- 6 month contract - Internal Audit
- Audit Team Lead – Compliance & Legal – IB
- Senior IT Auditor - Insurance
- Outsourcing – The Third Party Control Framework
- The Bribery Act 2010 & Business Ethics
- IT Audit for Non-It Auditors
- “Be prepared” - Business Continuity Essentials
- Fraud Prevention & Detection: Taking a Risk-Based Approach
- Home >
The Evolution of Internal AuditDate: 17/05/2010 Author: Sandro Boeri
Let me take you on an historical journey describing how our profession has evolved during the last thirty years.
To do so one needs to start with a story about my first internal auditing experience.
As part of a review of the fixed assets register, I was asked to go and verify that the valuable paintings on the 22nd floor of the bank employing me were where they were supposed to be.
Being eager to please I rushed upstairs and knocked on the thick wooden door marked “Room No.1” on the photocopy extract in my possession. There was no answer so I knocked again, this time much more loudly. I heard a gruff “ Come In” and entered the room.
I saw a long wooden table with about twenty old looking gentlemen seated around the table. At the top, was seated a very old looking man who asked me what I wanted.
I explained that I was from internal audit and that I had come to check the paintings.
Despite his rather astonished look, I proceeded to walk around the room ticking off each portrait as I found it. When I reached the end of the room and the door I gave the old man a thumbs up and confirmed with a relieved smile that I had found all of the paintings.
I proceeded to explain to my boss, the Head of Internal Audit. He turned a funny colour and then explained to me what a board meeting was.
Never mind. One has to learn sometime. What I found very positive was the fact that all assets had been found. This was the key purpose behind this audit.
What happens if I did not locate the assets? I would obviously be providing a service to my organisation and pointing out that assets had gone missing. But was this enough?
This answer is clearly no. A more valuable service that could be provided was to review the quality of the controls that would prevent the assets from disappearing in the first place.
Controls auditing was born!!
An army of internal auditors began to look for theoretical preventative controls and began to test that the controls were operating effectively. In the case of fixed assets, security arrangements would be examined as well as key chains to rooms containing valuable assets. A much more useful service focusing on “preventing the horse from bolting”!
The story goes on however.
Questions began to be asked as to whether internal auditors were really focused on the issues that fundamentally mattered to their organisations. Did it really matter if all of the portraits went missing?
In materiality terms, the answer is obviously no. Large corporations can obviously afford to lose the odd few million dollars.
Internal auditors started to focus on the risks that really mattered. This saw the birth of risk-based internal auditing. The community started to focus on the key business risks and started examining the related controls designed to prevent these risks from crystallising into losses.
All of a sudden, internal audit departments used to undertaking “tick and bash” reviews of unimportant topics focused on the essential business risks their employers were running.
In financial institutions, this meant looking at the important market, credit and operational risks and restricting one’s auditing work to areas where the theoretical amounts at risk were in excess of a materiality threshold agreed with Audit Committee.
In some organisations, internal audit departments increased their sophistication and focused on the impact as well as the probability of a risk materialising.
This re-positioning of the internal audit function brought the department into contact with top management and, as a result, top-level politics. This led to a major re-skilling exercise as the composition of departments changed to reflect this newly-found influence.
The story does not stop there!
The profession considered its position and felt that focusing on risks and losses was a very negative way of looking at life.
A more positive outlook was born.
The internal audit department started to look at an organisation’s key business objectives and started examining the key controls that assist a company in meeting these objectives.
This led to audit getting involved in major change initiatives using various project audit methodologies. It led to audit becoming integral to the running of an organisation.
Lets congratulate ourselves as summarise our remarkable evolution:-
Tick & Bash ---Controls Audit ----- Risk-Based Auditing ---- Business Obj Auditing