Anthony Pugliese of the Institute of Internal Auditors discusses the new and perennial risks and challenges facing his members, and the new standards and resources the IIA is rolling out to help.
Transcription:
Dan Hood (00:03):
Welcome Dalia of the county. Today I'm editor-in-chief Dan Hood. Like any other part of the accounting profession, internal audit is facing its share of fast paced change and then some here to talk about many of the major new trends in the field, from new standards to new approaches to risk and more is Anthony Pugliese, he's the president of the Institute of Internal Auditors. Anthony, thanks for joining us.
Anthony Pugliese (00:21):
Thank you for having me.
Dan Hood (00:23):
I want to jump right in. You are at the beginning of 2025, the I a, these new set of global internal audit standards became effective. And I want to talk a little bit for those who weren't familiar with it, maybe you can tell us what was the goal of those? What was the reason behind the new set of standards?
Anthony Pugliese (00:40):
Yeah, I mean I think the first one, it was due for an update anyway, but when we had the opportunity, we took the chance to rewrite our standards to be far more in line with the kind of risks that our members are facing when they provide assurance or advisory services to clients or employers, or it could be clients as well. So it gave us a chance to also think about how to elevate the quality of internal audit by also adding some components, some required communications, for example, with the audit committee required communications with management and things like that, different levels of documentation requirements or working papers. But overall improving the standards to more closely aligned to the evolving nature of risk. It took us about three years, which for the folks that understand Sanders setting, that's not terribly long in the scheme of things, but our unique challenge was we have 118 nations in our federation of i a. So getting 118 countries in tow in three years was actually Lightspeed compared to some of the projects we've had done in the past. And I think it was because everyone realized it was time to make the standards more accommodating to the world we're operating in. So it was three years. We have it in 34 languages already. It's been downloaded hundreds of thousands of times. So we've had really good feedback. We've been very fortunate that we were able to hit it right on the first time out.
Dan Hood (02:02):
Well, let's talk about some of that feedback and some of the uptake. What has that been like? How has in terms of use, in terms of comfort levels, in terms of are they coming back with questions and saying, Hey, what does this mean?
Anthony Pugliese (02:14):
Actually, we had such an extensive exposure process. I think we handled a lot of those questions. We were able to put 'em in the preface to the standards, so we had a lot of the questions already addressed. But I think some of the requirements that are new, we get questions about, well, what if I can't access this member of management? Or what if I decide that I don't need to do something that's not in line with the standards? For example, you may find in some countries that national law may heighten the requirement over what we put, so we would put our general explanation is conform or explain, which you'll see in many standard setting organizations. So we were able to really calm concerns around that. If you can't do it, it's against the law. The law is different, just document the reasons for that. And that's not common.
(03:04):
We see that in some organizations or countries like Japan. Japan has unique audit committee requirements. They don't really have audit committees per se. They have a different form of governance. The audit committee is completely separate from the board and is external to the organization. So we had to accommodate that, and that was part of the whole process of getting global standards in place. I think the biggest questions we had were on a component of the global internal audit standards that we call topical requirements. And that was probably what generated the vast majority of comments on everything. And that was done after we finished the main body of the global standards. So what we did is we looked out and understood when we rewrote the standards that we were doing it because risk is changing dramatically. And what our members do all the time is changing dramatically.
(03:54):
We still have the traditional internal audit functions, but many are being asked to do more or things differently or even to shift entirely into risk areas that are unrelated to internal controls over financial reporting. So the topical requirements, just super brief explanation, is that as we see these risks being addressed by our 270,000 plus members around the world, we were concerned that we were able to show in our advocacy efforts and other media that we were following a baseline of conformance whenever our members issued an assurance report versus advisory on a particular topic. And we tried to align those topics to where we saw the greatest risk developing in the profession. So for example, the first one out the gate was cybersecurity. And we know as we looked at the way it was being done around the world, it wasn't that it was being done wrong, it was being done very differently.
