Wednesday, December 4, 2019

Will the internal audit disappear?


It is very common nowadays in audit meetings, groups and seminars to question the future of internal auditing, especially whether it will disappear due to technological developments.

In fact, the theme of the 39th Internal Audit Congress, which took place this year in the city of Florianópolis, was Technology and Innovation for Internal Audit, and in my lecture, entitled “Internal Audit in a Changing World”, I brought points to explain that the audit will be affected like any other activity, but not to an extent that may affect its existence.

First of all, we need to understand that the application of “Triple A” (Automation, Analytics, and Artificial Intelligence) in corporate activities is not the future but the present.

Digital convergence is already a reality in society as well as in companies. It has implications for the way business is done, managed and operationalized. We need to keep in mind that corporations are changing at great speed, and often disruptively.

Organizational structures are no longer hierarchical but flatter; operations and processes are no longer centralized and local but decentralized and remote; functions are no longer specific but more generalist and collaborative.

In such a scenario it is clear that the internal audit activity, if it wants to remain an important player in the organization's success, will also have to adapt and innovate.

With this in mind, let's consider what the impacts will be on the audit activity. In my perception, what should not change, and what will change:

  1. The mission, definition and professional standards for audit practice should not change, only adjust for technology applications,
  2. The systematic and disciplined audit methodology, consisting of the planning, execution and reporting of results, will continue to be used on digital platforms,
  3. Evaluations, according to their nature (compliance, performance (operational) and accounting), will also continue to be used, without significant changes,
  4. Tools for applying audit procedures and techniques, as well as some planning and communication activities, should change due to the use of Triple A solutions,
  5. Possibly the audit risk (non-detection) should be mitigated to the extent that we can abolish sampling in the work, as the technology will allow an evaluation of the whole universe tested,
  6. The auditor's competencies and skills should be complemented so that the auditor is proficient in using Triple A solutions and has knowledge of languages such as Python and R.

I don't believe technology will take the human function out of auditing, but those who want to continue their careers will have to update and adapt to this new corporate format.

Solutions that are currently on the market are highly applicable in a compliance and/or regularity audit, but for an (operational) performance audit they still have low application.

What worries me is that many auditors have not yet realized the need to update. This was for yesterday; they are already late, and at the speed of things, the professional will become obsolete very quickly.

Another thing that strikes me, though it does not have much to do with technology, is that a large portion of auditors have yet to understand their real responsibility as a third line of defense and the audit mission as defined in the IIA IPPFs.

They continue to perform only compliance audit work, which is the simplest and primary form of assessment, rather than performing operational performance reviews, reviewing the risk management and internal control system applied to operational processes to evaluate the governance.

As I said, I do not believe in the disappearance of auditing, but in the disappearance of auditors who do not connect with auditing standards, with new technologies, and with the new formats and structures of the corporate and business world.

The modern auditor has a great responsibility to support leadership in the governance process, the ethical values, the effectiveness of the processes and the economy of the application of resources. This auditor will always have his place in the corporation.

Be happy!

Wednesday, March 20, 2019

The auditor, the door and the fabric thread, a reflection!

Today I was finishing the slides for a new basic level internal audit course and I came across a topic that is very relevant for the quality of any assessment work carried out by internal auditors, but that is left aside.

I am talking about due professional care, an attribute that must be present in the list of necessary competencies of a high performance internal auditor.

The IIA, through its international standards for professional practice, in its attribute standard 1220, establishes that internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

According to this standard, internal auditors must exercise due professional care by considering the:


  • Extent of work needed to achieve the engagement’s objectives. 
  • Relative complexity, materiality, or significance of matters to which assurance procedures are applied. 
  • Adequacy and effectiveness of governance, risk management, and control processes. 
  • Probability of significant errors, fraud, or noncompliance. 
  • Cost of assurance in relation to potential benefits.


