From a world of self-governance to regulation may be its time we stop and rethink!
Is Internal Auditing better off with being by regulation than we were being by choice? Certainly, being by regulation allows greater career opportunities and a spot at the top amongst the C-Suite, but is the basis of being there as a compliance necessity a good enough reason for existence?
Indeed, it becomes a question of existence, when we try to assess which state were we better in because not just our responsibilities or efficacy, but our purpose is also dependent on it as we align our conduct with the basis of our existence.
The perceived regulation induced perks and privileges aside, let’s address the elephant in the room first; the most staunchly believed benefit of increased authority of a regulatory Internal Audit. The authority of an internal audit function always used to stem from its position within the entity and its reporting line. The International Standards on Professional Practice of Internal Auditors (ISPPIA from the IIA) have been conceptually clear on this part.
So, does the internal audit function put in place through regulation enhances this authority? What does such an enhancement mean and how is it measured?
The Internal Audit authority is about the significance and seriousness its outputs enjoy within the organization. It is this bottom-line significance that causes the internal audit to be placed adequately within the organization for it to have unfettered access to people and information and hence its reporting relationship with the Board.
If an internal audit function already enjoys this authority, neither an enhancement is expected nor required as the value addition the function expects to add is guaranteed as far as its authority is concerned. Its findings are considered and reviewed at the highest level and the stakeholders look forward to these earnestly.
As for the measurement of authority, it would come from timestamped action plans made for closure of those findings, such that the root causes are identified so that recurrence is not possible. An adequate KPI system could attribute certain numeric to make these measurements more tangible with the results thereon being reported to the same apex reporting body.
As we can see now that the regulation does nothing to enhance the authority, we may now move on to see if it improves upon anything pertaining to internal audit’s perks and privileges. In the case of perks and privileges, regulation does exactly what the internal audit practitioners are wary of; keeping these at the bare minimum, just enough to satisfy compliance objectives.
Bare minimum in the context of perks means investment in sub-optimal internal auditing resources as adequacy and propriety is left for the entities to decide and the privileges are simply matched to what’s needed for their reporting responsibilities, which brings us to another very important aspect that’s also believed to be impacted upon by regulation, responsibility.
The responsibilities of internal auditing function come from the audit plan that is derived from the scope of services documented in audit charter which in turn comes from the audit universe aligned with the entity’s risk universe. Responsibilities need to be entity centric, not regulation driven, to be meaningful. An entity’s risk universe is the basic blueprint for guiding internal audit strategies. Therefore regulation, being generic, can offer no value in this regard.
But what regulation helps is in:
- Assuring the requirement for an internal audit function,
- Providing opportunities for internal auditors,
- Fixing an adequate position for the internal audit,
- Enhancing the profile of the profession.
However, these benefits could only be harnessed if the entity’s management and more specifically its Board understand the reason for investment in internal auditing beyond what is required by regulation, since now that we have seen regulation does more harm than good to the cause of internal auditing.
The motive for this investment needs to come from the Management and Board’s understanding of how internal auditing aligns with their vision and strategy for entity’s growth and sustenance. Certainly, the value of internal auditing that’s intrinsic to an entity’s own understanding cannot be substituted by regulation that tries to induce it through enforcement!
As for the regulators, we the internal auditors need to ask the following questions:
- Were you required to make governance policies only and not establish the implementation guidelines?
- Were you only required to ask for self-assessed compliance statements instead of independent evaluation of compliance?
- Is an external auditor review note on corporate governance enough instead of a regulator specified focused review engagements?
- Is having a complaint mechanism the only way to ensure compliance instead of regular monitoring of entities on the road to corporate failures?
And if these questions did not form part of the thought process that went into developing and improving the corporate governance regulations, dear regulators are you sure you completed the due diligence on your part in ensuring internal audit adds value to the entity’s GRC processes?
Please understand that internal auditing could not have benefitted from regulation similar to the one reserved for statutory/mandatory external auditing because internal audit scope had always been far and wide, not restricted to an opinion on the truthfulness and fairness of historical financial information.
Internal Auditing has and will always be forward looking for the improvement oriented, unlike the myopic and backward-looking external auditing!
Time for regulators to do some introspection!