(04:49):
And our standards aren't trying to replicate things that are already in place. But for example, for cyber, we would ask our members to say, follow a framework. What's your framework? Is it NIST? Is it something, is it COVID? Is it some other framework? Make sure your board, your management team agree with that framework and then go use it in audit. So was simple things, but it actually raised the bar quite a bit. And I think in a lot of the world they were already doing that. In some parts of the world, I think it will help tremendously, but they were also designed to allow members to advise versus provide just assurance. So we noticed a lot of our members would use our topical requirements to explain to management or board members that they wouldn't pass. So it takes a whole different consultative approach if you want to use it that way.
(05:36):
We've also issued one on third party risk and how to evaluate and test and look at that. And then the most recent one is on organizational behavior, which is really looking at the way an organization and its culture responds to risk. I think those were very different for us. And so it prompted a lot of questions. We don't typically have standards that relate to topics, and this was the first time that we did that. And just again, it was the right thing to do in our opinion because we were moving so firmly into that space. And in the case of cyber as an example, it's the number one risk identified 21 years in a row. So it was at that point where we needed to make sure our members had a baseline of consistency.
Dan Hood (06:18):
Gotcha. I find at some point earlier this year we had been talking about these topical requirements in the first three that you've issued. I thought they were. So I'd like to dive a little bit more into them, but before we do that, maybe we can take a step back. This is the new standards that come out in enacted this year are part of this international professional practices framework evolution and the topical requirements are sort of the next step in that. Maybe you could talk about that evolution a little bit just to give anybody the audience who's familiar with it, a little background. And then if you wouldn't mind, I'd love to dive into those three topical requirements, cybersecurity and third party risk and culture is the third one We'll start. Yeah,
Anthony Pugliese (06:58):
I mean the evolution, you're talking Dan, the evolution of how the standards gave weight to the topical requirements or why we thought we needed to do them.
Dan Hood (07:06):
Yeah,
Anthony Pugliese (07:07):
Yeah. Well, it really was based on the evolving nature of the work the profession was seeing. I mean, I think 20 years ago if we had done a risk survey and we did, you would've seen internal controls over financial reporting closer to the top things like fraud, which is still important. They would've risen up to the top. And the profession has a profound amount of experience looking at both of those, and we probably always will have that as a cornerstone of who we are. But we noted the things that our members were most worried about were not contemplated in the standards as they were originally drafted. And they've been around since, gosh, early seventies. We've had the IPPF in place and it's been evolving and it's been revised, but this time we felt a wholesale rewrite of the standards was in order. And that was what was really different.
(07:54):
And doing things like we heard a lot of, I wouldn't call it complaints, but concerns that the standards were only useful to internal auditors, meaning it was hard for an audit committee member to look at them and understand what was being attempted by following these standards. So writing them in a more, I'd say a more lay terms in lay terms versus the technical terms we might've had before allowed us to show audit committee members what we do, even the design of the overall structure. We have a section on how do you manage internal audit, how do you perform internal audit, how do you boom, boom, boom, so that the audit committee member and management could look at precise parts of the overall cycle. And that was a little bit more difficult to decipher under the old standards, which I think were last revised significantly in 2013 and then 2017.
(08:43):
So again, trying to align it to what they were actually facing. And then also to make sure things like, even though it may seem very intuitive, but you need to inform your audit committee of your audit plan and make sure that you have their support and their agreement and that you document the agreement. And that's pretty common practice in the United States and Europe and Canada. But we wanted to make sure in other parts of the world that we were absolutely raising the bar and also raising the bar for what we wanted audit committee members to do with internal audit. Because sometimes you have members of audit committees that come in that don't understand internal, but rather have had a focus in their entire careers on external audit, and they try to apply the same principles to that. So making them intuitive and making them align intuitively to the nature of work our members do is our biggest goal and the need for the evolution. So I hope that explains it a little bit.
Dan Hood (09:38):
Absolutely. I think it just gives people a little bit more of a clue. I do want to, like I said, dive into these topical requirements because they're fascinating. I think, is it eventually going to be six? Is that right?