In order to provide a better understanding of the relevance of this topic, when I am in class, I always like to illustrate my explanation with a short story, which I will share with you below:

Let's imagine that you are the auditor in an organization where every day, to go to your office, you have to go through a corridor with several closed rooms on both sides.
One day, when you are walking in this hallway, you notice that there is a small fabric thread on the floor, near one of the doors. You observe it, but since it is a simple fabric thread, you judge it to be immaterial or irrelevant and move on without caring about it.
But let's now include due professional care in this example.
You are walking down the hallway and look at the fabric thread on the floor, next to a door, and you understand that despite its immateriality, it is out of context. This fabric thread should be on a spool of thread or in a fabric, but not in that place.
Thus, because of due professional care, you need to check and bend down to pick up the thread to analyze it. However, when you try to do that, you realize that this thread is trapped under the door. Now you will need to deepen your analysis, and you will need to open the door to see where the thread is stuck in order to release it for analysis.
When you open the door, the surprise comes: this thread is not a normal fabric thread; in fact, it is a hair from the tail of the little elephant that is quietly behind the door.
One day, sooner or later, this door would be opened and the little elephant would be discovered.
The manager would then ask the auditor, who walks down this hallway every day, how and for what reason the auditor had not detected the elephant behind the door, and the auditor would not have, technically speaking, any way to explain it, other than that he had used wrong professional judgment, due to the lack of professional care.

Unfortunately, under the excuse of materiality or lack of time, this type of occurrence is very present in corporations. I believe that this is partly due to the auditors' lack of knowledge of the audit standards and also because of their lack of knowledge of the basic attributes of audit work.

I observe many repetitive or standardized jobs being performed without the necessary due care, resulting at least in low performance audit results.

This is especially so today when, through applied technology, the audit has been working hard on obtaining data, but very little on evaluating it. In this case due professional care in applying the basic audit principles becomes even more relevant.

Due professional care helps the auditor to observe and evaluate everything that is out of context, regardless of its materiality.

To finish, and hoping to help, always keep in mind that:

Everything that is out of context must be analyzed, without exception!

Be happy!

Tuesday, March 5, 2019

Is Corporate Governance an outdated process?


The corporate world has been constantly shaken by events of fraud, disaster, corruption, wrong decisions, out-of-mission strategies, and others. These events put the governance structure in doubt because, with few exceptions, the companies that are or have been in the media relied or rely on robust governance structures.

Then comes the question whether the governance structure or principles are outdated and should be changed as they are no longer effective.

In this article I would like to demonstrate that the problem is not the structure, but the attitude and awareness of governance existing in organizations.

We know that governance is historically a response to agency conflict, and put simply, governance is the process by which organizations are managed and monitored in pursuit of the decision-making balance between shareholders, board and executives. Its principles are: transparency, fairness, accountability and corporate or social responsibility.

In order for governance to exist, it is necessary for the organization to have a robust and integrated risk management process, which, in turn, needs to be supported by an effective system of internal controls, including, at this point, the existence of a proactive audit activity aligned with the business.

A strong integrity program based on ethical values and principles is imperative for the composition of the corporate governance structure.

Well, this whole structure becomes a great fiction if there is no real commitment, attitude and awareness of governance on the part of the decision makers, especially those who are in the highest positions of the company structure, like the C-level and the Board.

Before having a governance structure, there must be a governance attitude and consciousness in the corporation, because without it the whole governance process loses its effectiveness. There must be an unrestricted commitment to good management practices, ethical values and respect for all related parties.

The board should be active and independent, but it should also encourage and provide a conducive internal environment for risk awareness to be at all decision-making levels within the organization.

The Board must provide support to the second line of defense, which aims to support management in fulfilling its responsibility to improve the performance of its activity through the management of risks and internal controls, providing effectiveness and operational economy. It must also support internal auditing, which, as a third line of defense, aims to add value to the corporation through the independent assessment of risk management, control and governance.

In turn, the leaders, in conjunction with the board, should clearly and transparently define the company's risk appetite so that risk responses are in line with it. Remember that the risk appetite for legal non-compliance, for acts outside ethical values, and for risks of accidents that could lead to death should be zero.

Unlike structure, governance consciousness must reach all organizational levels and needs to be developed through organizational culture, which means a long process with a long maturation that needs to be constantly worked on and evaluated.

This process should encourage and develop a managerial attitude guided by the best practices of risk management, compliance and internal controls, and in this regard the attitude of top management, especially the C-Level, is of extreme importance, as it should be the example of the desired behavior and attitude.

Everyone who is part of an organization, who is governed by corporate governance, must be fully aware of the importance of their attitudes towards the organization's success and sustainability, and that they must comply with the legal, ethical and practice.

Be happy!