Richard Chambers, president and CEO of the Institute of Internal Auditors, has released a new book, "Lessons Learned on the Audit Trail," that describes his varied career and the real-life challenges he sees in achieving success in the internal audit profession.
Chambers’ advice is based on his experiences not only heading the IIA, but also in previous jobs as national internal audit advisory leader at PricewaterhouseCoopers, inspector general of the Tennessee Valley Authority, deputy inspector general of the U.S. Postal Service, and director of U.S. Army Internal Review.
Accounting Today asked him about why he wrote the book, his experiences as an auditor, and where he sees the internal audit profession heading.
What was your impetus for writing the book?
I think probably the main impetus was coming up on my own milestone of 40 years in this profession. Obviously that’s a time I would reflect back on my own career. Because of the important role that I play here in helping to lead the profession, I’ve been very fortunate to have attracted a lot of followers around the world via social media. I understand that I have more than 40,000 unique readers on my blog, and based on the reaction that we get when we post a new blog, they seem to be driven to the real examples and the real stories that I’ve been able to share of real examples of things that happened in my own career. I really wanted to share my own experiences with others in the profession, particularly young accounting professionals and internal auditors who are trying to make a decision about the right direction to take. I wanted them to know that a life in this profession can be very exciting. As I say in the book, this is a profession that you can live your life in color, in spite of the fact that some people think of accounting as a very black and white world.
It sounds like you’ve had a very varied career, in government, in accounting firms and in organizations like the IIA. What are some of the differences that you’ve found in working at these different types of jobs?
You’re right. I’ve had the opportunity to spend part of my career in public service, part of it in the corporate sector, particularly in the years I spent working at PricewaterhouseCoopers, and in the not-for-profit sector. I think each of those critical sectors has very different objectives, and the organizations in them have very different governance models. Certainly those are things that stand out in my mind as being differences. There are also tremendous similarities, particularly regarding the folks in our profession. Regardless of whether you’re an auditor in the public sector, the corporate sector or the not-for-profit sector, your objectives are very much the same, and that is to bring value to your organization by providing assurance around how effectively the organization is being run. I think that can be a very rewarding way to spend one’s career.
You talked about dealing with things like budget cuts, as when the Army and the Pentagon were cutting back on their budget for internal audit. Do you think there is enough money being spent on internal audit in government and the private sector?
That’s a good question. The reason I shared those stories in the book was really to illustrate how I began to connect the dots that internal audit has stakeholders, and if those stakeholders feel like they’re not getting the value that they need, they’ll make difficult decisions about how effectively to resource the function. In terms of today, I always say about internal audit in particular that it is very much a function of what is the risk appetite of those who lead an organization. If they don’t have the appetite to assume a lot of risk around failures in controls and risk management, then they need to be thinking about what are the ways to mitigate those risks.
Having a strong and effective internal audit function is a very important means of making sure that as a board member or management, you’ve got good insight into what’s happening in your organization. In government today, I think we have probably adequate levels of resources in the federal government. Where I worry about more is not necessarily whether the resources are adequate in the federal government, but whether they are adequate in the state government and municipal-level governments. They have been under much greater scrutiny and the challenges are much greater for them. They don’t have the ability that the federal government does to borrow far beyond their means, and often they have to live very much with a balanced budget. That’s where the difficulty seems to come in for the audit profession. People make very difficult decisions about how much they’re going to resource the audit function, and when you’re in the state and the local municipal government levels, that’s a much more difficult decision.
Do you think there is some unwillingness to see what’s lurking in the books when an internal auditor goes through them? Did you run into a lot of that?
I think we still continue to see that. We see the sort of latent downsizing of internal audit in order to reduce the level of oversight. If you don’t want to have a lot of scrutiny or oversight, just reducing internal audit and claiming that it’s a function of budget constraints, unfortunately is all too common. It’s something that we, and I in particular, have been very willing to call out when we see it happening. If we see that there is potentially some deception about the motives to reduce an audit function—that is, it’s being reduced not commensurate with any overall reductions in the budget—those are things that we need to call out, and we do.
You mentioned about all the change you saw after Sarbanes-Oxley came out in 2002, and the impact it had on the audit profession. You were working at PricewaterhouseCoopers and seeing how they adjusted. Did you see some dramatic changes there too?