Anthony Pugliese (09:48):
Well, we keep it open. There could be a lot more than that. It just depends. Right now we call it our global guidance Council. It's an international committee members all over the world, and they really review what we're seeing and what we call quality reviews, not too dissimilar to a peer review that would be in the external audit profession, the CBA profession. And this is where one internal auditor assesses another internal audit team's compliance with standards and other best practices. So anyway, the entire approach was to make sure that we had topical requirements that would match the issues our members were seeing around the world and making sure that we had the consistency. So if we talk to legislators or regulators, common question would be, how do you know your members do this kind of work? How do you know they're doing it well? And that's actually a very common question.
(10:44):
You're asserting that internal auditors can audit cyber, but what are they doing and how do you know? So we turned to the most logical way to approach that, which would be these new requirements based on topical areas that aligned to the most significant risks our members are facing. So that's kind of the origin of it. And we thought about that probably the entire time the global internal audit standards were under development. And that global guidance council I mentioned earlier, they developed the ones that had to go out quickly, which are our first four, and then the rest are sort of being assessed. And we try to again, make sure we align it to findings and quality reviews. We align it to our surveying, which is extensive every year and multiple times a year to make sure we were picking the right risks. So right now, four out of the door and some more coming, but not yet decided.
Dan Hood (11:33):
Gotcha. Well, if you don't mind, let's spend a minute on a couple of these, maybe cybersecurity. What are some of the highlights in that when an internal auditor opens that up and starts taking a look at it, what are they seeing?
Anthony Pugliese (11:45):
Well, it's interesting. Before members had even seen it, I think this is a normal reaction. It's like, well, all we need is another in place to do some work. But I think when they read it, we really, really tried to go for a principles-based versus a rules-based approach. And that's such a common thing in our profession, including the CPA world principles versus rules-based. It's always open to interpretation on how well you achieve that. Anytime you put the word should to some people, that means it's now moved into a rules-based approach. But if they open the cyber standard, they're going to see things like, what's the framework you're using and have you picked a framework that applies to the entirety of the operations that you're looking at? And then make sure you have that agreement across the three lines that this is exactly the model that we should be using.
(12:36):
And that way someone can't say later, well, you would've caught that if only you had used the COVID standards, or if you had only used nist, et cetera, et cetera. So they're going to see probably three pages of a required and then many pages of guidance that goes with that that they can use or not use depending on their situation. So we try to make them principles based. We try to make sure they were high level. I mean, we don't want to be going in every year and changing standards because that would be quite a heavy burden. So we wanted them to stand the test of time as well. But generally speaking, I think they're meant to be understandable. You would say, well, of course they are. But making sure a topic like cyber was understandable because some of our members have not yet moved into those new areas.
(13:21):
For example, I would say maybe in parts of Africa and parts of Asia, we still see a very traditional approach of looking at controls over financial reporting fraud and risk to some degree, but not this kind. So it also serves as a good roadmap for the internal auditor that's trying to do this for the first time. And it's important to distinguish that only if the internal auditor decides that there's an assurance report versus advisory being issued on that topic, do our standards kick in. So it's an important distinction. That's like external audit world. That's our highest form of our opinions in the assurance world, is the highest form of comfort we can give.
Dan Hood (14:00):
Gotcha. What's some of the highlights of, for instance, the third party risk requirement? Well, if they open that up, what might they be seeing? Well,
Anthony Pugliese (14:08):
Yeah, there's a lot. I mean, one that comes to mind quickly for third party is making sure that you've assessed all the different components of what could go wrong for cyber. For example, back to cyber, it seems to be all invasive and everything we're doing lately, but for example, we talk about the interconnected nature of risk and how one risk begets another, and that other risk begets yet another. And the example we've always used is rapid pivots to a new supplier. The pandemic showed that that was very commonplace and some things that get forgotten, and understandably, because of the urgency, if you don't have supplies, you don't have raw materials, you don't have the people to provide professional services, you got to move quickly or you're going to have a much bigger problem than controls. You're not going to have money coming in. But we tried to make sure that, anyway, that third party, for example, cyber, if you make a pivot into a new supplier, have you assess cyber risk appropriately?
