're implementing changes, because there is nothing more frustrating or less value-add than having the auditor sit on the sidelines until a new system is designed and implemented and then come in and tell you that you did it wrong or that there are some key mistakes or key control errors. I think we have to be willing in the right circumstances and with the right safeguards, as internal audit professionals, to wear an advisory hat and provide advice as these changes are being designed and implemented.
FIELD: A final question for you. As you look toward 2011, if you could boil it down, where do you see the biggest opportunity for internal audit to add value to organizations?
CHAMBERS: I think it is still going to be a very much issue of staying aligned to those changing stakeholder expectations. There have been a couple of surveys that have been published recently -- one by a big four accounting firm in particular -- where stakeholders have sort of begun to express a little bit of impatience with the rate of change by their internal auditors. I don't think we're looking at an epidemic here, but I think as internal auditors we've got to recognize that our stakeholder expectations are constantly evolving. They'll constantly be changing, and the most effective way for us to address those expectations is to be able to identify when they're changing and when appropriate, we need to be adapting accordingly.
So, 2011 for me is still yet one more year in this transformational stage we're going through. It started in 2008, and I saw the coverage start to shift away from the financial control work of the mid 2000's, and it has continue through 2009, through 2010, and I expect it continue again even next year. Because as we now move into a recovery phase, hopefully coming out of this recession, the kinds of risks that organizations face won't go away. They will just change.