Will internal audit die? Won’t internal audit die? Is this not the wrong question to elicit the nature of the problem faced by internal audit? In some senses the problems IA face are perennial. Certainly, in my time as a national chapter President of IIA in the mid 90s, I confronted many of the same challenges discussed here.
I propose a more useful variant of the original question: Looking back, after the death of internal audit, what will have been the principal cause of its demise?
The reason for the change is more than semantic, it is one of realism: IA will not die not because its tool-kit becomes “commoditized” (although much of it will or should) ; it will not die because it tackles successfully “extravagance, avarice, apathy, ego and incompetence”; instead, it will not die principally because it is regulatorily mandated in most risk-intensive sectors. Where they go, other sectors follow (albeit often at a more leisurely pace). One thing regulators are not known for is imagination; eliminating IA would require imagining an alternative.
The suggested change reframes the question in to one of two sub-questions: either (i) what will have caused the regulatory mandate keeping IA alive to have lapsed, or (ii) in the absence of regulatory fiat, why would executives and non-executives allow IA to die – under what conditions would they no longer regard it as adding sufficient value to maintain it?
Perhaps meditating on these questions would be more revealing.
Some commentators have noted that better IA shops are developing the skills to participate in ERM initiatives. I cannot agree with this. Those skills have yet to be defined sensibly – anywhere. Any such definitions relating to ‘linear’ control approaches such as COSO or ISO standards are very limited in their purview and, as recent research shows, have (deservedly) received only limited acceptance among executives and NEDs.
Ironically, one of the better efforts to define the skill set required was prepared by the late Prof Bill Birkett in the mid 90s as part of the major global Delphi study funded by IIA Inc. that led to the redevelopment of CBOK. Sadly, in what became a very political exercise in Altamonte Springs, the IIA (led, as I recall it, by the late Bill Bishop – IIA global President – himself) rejected Bill Birkett’s work as too limiting. Bill (Birkett), with whom I discussed his drafts extensively, was appropriately conservative about the cross-over of skill sets from control-related risk assessment to broader risk issues at the level of the firm (or enterprise). IIA Inc. rejected this humility in favour of what I described to Bill Bishop at the time as the greatest and least justified professional ‘land grab’ I had ever seen. Sadly, via COSO, such attempts continue to this day. As Santayana observed, “those who do cannot remember the past are condemned to repeat it.”
The greatest threat to IA is over-reach in to areas in which its members are unqualified and to which its skills are not readily portable – most notably, enterprise-level risk management. Of course, the good news for internal auditors is that, so far, no-one else is doing very well in that score either.