[IMGCAP(1)]Richard Chambers has been reorganizing and consolidating the Institute of Internal Auditors ever since he returned in January after a five-year stint at PricewaterhouseCoopers.

Before joining PwC, Chambers spent roughly four years as an IIA official and 15 years as an IIA volunteer. He has 34 years of experience in internal audit, accounting and financial management, having also worked for the Pentagon, the GAO, the Tennessee Valley Authority, and the U.S. Postal Service. Chambers talked recently about the evolving role of the internal audit function.

What brought you back to the IIA?

Following the retirement of the former president, the board was looking for a replacement which presented an opportunity for me to come back to a place that I had been before and loved. It’s obviously an exciting and challenging time for our association and the profession as a whole. Certainly recessions are challenging for not-for-profit associations, as they are for any business, and this one has been no different. We’ve gone through a fairly intensive first quarter looking at our size and structure. We did a number of things to restructure and reorganize the IIA. I think we’ve been very successful in getting our model in a better position. Time will be the judge if we got everything right, but we’ve certainly made some changes, took out a bit of our cost structure, had to reduce our staffing levels, and now we’re in a much better place.

How are internal auditors dealing with the recession?

We did some research in the first quarter looking at how the economy has impacted internal audit. As you might expect, our profession’s not terribly different from any other. The economic downturn has had an impact. In North America, almost 80 percent indicated that their companies have been affected negatively by the economy and then almost 50 percent indicated that their internal audit resources had been reduced. And of those, at least a quarter said they had been significantly reduced by more than 10 percent. So that’s certainly a big change from what we had been seeing over the last few years.

How has the internal audit function been changing in the past few years?

Following the adoption of Sarbanes-Oxley, we saw rather unbridled growth in the profession, especially from 2004 to roughly 2006, 2007. At that point, it sort of leveled off a little bit and then we started to see some other challenges emerge. Our results showed there have been reductions. We asked people how they’ve handled those and we got some interesting responses. Training, travel and a lot of the discretionary spending have been reduced. Of those that have incurred a loss of budget of 10 percent or more, about a third of them have actually laid off staff, so there have actually been some staff reductions in internal audit, and I think that probably is some of what we have seen in the broader accounting profession in the U.S.

Where do you see internal audit going these days since the heavy concentration on Sarbanes-Oxley has faded?

What we saw in internal audit post-Sarbanes was just an exclusive focus in some places on 404 compliance, and in fact, we surveyed on this every year at PwC. In 2004 we saw it peak out. One of the questions we’ve asked is, “What percent of your resources are you dedicating to Sarbanes-Oxley?” and I think that was the year when we peaked out at almost 70 percent of those who responded they were spending more than 50 percent of their time fostering 404 and Sarbanes-Oxley compliance. It tailed off after that and it’s come down to a much different level. So the question then is, “OK, if focus is coming down off of SOX, where is it going?” That was one of the real stories to come out of the research we did in March. There is a much greater broadening of the internal audit focus, and the places that they’re getting back into it are the ones you might expect. Being driven by a recessionary environment, they’re looking at operational risks, compliance risks, fraud risks, and one that I think has real potential going forward for internal audit is assessing the effectiveness of risk management.

Why do you think risk management has become such a focus of internal auditors?

In many respects, it’s really a return to the more traditional internal audit approach. What we’ve seen over the last few years has been something of an anomaly. If you look historically, at least over the last quarter century, internal audit resources have been more broadly focused, looking at a range of risks, whereas in the last five years or so, there has been a trend almost exclusively toward financial controls and financial risks. Now we’re seeing a return to what I would call a bit more traditional view of what internal audit does. And so I think that’s the big story for us this year, that internal audit is starting to reassert its involvement in a range of risks that the organization may face.

Where else do you see internal audit going?

Another area where there has been a marked increase in coverage is helping identify opportunities for cost containment and expense reductions. From my experience, having been in this profession for 34 years, almost every time we get into a recession, that’s a sweet spot for internal audit, because that’s a place where management is typically looking for cost savings, and internal audit is just a great place to turn to figure out where we can achieve some cost savings and expense reductions at the company.

As SOX levels off and internal auditors get into their traditional areas of risk management, are there new areas the IIA thinks they should be trying?

That’s another message that came out of the research. One of the big lessons that came out of the financial failures of the past two years has been what some have referred to as spectacular failures of risk management. And so I think coming out of it there is going to be an interest and an urgency on the part of audit committees, boards, and others to get some kind of assurance around how effectively the risks are being managed at the company.

Is there training that the average internal auditor needs for this? Do they need to expand their notion of their role, or is this a task they can do with the tools they already have?

No, I think if you look at the skill sets in a lot of internal audit functions, they tend to ebb and flow based on the expectations of the stakeholders. If you go back to the late ’90s, you saw that internal audit focused more on consulting and business partnering. Then suddenly we got into the SOX era and the stakeholder expectations crystallized around a focus on the effectiveness of financial controls. A lot of audit departments now find themselves fully staffed with great accounting talent and now they’re suddenly going to have to focus on a much broader range of risks. Some of those folks are very capable as accountants, and hopefully versatile enough to learn new talents, but some of them are probably better suited to move into roles within the CFO organization. And now we’re going to see this diversification of talent within the internal audit function.

Are there a lot of new standards coming along that the internal auditors have to adapt to, like the international standards? Are you involved at all with convergence efforts?

Internal auditors are by and large complying with the IIA standards, which are the global internal audit standards. There aren’t a lot of new standards that are evolving out of that. Obviously we have our standards and then we have our practice advisories, which are essentially interpretations of the standards. We are starting to put out additional practice advisories around some of these areas, and we have a practice advisory out on this issue of assessing the effectiveness of risk management. In terms of the global accounting standards and IFRS and some of the other related areas, I think that’s something that internal audit will need to be more familiar with, particularly where their focus is on financial controls and financial risk. But it isn’t something that I think would necessarily be the top and center of where they need to focus.

Are you going to be recommending that people put in more stringent risk management models?

My guess is that there will probably be a lot of recommendations for enhancement. One of the things that we would do at the institute would be to monitor that, and if we start to see trends that would indicate that there are some key weaknesses, we would be publicizing that to give people some insight about what the best practices and leading trends are. But it isn’t something we would mandate as a standard because ultimately risk management is management’s responsibility, so the auditor should hopefully be identifying what the conditions are, what the causes are, and what the effects are, and let management determine what corrective actions they need to be implementing.

Register or login for access to this item and much more

All Accounting Today content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access