10 Years at the Heart of Internal Audit

10 Years of IAC! How has the world of Internal Audit changed?

IAC has now been at the heart of Internal Audit recruitment for 10 years! As we have grown we have expanded across the Corporate Governance disciplines, but Internal Audit remains a deep focus for our team.

This exciting 10 year landmark has got me thinking about how Internal Audit has evolved over that time.

I’ll start with the positive changes I have seen.

When we started IAC we were still dealing with the huge after effects of the financial crisis. One aspect of which was the awareness that business culture had been a big impact on the behaviours that led to the worst aspects of the crisis.

Therefore, there was a very intense conversation ongoing regarding ‘culture audits’, should they be done, could they be done? Did Internal Audit teams have the right skills to do audits such as these?

Fast forward 10 years we can say that in some teams they have been done, and in some places, they are having a real value add impact.

To add to this, we have seen the development of audits covering diversity and inclusion, and sustainability and the increasing importance of data security, cyber security and a general awareness that the risk landscape upon which the audit universe is built has changed substantively.

We have also seen the start of a serious conversation about diversity and inclusion within the profession itself. There have been the beginnings of a recognition that there is a need to be more flexible and reduce travel as a way of creating more opportunities for parents. Both men and women are less fond of travelling when they become a parent, and this can impact progression and diversity in the profession. Covid and global lockdowns have of course accelerated this conversation.

The impact of technology was being discussed on a daily basis back in 2011, and still is… However, despite many of the more ambitious predictions on audit automation yet to come to pass there is increasing prevalence of data analytics, continuous monitoring of controls, and some automation of more basic control testing.  

We have also seen increasing regulation across many areas and a form of UK SOX is looking increasingly likely day by day. This has led to an increasing awareness of the importance and value of Internal Audit and associated roles, and we have seen an increasing likelihood that those starting their careers see IA as a good career path.

However, as ever, challenges remain.

Financial controls still rule the internal audit world.

When you consider that a risk based internal audit function is by definition looking at the processes and controls that mitigate the risks to the business as a whole, it begged the question 10 years ago and still begs the question, why are most internal auditors still spending so much of their time on financial controls? Is that really the key risk to business?

And when it demonstrably is the key risk to the business this is more often due to fraud, or a toxic culture that allows for ‘creative use’ of grey areas and loopholes in accounting rules. Within a culture such as that it is highly unlikely that an Internal Audit team is going to make much headway.

That was the case 10 years ago and remains the case today.

If we consider the broad set of risks that can seriously damage an organisation, we would include, on top of financial controls, the likes of reputational risk, cyber risk, fraud, culture, staff retention, supply chain, climate change, etc.

The next question you might then ask is what skills do I require to provide assurance against these risks?

The answer we are given by 90% of the FTSE100 / 250 is a Big 4 trained ACA. I would ask that we again review the list of risks, and consider does the skill set of a Big 4 trained ACA provide the skills necessary? I would suggest that self-evidently it does not.

I am not by any means suggesting that Big 4 ACA’s should not be a part of a highly skilled Internal Audit team, rather that they should be a minority of a broad based, multiskilled, multi specialism team, focussed on delivering assurance to the board across the key risks to the business.

There remains the key challenge, that a more broadly skilled IA team requires more investment. That investment is signed off by the CFO, and they will generally be loathe to do that unless they can understand the value, which brings up back to why most IA teams are focussed on financial risks…

I remember discussing this issue many years before IAC started and the issue appears to be exactly the same today.

In conclusion, the last ten years has seen big steps forward for IA and a real change in the risk landscape. Much of which has raised the profile and value of IA. However, some of the historic challenges remain, and these challenges continue to hold IA, and many organisations, back from achieving all they could be.

Nevertheless, the profession continues to be populated by hard working, driven, determined, high calibre people who are sincerely trying to make a difference. It is a privilege to work with them all, and we are looking forward to the next decade of IAC!

Please contact me anytime if you would like any help or if you would like to challenge any of the points I have raised!