as so important that they’ve taken it upon themselves to get the
process started in their organizations and demonstrate to management and the audit committee that it produces positive results.
Then ERM can be moved over to become part of the organizational culture and process. At the end of the day, the ownership
for good risk assessment and good risk management lies with
management, but — as the definition points out — internal
auditing has an oversight role.
James Roth, PHD, CIA, CCSA
President, Audit Trends
Because the revised definition reflected
changes that were already occurring in the profession,
internal auditing would have continued to move in that
direction without it. However, the definition compelled a lot
of risk-averse internal auditors, who don’t want to do anything
unless there is firm grounding for it, to move more meaningfully and aggressively in that direction.
After Enron, I was afraid we would be pushed back 20 years
to testing invoices of accounts payable all day long. Fortunately,
the fallout hasn’t had as much of a negative effect on the definition’s value-added directions as I first feared. Certainly audit
departments are focusing more on financial controls than before,
but that’s because it’s the best way for many departments to add
value right now. Once Sarbanes-Oxley and other regulation-related evaluation processes are
put in place, they will become an
integral part of the business, and
this type of work won’t occupy
nearly as much of our time as it
On the other hand, the general
movement of finding ways to
provide assurance beyond traditional audits — through services
such as control self-assessment,
internal control training programs, and various kinds of assurance-related
consulting — will continue to expand. Audit
committees need assurance with regard to the control environment. And we are in the best position and have the best
tools to give them the information they need to be able to sleep
at night. We are the only group of professionals who are both
part of the organization and independent of it at the same time,
as well as paid to think critically about the organization.
One aspect of the definition that I would probably change now
is the equal weight placed on assurance and consulting. I completely supported that arrangement at the time the definition was
released, because it made a statement that was needed to raise
our stakeholders’ expectations of internal auditing. It also helped
persuade auditors who were too concerned with being independent to move toward providing those types of services.
Although a lot of people in the organization can provide
consulting, internal auditing is the only group that can give
assurance. That has to be the core of what we do — it’s what
we’re there to accomplish. We should always be trying to
improve the business as we perform evaluations, and we should
have some room in our budget for pure consulting projects.
But because assurance and consulting are given equal billing
in the definition, consulting could be interpreted as being
afforded the same priority as assurance work, although I don’t
know that this has been applied in practice.
Hans Spoel, CIA, CCSA, CGAP
Internal Audit Expert – European Commission Audit Progress
Director of Group Audit Services
Alcatel SA, Paris, France
For those audit shops that were providing
advisory or consulting services at the time the new definition came out, I think it legitimized their approaches.
It allowed them to feel more comfortable and to take a more
outspoken position regarding consulting work. But I honestly
don’t think the definition changed the profession in that regard
for auditors who had not migrated beyond operational effectiveness and efficiency. I don’t think it spurred them on to become
more advisory in nature. Audit professionals who continued
to provide traditional audit services did so because of the culture
of the organizations in which their function operated. That wasn’t going to change just because some vision or definition did.
In addition, when the new definition was released, we were
approaching an economic downswing, and in general consulting
wasn’t an option because people were not growing their departments. Once the recent spate of regulations began taking effect,
we were forced into a position of showing management that
we have adequate coverage of the audit universe. For Sarbanes-Oxley, that coverage extends only to controls over financial reporting. But in France, the Loi de Sécurité Financière, the French
equivalent of Sarbanes-Oxley, defines internal control in its broadest concept to include financial reporting, effectiveness and efficiency of operations, and compliance with laws and regulations.
Demonstrating coverage of the full
scope of internal control has
become the heart and soul of my
business. That makes finding time
to devote to advisory services an
even more daunting task.
To many people, including
myself, the definition is more of
a vision statement than a status
statement. It provides an ideal to
which the profession can aspire.
But the closer you are to that
vision, the more unhappy you
might be because of the shift away from advisory services. I
hear a lot of people say that we’re back in the dark ages, which
I see as inappropriate negativism. Our profession goes through
cycles. Although we are a bit further from our vision today
than we might have been when we wrote the new definition, I consider this merely a consequence of the evolution of
business over time. Ultimately, an organization’s board and
senior management determine what types of services add the
JUNE 2004 INTERNAL AUDITOR