The Evolving Role of Internal Auditors

Houston IIA Annual Conference

I recently attended the Houston IIA Annual Conference. Conferences are a great way to learn what’s new in our industry or profession, new ideas that our peers have implemented, and new technology that is going to make us more efficient and effective (or at least that’s what the vendor said). It is easy to leave a conference with a wealth of information that sits on the shelf once we get back the office and returns zero value for the time and cost of the conference we just attended. To ensure I receive some value from each conference I attend, I focus on identifying 2 – 3 “take-a-ways” that I believe will benefit me, my team or my business. I have found trying to implement much more than 2 or 3 “take-a-ways” is unrealistic based on the many other responsibilities, projects, tasks, etc. my job requires on a daily basis.

In this newsletter, I will share with you some of the insights I gained from one of the keynote speakers at this conference. I hope you will find a”take-a-way” or two from these insights.

Liz Meyers, CPA, Lead Instructor

The Evolving Role of Internal Auditors

Janet Clark, Executive Vice President and Chief Financial Officer at Marathon Oil, provided many great insights during her keynote speech: The Evolving Role of Internal Auditors. The following are the highlights I took from her presentation:

Internal auditors must understand the need to strike a balance between good controls and perfect controls.

This ties back to the “value” discussions we cover in Risk Based Integrated AuditingTM (RBIA). Internal auditors frequently recommend controls that could prevent risks without consideration of the cost/benefit of the recommended control. For example does it make sense to implement a control to send back an expense report that is off by $1.50 when it costs $5.00 to rework it?

Focus on how the company can be more resilient after devastating (black swan) events in order to survive.

By definition, a black swan event is beyond our realm of regular expectations1, such as the recent Japanese earthquake, tsunami and nuclear disaster; therefore it would be impossible for us to develop controls that could address the risks that we don’t know that we don’t know. Having discussions about black swan events with audit customers and identifying options that can make the company more flexible (e.g., addressing single points of failure) can make the difference in an organization’s survival or collapse.

Internal auditors must recognize and utilize the business owners’ (i.e., executives and business/ process/project managers) knowledge of their business, their processes and where the weaknesses (risks) exist.

This is a basic tenet of RBIA and why we believe in the 2-Step Risk Assessment. Step 1, the Business Function Audit Executive does a high level risk assessment with their audit customer to identify key risks, and Step 2, a more detailed risk assessment is conducted with the audit team. Additionally, understanding and assessing how executives and managers know that their controls over these risks are working and if the controls stopped working is a key focus of RBIA.

Internal auditors need to learn fundamentals of the business, like an owner. They should strive to understand the broader aspects of business and industry. Some ways to do this include reading trade journals and listening to quarterly earnings release meetings.

To truly add value to the business, internal auditors must understand their organization and industry. They must continue to educate themselves in areas that matter most to their organization.

1 The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007, defines a black swan event asone that is rare, has extreme impact, and retrospective (though not prospective) predictability.

“To know that we know what we know,

and to know that

we do not know, what we do not know,

that is true knowledge.”


Link to original newsletter article