Anthony Pugliese of the Institute of Internal Auditors discusses how changes in the business landscape are changing the risks that internal auditors need to pay attention to, and how the IIA is revamping its practice framework.
Transcription:
Dan Hood (00:03):
Welcome to On the Air with Accounting Today, I'm editor in chief Dan Hood. The business landscape is changing more and more quickly than ever, and that means that internal auditors need to be ready to face a more varied set of new business conditions and thus new risks. Here to talk about all that and how the internal audit profession is responding is Anthony Pugliese, he's the president and CEO of the Institute of Internal Auditors. Anthony, thanks for joining us.
Anthony Pugliese (00:23):
Thank you for having me. Dan,
Dan Hood (00:25):
I want to sort of start with, we're going to get into, you guys have been overhauling your sort of standards, but we're going to get into that more deeply. But want to start with the sort of 10,000 foot view of the big changes you're seeing in the business landscape and how they're impacting your members.
Anthony Pugliese (00:39):
Like many professions we're being impacted by all the I'm, when I say all the stuff, I mean literally all the things we read about in the news from technology all the way to the geopolitical and political issues. So we get hit with cyber issues is probably one of our biggest issues. E S G is hitting our profession. I say hitting in a positive way. It's affecting us in the sense that we're being asked to do so much more. Data privacy fraud is on the rise, kind of post pandemic. We're hearing a lot from governments around the world about fraud. So all those issues are becoming something that internal auditors are being asked to step forward, work with management, work with boards of directors around the world to help, to help and provide insight and assurance and advisory services.
Dan Hood (01:22):
I'm glad you made that sort of distinction. There's a lot of changes. I made it sound like there's storms brewing all over place A, and to be fair, there are, but a lot of these also become with opportunities in the right ESG as a, there are opportunities for, we talk about this in the broad accounting profession. It's certainly true for internal auditors as well as a chance to step up and provide extra value and to demonstrate their value and their worth of the organization and to help protect the organization and further its missions. Are there some of those changes, those that you see as particularly as risks?
Anthony Pugliese (01:50):
As risks? I think it would probably go to something pretty germane that again, I, I'm seeing across many professions, which is, I go back to the example of when I graduated from college 1989. So I think about the things of people in my generation left colleges and universities, understanding and knowing that need to upskill for so many people, whether you're in the legal profession, medical internal audit, external audit, you name it. This need to upskill into new understandings that how many people understand how to test artificial intelligence when it's used in a business. So the biggest risk is that we don't seize the opportunity to upskill our profession, take advantage of what we're being asked to do because if we do these things, we will evolve. We already have started to evolve. It's become a number one priority for i a to help in that upskilling task, which is daunting for any profession. So I'd say that's the biggest risk really.
Dan Hood (02:47):
That's pretty huge. And it's interesting. I mean you talked about grad, I graduated in 19 9 89 as well and wasn't an internal auditor. I'm still not an internal auditor. But even that, I mean the differences between then and now are enormous in every profession. I know they're enormous in internal audit. I know they're enormous across accounting. What's fascinating to me though is you talk about some of the changes in the landscape that you mentioned earlier. Many of those are fresh and what I was just sort of look ahead, you sort of expect to see similar things popping up on a fairly regular basis as we go forward. Does that mean the sort of upskilling you're talking about, is that a constant kind of thing that people are going to have to be doing as I think a lot of people look and say, well if I just get up to speed on this, I'll be okay. But it seems like you're people are just going to have to constantly keep learning and relearning and upscaling on a constant basis.
Anthony Pugliese (03:35):
I believe so, and I always tell members because it's such a daunting thing to come up to speed or to come up to speed on so many of these topics. We aren't expecting any member of our profession to be a jack of all trades. Understanding the entire landscape, for example, blockchain is pretty important, but when it comes to crypto, not every organization is investing in crypto right now. So that might not be a priority. Everybody should be upskilling in cyber because that is a priority. So it depends. I think it's depending on who you work for, there's going to be an urgent priority to keep up to speed on certain topics and then there won't be as big in others. A lot of our members are internal audit firms that have been sourced or outsourced. A lot of public accounting firms do that. I think they probably are going to be faced with maybe a greater array of skills that are needed.