Certainly in the first years after Sarbanes-Oxley, I’d say 2004, 2005 and 2006 were an extraordinarily dynamic period for our profession and for external auditing as well. Everyone was under a mandate, certainly in the corporate sector, to prepare themselves for audits of their overall effectiveness of internal controls over financial reporting. There was a lot of money spent in those years, and a lot of it found its way into internal audit and also into public accounting. Certainly it was an expensive period, but I personally believe that internal controls over financial reporting are much stronger today than they were 15 years ago. Obviously there was a lot of cost, and a lot of resources were expended to do that, but we’re talking about nothing less than confidence in our capital markets. We couldn’t afford to have many more Enrons and WorldComs, so while there might have been sacrifices made from a resource standpoint, we have a much healthier level of control over financial reporting today than we had in 2000 and 2001.
You mentioned in the book that when you were working in the inspector general function, you had visited a lot of the offices. Is it important for internal auditors to familiarize themselves with the different offices and functions in a company or government organization?
Absolutely. If you think about that, internal audit has a mandate to assess the overall risks of an organization and then to build an audit plan that reflects those risks. You’re not going to have an easy time of conducting a comprehensive risk assessment if you never leave your desk. You’re going to have to get out there. You’re going to have to have the interaction and dialogue with others in your organization, and you’re going to have to understand the business. If you don’t understand the business, it’s going to be much more difficult to audit the business.
One of the overarching lessons or themes that I hope would come through there is that internal auditing—and I would say this is true for the auditing profession in general, whether you’re an internal auditor or external auditor—in order to be successful you have to be more than just technically proficient. You have to have what some people would refer to as soft skills. You have to have the ability to build and sustain relationships. You have to be a strong and effective communicator. There has to be an aspect of empathy in what we do as well.
In one of the chapters I talk about never forgetting that we’re auditing people. The vast majority of people that I’ve audited throughout my career have been good, decent people who are working hard to do a good job, whether it’s in government or the corporate sector. While our role and our responsibility is to assess the overall effectiveness of operations or the overall effectiveness of controls and risk management, I think we have to go at it in a way that respects and values the professionals who are doing these jobs. These are things that I wanted to convey in this book because if you don’t empathize, and have these traits and these characteristics, it’s very easy to develop a sort of traffic cop kind of mentality where you simply show up, you cite someone for doing something wrong, and you move on to the next victim. Part of what I wanted to convey in this book is if you want to be effective as an internal auditor, particularly as an internal auditor, you have to have a degree of compassion in how you approach the job. You have to be open and build and sustain a level of trust between you and the people you’re auditing because if you don’t have that level of trust, you’re not going to be nearly as effective, and you’re not going to bring nearly as much value to the organization.
What are the biggest lessons you have learned in your career?
The biggest lessons that I learned early in my career really were around what is the role of an internal audit function and how do you add the most value. Those are some of the things we talked about. I detail examples early in my career where I learned things about the effectiveness of communications and how important it is in your own career to decide what it is you want to do and then pursue that. I describe in the book about job hopping a little bit early in my career and recognizing that just because I can get a promotion to do this next job doesn’t mean that I’m going to enjoy it. To me, those are life lessons that I think every professional will learn at some point. I don’t think that just by reading it, that’s going to change their mind, because that next promotion or next raise is often very attractive. But I learned in the first five years of my career that I could keep jumping to the next job at a higher and higher level, but I might not enjoy the work. If I enjoy the work, I’ll do a good job and I’ll get where I need to get eventually, and then I’ll have been happy in the process.
Do you have any predictions about where you see the future of internal audit going?
As I talk about in that last chapter, I have said for a number of years that I feel like this profession is on a journey from one where in our origins we were focused on hindsight. That is, we were the guys and ladies who showed up and cited ineffective controls and the consequences that happened in the past. We’re in an era now where increasingly we are providing insight in addition to hindsight about the things that are happening in the organization and being willing to provide our perspectives. I think the ultimate destination for our profession is also to be able to provide foresight, to be able to not only talk about the past and the present, but to be open and willing to give our perspectives on what will happen in the future if key risks are not addressed. The former Comptroller General of the United States, David Walker, really popularized that notion of internal audit—in his case he was talking about government audit—of audit being capable of providing hindsight, insight and foresight, and that’s where I see the journey for our profession headed.