Transition:
Internal Audit to Internal Assurance
Slide 1
Welcome to the Tongren & Associates Seminar Series. This seminar is Transition: Internal Audit to Internal Assurance. Please make sure your speakers are on or you are using a headset so you can hear the narration. The text of the narration is available in an accompanying Word document.
I’ve been involved in Internal Audit for many years both as a practicing internal auditor and a consultant, and have taught graduate level courses on management and accounting and information technology. My teaching provided continual exposure to new developments in my fields of expertise, and every day there seemed to be significant changes occurring which demonstrated that many of the business practices we considered “tried and true” had actually been replaced by better alternatives and rather than “tried and true” had become more like ‘tired and past due!” As I developed my consulting practice I began to realize just how out of touch some auditors were with what was going on in the world, especially with changes that were taking place in management theory and practice.
Perhaps since I began my business career in manufacturing management rather than as a financial auditor I brought a perspective to internal audit that was a bit different – well actually very different than internal audit functions that were modeled after public accounting firms. Rather than looking at things as a financial auditor, I looked at them from a business perspective. I have long been an advocate for asking the “What can go wrong?” question during my audits, and had developed an approach where the actual audit plan was not defined until after meeting with the audit client. From discussions with many internal auditors at conferences and seminars I learned some felt this approach was almost disgraceful! They thought that Internal Auditors should do audits as they had been done the year before – and that was that. Anything else would be heresy!
As I thought about starting my own consulting practice I began thinking about Internal Audit from a Business Process Reengineering perspective. If we never had Internal Audit before, if we were asked to design Internal Audit today, what would it look like? What objectives would it have? How would it accomplish its objectives? The first thing I realized was that most internal auditors thought their primary objective was to focus on internal control. Some thought their objective was to report on the status of internal control within the organization – and they did that by testing to see if internal control problems existed. Other Internal Auditors thought their objective was not only to report on current status but also to improve internal control – and they did that by understanding processes well enough to evaluate whether internal controls were in place where they should be and that they worked. And a few internal auditors were going beyond internal control issues to work on management and operational and quality issues. Most internal auditors thought a secondary objective was to ensure the organization was in compliance with laws and regulations and policies and procedures by performing compliance audits.
The most interesting thing to me was that almost all internal auditors thought they should reach their objectives by performing audits. It didn’t matter whether the objective was to evaluate control status, to improve control, or to improve operations – the only way to accomplish the objective was to do an audit. After all, internal auditors were auditors and by definition auditors did audits.
The objective of my research was to develop a more effective model for internal audit resources. Operational Audit had been accepted as a viable activity for internal audit so the objective had already grown beyond a basic financial internal control orientation. Some internal auditors had begun thinking about using risk assessment not only to develop annual audit plans but also to drive individual audits, as in risk based auditing. Yet something was still missing. The most obvious question to me became – “If you want to improve a process why don’t you get the most qualified people you can and focus directly on improving the process? And if you don’t have qualified people why not educate them so they are qualified? Why should Internal Auditors be the only ‘control experts’ in the organization”? And answering those questions is what prompted my development of the CoActive Management Model, the CoActive Control Principles, and CoActive Auditing. And CoActive thinking laid the foundation for Internal Assurance.
Slide 2
Internal Audit has changed over the years, with the last redefinition of Internal Audit by the Institute of Internal Auditors being the most drastic and significant.
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
Very interesting – the new definition says nothing about auditing financial statements, nothing about doing compliance audits, and nothing about even doing audits! Instead it focuses on assurance and consulting activities that will add value to the organization. And rather than a financial orientation, the new definition focuses on risk management, control, and governance processes. The new definition of internal audit provides the foundation for internal auditors to reinvent themselves and their profession – and begin a deliberate transition to Internal Assurance.
Slide 3
“Why do we do Internal Audits?”
That was my lead off question for a seminar I developed for a company that desperately needed to reenergize its internal audit department. The Director of Internal Audit had called me and explained that they were “in a rut” and he didn’t know how to get them out. He felt his auditors were just going through the motions – they were doing audits but didn’t seem interested in what they were doing. The audit findings had become very predictable, and the Director felt his auditors were probably missing some important things. He wanted a session that would wake up his staff, challenge them to dig deeper and reach higher, and become a truly progressive internal audit department. So my opening question was designed to get them thinking.
Well, it didn’t seem that they were very interested in thinking as the room turned very quiet after my question. But, after a pause that seemed like ten minutes or so, one of the senior staff members spoke up. I’ll never forget the exchange that followed. He said:
John D Tongren Page 5 12/18/2007