(04:29)
Well, our chief audit executives because, and those are the members that are working inside of an organization where they're going to be looking out to understand the risk horizon and understanding of when will this impact us and how might this impact us. I think about this great example of chat G P T. All of a sudden artificial intelligence has become so real and we're hearing a lot of members say, what do we do with that? And that's something I would expect a chief audit executive to begin looking at as well as staying abreast of other things like just laws and regulations that impact some of the things they know now already. Great example is E S G and data privacy where we're seeing literally the entire world engaging on those two topics in fraud at the same time legislatively regulatory wise. So it's the topic itself, but it's also how the topic is being interpreted by law and that impacts compliance issues and a whole sort of slew of things. So anyway, I hope that answered the question.
Dan Hood (05:33):
Yeah, yeah, no, it was great. It's great stuff. It brings up a point for me. You mentioned sort of the need to look forward to look forward and see a lot of risks. We're seeing this across counting, and I imagine the similar thing is happening in internal audit is that there's a shift, a shift from a lot of these different roles of being compliance based, I don't want to say backwards looking or historically focused and more of a shift towards looking forward and proactively helping the business therein look forward and be ready for what's coming down the pike. Do you see a similar shift in internal audit?
Anthony Pugliese (06:05):
Oh yeah, and I think we're all sick of talking about the pandemic probably, but I do think that was a proving ground for that. It has all of a sudden everyone looked to internal audit to help understand what do we do now, whether it was the supply chain issues, whether it was the increase in cyber attacks, the monies that were received from the pandemic, it was really a need to be forward looking and I think our members were forward looking, but I think it really changed things quite a bit and it will forevermore. I think that hasn't, that's not going to go away. If anything, it made us more aware of all the risks that we should be looking at as a profession and helping advise management on how they should be looking at those risks. I always like the third party relationships is one that I think the pandemic particularly brought to light as the whole supply chain kind of shut down and you couldn't get stuff to make the stuff you make, you couldn't get the talent to do the things you do.
(07:01)
I think all of that became very clear that risk horizon is a very different thing now than it was, and members have done that well for a long time. But that particularly brought it front and center because now audit committees and entire boards of directors are being asked, not just because it's the right question, but they're being asked by shareholders, how are you looking at all this and how are you thinking about it? E S G is no longer a topic of, I hate the expression, but like tree hover. That is not what it's about. It's about the creation of value. I mean, companies that do it and do it well tend to get shareholder wealth maximized and they get people that are happy and generations of people are looking for companies that do that well. So it's a whole different slew of things that are coming into focus for us as internal audit, same as the account profession.
Dan Hood (07:50):
Well, in all kinds of ways in which you can add value, and that seems to be the upside a lot. Obviously there's a lot of work involved in terms of even just with E S G, they're standing up with those systems, improving those systems, the reporting systems that go into them, making sure they're working, making sure they're delivering what they're supposed to deliver, et cetera, et cetera. That's a huge amount of work and going to be a lot of responsibility for everybody involved, including internal audit. But then the upside, as you say, among other things, even just for recruiting and retention purposes, it's enormous. And we all know what a nightmare recruiting retention is for everybody. There's so much upside to this and so much chance for the profession to prove its value to and enhance its value to the organizations that works for either outsource or an inside basis. Do you see other, as you look forward, well, are there other things you see for the profession, other ways it's changing other than this, a higher emphasis on forward-looking thinking and on an increase in the value it's providing?
Anthony Pugliese (08:46):
Yeah, well, one thing I'm seeing that probably isn't too obvious to a lot of folks in the United States is how rapidly the profession is growing outside of America. And that's happening a lot in part because of the way a lot of countries, regions are looking at the value of internal audit. For example, in Africa, after the pandemic, there has been as many countries and regions and increase in fraud. And as companies and countries start to crack down on the fraud, they're turning to a more formalized profession to assist in that. And external audit has a role in that. But of course, internal audit is 365, 7 days a week, 12 months a year. They're always there. So we're seeing ministers of finance, we're seeing other government agencies across Africa asking us to help them in further establishing the internal audit profession. Similarly, we have economies, entire regions that are undergoing economic change like the Middle East where they're mandating internal audit.
