By Mustapha B. Mugisa, CFE, CHFI, CPA
This is a summary of the presentation Mustapha B. Mugisa gave at the 8th Annual IIAU conference organised by the Institute of Internal Auditors, Uganda. Mustapha urgues that Internal Auditors must acquire new skills if they are to remain competitive and relevant to their stakeholders. He adds that the business landscape has changed significantly. The use of automation is mission critical in all organisations, yet most Internal auditors lack the skills and tools to provide assurance over the security (integrity, availability and confidentiality) of their organisation’s information systems. Internal auditors also lack the capacity (tools and skills) to respond to fraud incidents successfully. Even then, most Internal Auditors lack the capacity to review the work of an outsourced forensic investigator to ensure the process is well done.
The lack of Internal Auditor’s capability to improve their skills in response to the changed environment in which they provide, has led to low value perception of Internal Auditing by management of the company IA is supposed to help. Accordingly, today’s internal auditor is under paid and less resourced.
According to Mustapha, Internal Auditors’ mandate entails an all rounder. They need to gain lots of skills to be able to provide ‘assurance’, ‘consulting’, ‘governance’, ‘effectiveness of the organisation’s risk management processes’, adequately. Management and other stakeholders must have trust in the skills and competence of internal auditors to do this role adequately.
Anything short of that renders the Internal Auditor or the Internal Audit department useless from the perspective of management.
Consider the following top challenges of today’s CEO and how IA fails flat to deliver on each:
- Fraud prevention. Association of Certified Fraud Examiners, ACFE, (www.acfe.com) estimates that an average organisation loses about 5% of its annual revenue to fraud. Applied to the gross revenue of a typical company, this loss is very big. Yet, Internal Auditor has consistently failed to provide practical strategies to management to respond to the fraud risk like recommending management to implement a robust and efficient whistle-blower system that research has proved time and again is the most effective fraud prevention and detection strategy by 43.1% compared to the next best strategy management reviews at 14%! (www.acfe.com 2012 report to the nations). What strategies and activities has IA recommended to management to implement to ensure fraud is prevented and or any fraud incident is detected and culprits identified and punished accordingly?
- ICT security risks. Automation/ technology is a key driver of all key business processes of top organisations whether public or private. Internal auditors lack practical skills to provide assurance over the organisation’s IT security. Skills in need here are security risk assessment, penetration testing and incident response. Management do not trust their IA departments to provide this assurance. A lot of money is spent to outsourced providers. Even then, IA lack the skills to provide assurance to management that the outsourced providers did a good job. This lack of trust in IA by management makes the general perception of the value of Internal Auditor to be low.
- Incident response. When a cyber fraud or cyber crime incident takes place, is Internal Audit prepared to provide thorough investigations by employing digital forensic tools by collecting evidence to determine who did what where, when and how effectively? The answer is no. Management, just like all stakeholders, know this. How else can IA be respected if as ‘insider company watch dogs’ cannot prevail when there is a problem that everyone expects them to handle? It is like a husband at home who cannot get the guts to confront say a rat in the house when drawn to it by the wife. How can she ever trust him in fixing other issues? Internal audit needs to acquire skills to be able to respond or ensure external experts hired to do the work, do it professionally. Otherwise, management won’t see IA as useful. Which means low facilitation and pay. If internal audit cannot do this, management will continue seeing them on the structure for compliance or best governance practice purposes. That is to say: “we need internal audit on our corporate structure so that we comply or others see us as being well governed.” You get the idea. Must as incident response does not have to be a key focus by the IA, they must have capacity to get to the bottom of any incident when and as it happens. No short cut. Research shows that fraud and misconduct is likely to reduce by more than 50% once fraudsters know that the company will likely detect them, and effectively bring them to book. That is the kind of positioning internal audit must create enterprise wide in order to be perceived as ‘value adding.’ Otherwise, this word will just remain on the lips.
- Attracting, retaining the best and developing a winning strategy. This is yet another critical issue that management need fixed. Unfortunately, IA does not provide help to ensuring quality HR and a winning strategy. The nature and value positioning of the role of Internal Auditors is more of ‘reactive’ as opposed to ‘proactive.’ How does IA assist management in this critical activity? How often does internal audit undertake human resources deployment matrix – the process of examining the qualification and experience of each and every staff within the organisation and providing a report of how to effectively match staff skills and experience to responsibilities and activities where they can add most value? I bet there are very few internal audit departments that have ever done this kind of HR mapping. They think, wrongly, that it is not their role. Yet the mandate of IA audit as defined by the Institute of Internal Auditors (IIA) includes “providing a consulting role to management” provides for it. Management will often get such value adding projects from external consultants. The question is: where is internal audit? Why can’t Internal Audit do such kind of work and be seen to add value to the organisation. My experience as an Internal auditor of a bank is that, IA spend most of their time in reviewing what management has done and sort of critiquing their works. Here, IA misses the point. IA will do an annual risk assessment to guide their focus in the next 12 months. This is one of the greatest activities. Unfortunately, more often than not, most IA departments lack the skills to do good risk assessment. Even then, most of their work tend to focus on financial and controls assessment. This practice has made the nature, kind and quality of Internal Audit work and reports more predictable in the form of “Finding/ Observations; Implications/ Risk; Recommendations” and Management Comments – where management comment on the IA findings and when to fix the risks, among others. The question is: when does IA engage in advising management on the adequacy of their strategic priorities and other key issues like IT governance? Is it correct to say that management will most likely not seek for the ‘opinion’ of the Internal Auditor concerning their strategic priorities because they do the IA as that value adding? You guessed right.
- Compliance and risk management. The role of compliance seems to be more on the company’s in-house legal team. IA is expected to provide assurance that in-house legal teams do a great job by ensuring that SLA in force are complied to as well as other regulatory requirements. Unfortunately, IA rarely does this well, as legal costs are some of the top company costs
It is not unusual to find Service Level Agreements (SLA) not been met by the service provider, yet the company continue to pay a lot of money in fulfilment. Where is IA to ensure value for money?
The failure by IA to add real value to the organisation has reduced the value of the profession from the perspective of management. The end result is general poor remuneration of Internal Auditors and lack of good facilitation of the department. IA must acquire new skills, be all rounder’s and position IA as a missing link in the organisation’s governance puzzle. When the CEO, any senior management member or Board member needs to take any action – operational, strategic or otherwise, should have internal audit first on their mind for their opinion. Until this is achieved, IA shall not be recognized as value adding as it should be.
Click here to download the complete presentation in pdf. Please leave a comment below.
Copyright Mustapha B. Mugisa, 2013. All rights reserved.