Description
Internal audit is undergoing a massive transformation. While its role to provide independent,objective assurance and consulting services to organizations in ways that improve their operations has remained constant for decades and remains true today, how this has been accomplished has changed over time.
Since the founding of the Institute of Internal Auditors (IIA) in 1941, the profession has evolved to adapt its personality, purpose, and approach to the changes taking place in the fields of management and organizational behavior. Universities and other academic institutions capitalized on the lessons of the industrial era and developed organization theories that created systems whereby centralization, a defined hierarchy, distinct authority levels and reporting lines, clear rules, and the division of labor were the norm.
Internal audit adapted to this approach and adopted it, so its methodologies were consistent with these theories. Standardization was the norm and organizations implemented rigid guidelines for how they functioned. Consequently, internal auditors did the same and implemented standardized approaches to audit their clients in those organizations. This search for consistency resulted in the proliferation of checklists, standard audit programs, and procedures. In the end, internal auditing evolved in a way that validated the organizations’ hierarchy and structure, its centralization, assignment of rigid authority, discipline, rules, and the division of labor procedures against the standard model. The audit function, then, focused on assessing an organization’s control or operational effectiveness with this standardization and could do so quickly by using checklists, prepared questionnaires, and reviewing the same documents year after year to verify consistency.
There was, and for those who continue to audit this way, a concealed risk. The focus on standardization limited the auditor’s ability to be creative. Creative thinkers were not sought for nor gravitated toward the profession. Using the excuse, and the legitimate need for independence, internal auditors isolated themselves from the businesses they examined and were supposed to support. Some even abstained from making recommendations to improve the weaknesses they identified. This risk became apparent in the 1960s and lasted through the 1980s.
While internal auditors were protecting their independence, the businesses they served were changing due to globalization, technological advancements, relentless competition, and a new social, demographic, and financial landscape. Companies no longer operated using the standard model. Since manufacturing moved to different countries, it was impractical to have a single procurement function with a single manager overseeing all purchasing activities. Since customers were now located around the world, the approval of customer orders could no longer be handled expeditiously and competently by the sales manager. Purchasing and sales decisions were now being made by regional general managers at the countries where these activities took place. Approving and making adjustments to customer accounts, were no longer handled manually and personally by the company’s controller. There was no need to. The local staff could handle that under the supervision of their local management team. The company’s enterprise resource planning (ERP) system provided the necessary separation of duties and limited transaction processing to those authorized.
Many internal auditors missed these changes and were slow to adapt to the changing landscape, instead believing that the world still operated by the standard business model. The result? Many became irrelevant. Some internal auditors still used their standard checklists, asked the same questions, searched for the same documents, and applied the rules of the standard business model. They continued to insist that outdated procedures be followed, like having the sales vice president approve all customer orders and the corporate controller print out the credit memos and sign them.
There was little disagreement about the need for effective internal auditing. Broad consensus existed about the importance of having a strong and reliable internal control environment. Generally, management believed in the importance of having sound internal controls, but did not believe that the internal audit function was making an effective contribution to the company. Boards of directors and their management teams slowly lost confidence in an internal audit function that focused so disproportionately, and inflexibly, on traditional business models that they recommended changes to the business that were clearly out of step with how the company needed to function. The disproportionate focus on compliance led many auditors to focus on what they thought was important to the business and less on what was truly important to the business. Management became disenchanted with auditors who wanted to refrain from making changes, even when the internal and external environments demanded quick and judicious modifications to the business structure and its practices. Beyond the methodology, some managers even wondered why some audits were being performed in the first place