(09:44)
And that's from the perspective of, I mean they believe internal audit provides a valuable risk management tool being in existence to help manage the investments that a lot of the Middle Eastern countries are putting into their economies to become lost reliant on oil. So that is a kind of change that we're very much enjoying and watching is helping the profession literally develop and grow very rapidly. Sort of like the growth we saw in the United States after Sarbanes Oxley in the early 2000, it was an unexpected change that happened so quick and internal audit grew so rapidly, but we're seeing other reasons and other catalysts cause a profession to grow right now around the world. So with all the problems that we have and opportunities that we have and risks that we have, they're filling that talent gap with a range of people. Accounting was one of the traditional sources of internal auditors.
(10:37)
I mean, a lot of people that had accounting backgrounds would move into internal audit because they were exposed to it. Now, just like external auditors, were seeing engineers, mathematicians, people of all walks of life in education becoming internal auditors because there, there's value in that. It's not just a shortage of accountants that's providing that, but it's also looking at the fact that people with different backgrounds can be analytical and can be the world not just in shades of black and white. Not that that's what accountants do because I am very much one as well as an auditor, but they world for the gray that exists in between and that's very, very valuable. So we're watching that change right now as well, very quickly.
Dan Hood (11:16):
Well, it's interesting. I think it's, it is, it's a realization that that needs to be had across accounting is that there are lots of things in accounting of all kinds, whether we're talking internal audit routes, external audit or account just accounting or tax work. There's all kinds of work that can be done by other people. Other people can have similar or adjacent skillsets and to solve the staffing problems we're all facing, they're going to need to do that to be as open as it sounds like internal audit is to bring it in. People with often complimentary mindsets and complimentary skillsets that will help it out. So that's great to hear. Very cool. I know you've been in the midst of an overhaul of some of your standards. I want to dive more deeply into that, but before we do that, we're going to take a quick break. Alright. And we're back. We're talking with Anthony Pese of the In Institute of Internal Auditors. We've been talking about the risks facing just the economy's whole businesses as a whole, how that's impacting the internal audit profession and internal auditors, what their future's going to look like. I want to dive a little bit more specifically in the fact that you're in the midst of overhauling your international professional practice framework. And maybe you could tell us a little bit about that and what, first off, maybe what drove you to that overhaul?
Anthony Pugliese (12:27):
Understanding the changing needed to the environment and where our standards needed to head was sort of the reason we first started asking our members. And when I say our members, I mean our presence in 115 different countries around the world. So we enjoy a 230,000 plus membership and have a national presence in each one of those countries. So we're able to get really kind of deep within any national infrastructure and ask, what do we need to do? What are you seeing, what are you experiencing? And where did the standards help and where could they stand to be improved? So we heard a lot of feedback. One was that there was a need to kind of simplify the structure itself, reconsider it so that it flowed better and was easier and more intuitive for those entering the profession. And so that it could also be explained in an easier way to audit committees and boards and to management some clarification, the alignment of elements within the standards.
(13:18)
And probably one of the biggest I maybe should have mentioned at first is that they wanted standards that were a lot more timely in that covered emerging issues area by topic like cyber, like E S G, like fraud, all the different things that we've spoken about so far. They wanted them to be practical and applicable regardless of size industry, they should work at a theoretical level for public sector, financial services, healthcare, understanding. There are nuances in each of those industries, but generally speaking, standards should work for all the organizations and size. And then they asked us to be far more active, a global, to serve in a more active role of educating all the people that needed to be aware of our standards, not just the, I'll call it the new version or improved version, but that they existed and that they were serving a very valuable roble. And I think that was something we saw as an opportunity and we've really seized on it well before the standards were finished and have developed a team that's devoted to talking about them and making sure that stakeholder groups understand what our standards are all about. Alright.
Dan Hood (14:27):
Well I want to get into some of the specific changes or specific things you've done in the change in the overhaul, but before we do that, maybe talk about is this, I, I'm sure the standards have been overhauled from time to time or looked at it from time to time. Is there anything different about this current effort, that different approach you've taken or anything like that that would make it stand out?