(15:04):
Of those third parties that you're relying on, are they connected to your infrastructure? Do they follow similar standards? Do you want them to, do they have internal audit? Looking at the things that say the company you're in is worried about, not too dissimilar from a SOC opinion, but a little bit far more focused than narrow when we look at third party. So that's some of the things I'll look at. We always remind them that third party risks, we've noted since the pandemic that there has been a 300% increase in cyber attacks on the suppliers of companies that are actually the ultimate attack vector that they want to go after. So criminals have gotten smarter. So we have to, as a profession, get smarter as well.
Dan Hood (15:48):
Sure. Yeah. I want to talk just briefly. The third one I know was about organizational culture, which I thought was fascinating. Maybe we talk a little bit about, I don't think people would necessarily think of that as an area for internal audit to be thinking about. What are some of the things you might see in that requirement?
Anthony Pugliese (16:04):
Yeah, and it's interesting. Culture was one that I wish sometimes we had kept it at culture because all of our members in the US and Canada and parts of the world know what culture means. But in other parts of the world, it to the way we look at it, and we weren't trying to look at culture from the perspective of this is a great place to work, which some people immediately think that's what culture is about. And it is that angle of culture. We're looking at the organization's ability to respond to risk and the behavioral patterns in response to risk. Things like empowerment from upper management all the way through the organization and things like that. Making sure that there was an understanding that the organization when faced with a risk would be able to have a response that made sense by virtue of its culture, its risk tolerance, stated risk levels, all those kinds of things.
(16:53):
Helping employees prioritize the risks they find and understand which ones need to be elevated, et cetera, et cetera. So it's a different take on it, but the more and more we look at risk in companies around the world, the more and more we realize that the culture in that company is more important at times than all the different controls you may have on the IT side of things. If you can't respond quickly, it doesn't matter how well prepared you are, you're still going to miss the chance to mitigate the risk. So that's a little bit of an overview at a very high level. I hope that helps.
Dan Hood (17:22):
Oh, absolutely. No, it's one of those things, the idea of what culture is and what it can contain and what's underneath it continues to expand. I think for a lot of people, as you say, their idea of culture is just a good place to work, but it's so much, much, much more than that. I was fascinating when we first talked about that as a topical requirement, and I realize now that when last we spoke about this, there were only three, I didn't know there was a fourth out. What's the fourth one?
Anthony Pugliese (17:45):
Sure. And it's currently still in the drafting phase, and we're still getting feedback from all of our national institutes, those 118 countries that we work very closely with as part of our federation. But when we look at resilience of an organization, we're looking not at the cultural aspect, the ability to respond, the cultural is management, allowing responses, is it too much red tape, too much bureaucracy, things like that. Resilience is all about things like skillsets and capabilities and the ability of the organization to respond without regard to the cultural element of it, but actually the hardcore part of it. Thinking about things like even ai, having the right skillsets within a company that's challenging but looks at it from a more practical dimension. Culture is a little bit of a softer measure, which is also important that we had guidance and standards on that, but it's looking at the resilience, the ability to respond effectively.
Dan Hood (18:37):
Excellent. Alright. We've been talking a lot about risk and I want to dive more into that topic. I know you have some thoughts, did some recent survey? Did a recent survey on it, but before we do, we're going to take a quick break.
Alright. And we're back talking with Anthony Pugliese of the IIA. One of the things that's come up, I mean in the background of all this has been, and sometimes in the foreground has been risk and managing it, mitigating it, understanding it, figuring out where it's coming from and how organizations can deal with it. And I know that you all recently conducted a major survey of senior auditors, something like 4,000 of them on that. Maybe you can talk a little about some of the key takeaways from that.
