Prologue
To understand contemporary issues, it is necessary first to look back
If we wish to adequately understand contemporary issues, it is necessary to look back at historical developments and to review the way the currently existing situation emerged. It seems appropriate that we follow that approach also for understanding internal auditing more broadly.
Organisations differ from one another and therefore internal audit functions are varied. Each situation involves a response to its own environment in a distinctive manner. Nevertheless, it is still useful to review the past to assist in understanding the present and for predicting what may lie ahead for internal audit.
Internal audit as a function of an organisation emerges
It has been long road for internal audit to develop into value adding function.
Year 1941 marks as the major turning point when the Institute of Internal
Auditors was established, and Victor Z. Brink authored the first book on
internal auditing published internationally.
In 1941 usually several internal auditing departments existed in a single
organisation, but they existed only in a small proportion of the organisations.
These internal audit departments concentrated on compliance with lower-level accounting and operational
procedures, protection of assets, and detection of fraud.
There was however already at that time an increasing awareness of the growing size and complexity of all kinds of operations by business, government, and other types of organisations. The external auditor was in parallel becoming increasingly concerned with those same problems, and especially how they incorporated to the responsibilities of that profession. In simple terms there was a growing recognition that internal auditing departments could make an important contribution to coping with complexities that any organization faces.
From internal observer to some value adding operational internal auditor role
During 1950s and 1960s internal auditors was seen merely as internal observers who did not have material value added to the organization. The main function of the internal audit was to assess the correctness of transactions and to help organisation to perform tasks as efficiently as possible. Internal auditors were expected to work under supervision of external auditors and to facilitate them to perform their audit as efficiently as possible.
Moving into 1970s and 1980s, internal audit function was seen to add some value to organisations. Internal audit was mostly focused on operational audits. Internal audit function was about ensuring that controls and processes are in place and working, as well as identifying weaknesses in systems.
Adding value via risk-based audit approach and industry specialisation
In 1990s internal audit was seen to generate clear value to an organisation. Internal audits were performed risk-based and activities were directed into major risks of organization, which internal audit strived to give recommendations to mitigate risk occurrence and impact. It was well-understood already then that internal auditors worked in several areas such as compliance, transaction cycles, investigating fraud and other irregularities and other assurance and consulting activities. Internal auditors performed a combination of financial reviews and audits, operational reviews and audits, management audits, and compliance audits. They also made extensive use of sophisticated technology applications in carrying out audits.
Gradually, internal auditors began to develop "industry specialisation" in terms of their domain knowledge of specific industries such as health care, oil, financial services and government. Internal auditors started to have also diverse backgrounds, including a large proportion of them having non-accounting majors. At the same time women gained prominence within the profession and became much more internationally oriented. In many cases, internal auditing became rather opportunistic, and internal auditors began to participate in and contribute to "special projects" via role of risk officers, ethics officers, or compliance officers depending on each situation.
Where we are today - value adding partners to board of directors and executive leaders
In the past 20 years, internal audit has developed into proactive direction. In parallel, internal audit is expected to generate services to an organisation and to assess and advance organisational management and implementation of values and ethics. Internal auditors have become partners to board of directors and executive leaders, helping them in decision making and in achieving the organisation´s objectives.
After the financial crisis in 2008 data analytics emerged increasingly also to internal audits. The ongoing fourth industrial revolution can be seen to set new requirements to internal audit development. I believe that the ability to adapt and keep pace with changes in the external environment is necessary for internal audit to remain relevant. In order to be successful, internal audit needs the support of the executive leaders for performing its enlarged role and mandate.
In the past twenty years there has been a lot of discussion about the purpose of internal audit and its de facto role within an organisation. The role became more significant and thus got more interest from the senior leadership - to its activities, know-how and resources. Internal audit functions were established among others to ensure business process effectiveness, risk identification and assessment as well as financial information reliability and securing its assets.
In my view internal audit is expected to demonstrate agility. Any internal auditor is expected to showcase digital skills and understanding of IT and cyber security matters. Developing and ever changing environment creates simultaneously opportunities and challenges to internal audit. The changed and developed role of internal audit function means that changes are needed also in internal audit processes and methodologies, and in the skill-set and qualities of a good internal auditor.
I believe that while the expectations of the skills and qualities of an internal auditor increase, internal auditors need to reflect and assess their current profile against this backdrop, and dare to admit if there are gaps in competence and know-how which are needed to audit successfully complex business areas and environments. Only when resources and know-how is allocated properly is the internal audit even theoretically able to generate value to each organisation. It goes without saying that this may create pressure for internal audit function in its daily operations.
Having said that, it is at the same time important and perhaps relieving to remember that the core function of the internal audit remains the same as in 1941: produce assessment, assurance and consultancy services to the organisation. From value added perspective it is thus important that internal audit function understands in each situation to select the right approach and service that generates the most value to the organisation.
Next blog will be published at the end of January.
Sources:
Victor Z. Brink, Internal Auditing: A Historical Perspective and Future Directions
Sridhar Ramamoorti, Internal Auditing, History, Evolution and Prospects
Daniela Petrascu, Internal Audit: defining, objectives, functions and stages