“Everyone makes predictions about the future as if there is only one probable outcome – I believe there is a range of different possible scenarios and that, if you apply bird analogies to the internal audit profession, we could dive, glide or soar in the coming decade,” says Richard Chambers, former president and CEO of IIA Global. If there’s one message he wanted delegates to the Internal Audit Conference to take away, it’s that internal auditors are the ones who will decide which scenario materialises.
“It’s up to us, not external factors,” he says. “The future is not something that is going to happen to us. The only thing that will happen to us is us – we will make our own future. We have to make it happen.”
He believes that the profession is at a crossroads. A series of crises in the past decade, from the aftermath of the financial crisis of 2008 to scandals resulting from poor corporate cultures, led to an increase in guidance and legislation. For many internal auditors, this was a chance to increase their profile and help managers as they worked out what this meant for their organisations.
Then came the pandemic. “This was the most disruptive event in the history of the internal audit profession,” Chambers points out. “It reached into every crevice of organisations across the globe and put renewed pressure on internal audit functions to demonstrate their abilities.”
But even those internal audit teams that proved their value and emerged with increased respect and status cannot rest on their laurels. They should already be looking ahead to see what the future holds, he warns. If nothing else, the pandemic showed us the speed with which risks change – even risk assessments completed in June 2021 were often out of date four weeks later because of the emergence of the delta variant of the virus. Who knows what is around the corner?
“That’s the speed of risk today and why we need to be able to deal with it in a dynamic environment,” he says.
The availability of talent will continue to be a huge risk and soft skills for internal auditors will be a basic requirement. “These are the ‘table stakes’ in gaming terms – you will need skills such as critical thinking and communication before you can even start to act as a strategic adviser,” Chambers warns.
In a recent poll asking for the five strategic risks that will be critical in the decade ahead, over 700 internal audit leaders identified the chief risk to the profession as internal audit’s ability (or inability) to assess risk.
“If this is where we are in the current environment, where might we go in the next decade?” Chambers asks. “The first scenario is that complacency causes us to dive and our stature is diminished. I don’t believe that it is likely that internal audit will disappear in the next ten years, but I can see a situation in which our stature is lower than it is today.”
The chief causes of this, he argues, would be internal audit’s failure to identify emerging risks, leading to repeated situations in which a disaster occurs without any preparation by, or warning from, internal auditors. This could exacerbate “stakeholder fatigue” and encourage organisations to invest less in assurance and oversight. “If we don’t spot emerging risks we will end up at the children’s table, rather than the executive table,” he says.
This is not just a macro risk to the fortunes of the whole profession, but a risk to each and every internal audit function in every sector, he adds. Even if the profession as a whole soars, one weak individual function that fails to prove its value could decline. The threat is therefore personal as well as general.
The second feasible scenario is that the profession glides along, but does not gain stature or recognition. “Internal audit functions that adopt a ‘don’t ask, don’t tell’ approach, and which fail to identify and highlight to the board areas that they do not currently cover adequately, or that do not invest sufficiently in technology and upskilling, will rely on a disaster not happening on their watch,” Chambers says.
“Those that neither sail towards storms, nor seek to avoid them, will have to deal with whatever fortune throws their way. Most are likely to end the decade with their reputations intact, but not seen as indispensable.”
He acknowledges that it can be difficult to admit you’re not doing something, or that you lack the skills to address a specific risk, and that this creates a temptation to ignore potential problems (particularly if no one else seems to have spotted them). However, internal auditors in his third scenario – who will soar in the next ten years – would take control of such risks and put them firmly on management’s agenda.
Internal auditors in this category will have dynamic audit plans that are continuously updated to take into account rapid changes in an evolving environment. They will embrace technology and “future-proof their value” by upskilling and developing to meet emerging risks. “It’s not a question of just introducing Agile techniques; we need to develop an agile mindset,” he says.
So which of these scenarios does he think is most likely to transpire? “Probably 2.5,” he says. “Over the past decade, the profession has glided with a slightly upwards trajectory and if we don’t apply ourselves and aim higher, this will continue – like the bright child at school who doesn’t aim to get A grades,” he explains.
“I think we should be aiming higher than this. Change isn’t just happening to internal audit, it’s happening everywhere. The speed keeps accelerating and we have less reaction time and less time to anticipate what’s coming next. But this is exciting – if I were earlier in my career and in a chief internal audit role, I would relish this challenge.”
Too often in the past, organisations after a crisis have asked “where were the internal auditors”, he adds. “The question that chief executives ought to be asking is ‘where are the internal auditors – I need them’. You can’t believe you’re valued if you never get a text or a message demanding your immediate attention.” There is a direct correlation between the value you bring and how often you are asked by management to engage with them, he adds.
Key emerging threats in the coming decade will include risks from climate change and the environmental, social and governance (ESG) agenda, as well as evolving risks from artificial intelligence and data. Internal auditors will not be able to offer assurance on every threat, so they need to become smarter about identifying those that matter, Chambers points out.
“Lots of internal audit teams are still working to keep the lights on day to day. The issues that enable the organisation to operate smoothly are important, but internal auditors need to increase their value by moving up to focus more on existential threats to the business,” he says. “The vast majority of internal audit departments are not anywhere near that at the moment.”
Internal audit is generally good at thinking and planning for short term risks, but is not so confident thinking beyond the next year, Chambers explains. “It’s true that if you don’t survive today, you won’t need to worry about tomorrow, but we need to get better at looking to the long term,” he urges.
“There’s a term ‘cone of certainty’ that applies to hurricanes and is important if, like me, you live on the coast in Florida – it shows the likelihood of being in the direct path of an approaching tropical storm and becomes clearer as the storm gets closer,” he explains. “I watch storms coming off the East African coast and then monitor them carefully. Most will not turn into anything, but if I wait until a major storm is three days away then I’ll find it hard to get provisions or evacuate before it hits. Internal auditors need to monitor long-term risk like this – we need to plan tactically and think strategically.
This article was published in November 2021.