Anthony Pugliese (19:22):
Yeah, so we call it our risk and focus report, and it is very global. It's probably even more than 4,000 because some of the responses came from very large, what we call service providers. For example, a Deloitte Protiviti. So they're kind of speaking for many companies at the same time because they're looking at 'em all at the same time. And we do it by region as well. We have regional bodies to manage. I ias 118 countries. We have Africa, Asia, Pacific, Europe, Latin America, middle East and North America or regions. But at the composite level or the global level, we saw a lot of things moving around from even last year. So for example, geopolitical risk is the highest increase from what we saw in 2020 fours report, which makes sense given the world we live in. I guess I don't have to go into detail on why that one has surfaced as a much bigger risk.
(20:12):
I mean, you've just got everything, tariffs and all the different aspects of that and every other policy change, not just coming from the US but from coming around the world and how does an internal auditor kind of look at that and prioritize it. But for our members, it was the biggest increase. It's not quite in the top five, but it increased quite a bit from the year before. So that was the biggest jump. Another one we saw was very much not a surprise was digital disruption. And in that we included artificial intelligence, and I think we're going to separate those two so we can get more detail on AI in the future. But that was the second biggest move up on the list, which tells us a lot about current practice. But if you were to rank them in order it's cyber, then digital disruption, that business resilience, again, that's how we found our way to the topical requirement. And human capital was another big one is making sure an organization has the qualified people to work in it, but that's a little bit about the risk. Then we did not see much variation from that as we went from region to region. We may have seen some things move one or two notches, but cyber stayed the same in every region. And for the most part, the top five stayed the same. When I say the same, exactly the same. Were moved around just a little bit. Everybody looking at the same things. Yeah, go ahead.
Dan Hood (21:33):
Yeah, it's fascinating that those risks would be so similar so far across the world. You would think in some cases that might vary, but that's interesting to, so in general, I mean as we've talked about the breadth of the I A and how far a field so many of your members are, it's got to be difficult to manage a single set of practices and strategies and approaches across the entire world. Do you find significant differences between regions? Does it tend to be regional? Does it tend to be national or is it tend to be, where do the differences tend to come from?
Anthony Pugliese (22:14):
You mean just in terms of the profession in general?
Dan Hood (22:16):
Not just in terms of the survey, but yeah, in terms of the profession in general.
Anthony Pugliese (22:19):
Well, so when we speak of regions, I think we think of North America as a region, which for us also it's Canada, the United States and the Caribbean, all those are what we classify as North America. And then everything falls into Latin America for another regional look. In Latin America, we seem to see a lot of national approaches, which is appropriate because the governments are so different. And Europe, of course, there's the European Commission, and even though some European countries may not belong to the commission, they tend to follow a lot of the requirements that kind of trickle down effect that you hear a lot about Africa. We seem to see more of a homogenous for an entire continent. That's interesting. And Middle East, we can also look at almost in a homogenous way because some countries in the Middle East sort of lead with the approaches that they fall and the rest kind of come behind.
(23:10):
It depends on the region. Asia is probably where you see the most vast differences in the profession as you go country to country. You look at China, you look at Japan, you look at Thailand, you've just got differing approaches, different forms of government that are in place that really change the way the profession looks. For example, in China, we enjoy a very large profession because it's required in many industries. So you see it just very different, much larger in other areas, it's more developing. But that's generally the way we see it. And all of them, we tailor each of our regions to make sure that our global headquarters, which is what we have here in Florida, is responding to those needs. So we have regional groups within our structure that make sure we're catering to those needs and make sure we're hearing them
Dan Hood (24:00):
Right. Let me just follow this up for a second, because fascinating, there's very few accounting organizations that have the global reach that you guys have. Do you have a sense, do you think that over time, not obviously in the near term, but over time, would you expect internal audit to converge largely across the world? Both in terms of obviously you're trying to do that with the standards and so on, that you're promulgating, but in terms of governments reaching out and saying, yeah, you know what, everyone should kind of use the same sort of internal audit standards and approaches?
Anthony Pugliese (24:32):
Yeah, we're very careful about wanting anything to be legislated into existence because we all know from experience, maybe it's the uniqueness of the United States and my time working at the AICPA, that can come with a lot of baggage over time, over decades. I don't want to leave behind like, yay, I got the profession legislated into existence and a hundred countries, but now we're subject to a hundred different sets of national laws that make it a lot more cumbersome and inhibit growth. But generally speaking, we don't advocate for that. But when we do see it happen, we have to go in and support it. For example, in the kingdom of Saudi Arabia, it's required by law and that's a good thing. And it has even a ministry of audit. So that's just the minister reports to the king, and that's about as where do you see the profession really run?
(25:26):
Well, I always think of that. That's a great model, but it just changes. But the Middle East kind of follows that pattern. But Saudi Arabia, we work with them whenever they have a change and we have to pivot into a new approach. If we're looking at countries that are not like that, we tend to go after changes that are more geared toward thought leadership or getting national governments to adopt our standards, which will then cause a triple effect and to other parts of, or other sectors of that country's economy using the same, just using our standards more and more aggressively, making audit committees more aware of what we do is another big approach. But the thought leadership with organizations like the World Economic Forum or OECD, the European Commission, those tend to have the hits that we want to further the cause of internal audit versus going right after, let's make it a requirement in this company.
Dan Hood (26:20):
Right. Very cool. Excellent. Lemme pivot a little bit. I know y'all recently stood up the Global Audit Committee Center. I think you could tell us a little bit about that, what it's for, what kind of resources you have, that sort of thing.
Anthony Pugliese (26:34):
Yeah, we did a survey. It came out in 24. It was all of part of 23 into 24 called Vision 2035. And I know a lot of organizations do reports like that, but trying to understand what would we look like in 10 years time and what are some of the challenges and do we like where we landed in 10 years and what could we do to correct that or change the outcome from where we are now? And as we were looking at that, it became clear that perception of internal audit is our number one issue. And when I say perception, meaning it's not bad, it's just not anything. In some parts of the world, there's not a strong understanding of what internal audit is. And one of the very places that we find that, not the most, but commonly is in audit committees. They're more geared toward dealing with the external function than they are with the internal auditors.
(27:23):
So we need to make some changes as it relates to that. And the best way to do it is to get to the audit committee members. And a lot of the big firms have board centers, board of directors, and they work within a c, d and other groups. But we particularly want to go after audit committees given what we do, and make sure they're educated and have tools to understand our standards, including the topical requirements. Understanding that the role of internal audit has grown a lot. One thing we hear from parts of the world is that they don't even ask us to do this work. I want to do cyber, but the audit committee doesn't know I can do cyber or they're not used to internal audit doing cyber. So we want to change some of those perceptions because in reality, we do all this work and we do it quite well, and we just need to make sure that that perception is, if it's nothing, we need to lean it into positive and a strong understanding of the depth and scope of what internal auditors provide.
(28:18):
So the center gives us that kind of a platform, and our job now is to make sure we get all the resources into it that'll match global demands. We want it. It is a global audit committee resource. It's designed for everywhere around the world. And if anything, countries will have higher requirements than what we put in there, but we wanted to really help audit committee members understand it and hopefully other people understand it as well. But we're giving it, there's a big kickoff occurring in January in Washington, and we have over a hundred chief audit executives coming in from all over the world, from some marquee companies, and it's just a kickoff and an announcement of what we're going to be doing, but it is created, we have a web presence, but it'll really kick into high gear in the first quarter of next year.
Dan Hood (29:05):
Cool. A lot of exciting things going on in the world of internal audit.
Anthony Pugliese (29:08):
There is luck.
Dan Hood (29:10):
Excellent. Well, Anthony Pugliese of the IIA, thank you so much for joining us.
Anthony Pugliese (29:14):
Thank you, Dan. Thanks for having me.
Dan Hood (29:17):
Thank you all for listening. This episode of On the Air is produced by Accounting Today with audio production by Adnan Khan rate to review us on your favorite podcast platform and see the rest of our content on accounting today.com. Thanks again to our guest and thank you for listening.