Anthony Pugliese (14:44):
Yeah, I think one of the things that we did well in the past, the process we had served as well and that was what we would call re-look project. So we would make changes to the standards, time would pass, and then we would look to see where they needed to change based on what had happened in the world. So for many years through the nineties, early two thousands, that worked because a re-look or a refresh process was okay, but as we see a landscape changing so quickly, we need a standard setting process that's more prospective, that's looking into the future so that we're thinking about standards before they're urgently needed in the field, so to speak, by our members. And I think having a new process where a standards board is looking out into the future and understanding what needs to happen, what are the trigger points for a standard, what are the things that we're seeing and hearing and why would that relate to a standard, some other form of documentation or guidance before it becomes a standard.
(15:43)
All that is different. The whole process we use to assess standards has changed. So our standards board will meet regularly to look into the future and write standards, and we actually have a list of the standards that we think we need that haven't been drafted yet. This is the first exposure that will be further exposures of different standards to come. So I'd say what's changed is pretty basic, a very active standards board that we'll be meeting and looking into the future instead of a refresh process we've used in the past, which worked, but now we think we need something very different.
Dan Hood (16:17):
Right. Well as you mentioned, you talk about all the things that the membership wanted you to be timely on. There's are sorts of things we expect in three to five years. There'll be a whole nother set of those similar, who knows what the issues will be, but there'll be just as we'll need just as much guidance, just as much help with 'em. So a sort of constant process makes some sense. Maybe you want to talk about some of the big changes that that's come through this particular round or the That's in this particular exposure draft.
Anthony Pugliese (16:40):
And I, I'll have to admit, I really love the standard setting process. It's been a big part of my career. I'm going to try to summarize these at a high level I mentioned before to simplify the structure. So we're going to see a far more, I think, intuitive approach to how it looks, how the standards look, consolidating what we had as our six existing elements into new standards that include a mission, a definition of internal audit that's been changed, code of ethics, core principles, standards, and what we call implementation guidance. So consolidating those and creating also a new section on the purpose of internal auditing. Believe it or not, that was something we saw a lot of need for change on, meaning what is the purpose? And the purpose has changed quite a bit over the years. We're seeing a evolution of the profession. It's changing.
(17:33)
Maybe some people believe it's rooted in compliance. And if that was the case, it's not anymore. We offer advisory and assurance, just like you hear from the external firms that do work or the external accountants. We also enriched the ethics and professionalism section by adding due professional care. Something that we leave is very important, was something that we needed to clarify. We made sure we interpreted what we wrote were the public sector and for the smaller internal audit shops versus the really larger ones. And we clarified the meaning of advisory services and what advisory services could be, what would comprise of, before we called them consulting and we thought consulting sent probably the wrong message. Advisory was more in tune with what we were doing. So we changed that and we also changed the board's role in governing the internal all audit function. So that resulted in what we call five domains, Dan.
(18:31)
And these are kind of the intuitive part we hope. Well, where our exposure draft is out there, we've gotten very close to them. So I'm hoping we had a very large pre-exposure period as well, meaning we did a kind of friends and family approach of bringing our stakeholders very close, asking them what they thought of the pre-exposure draft, did they have any input, et cetera. And we incorporated all those thinking, all that thinking and ideas into what we put out for public comment. But our five domains are what is the purpose of internal audit ethics and professionalism? How do you govern the internal audit function, which speaks to the audit committee and to the chief audit executive managing the internal audit function and then performing internal audit services. So those are the five domains that we're exposing right now. And what we're working on are really a subset of that. Last one, performing internal audit services. And we're going to look at what we call topical requirements. So in the performance of internal auditing services, how do you audit cyber, how do you audit E S G, how do you audit fraud, risk management? And the topics go on and on. So we're going to prioritize that next tier of standards, which we call topical requirements and start the draft process, which has actually already begun.
Dan Hood (19:48):
One thing that emerges, this is a fairly serious overhaul. This is not just, hey, we're coming up, we're tweaking A couple of things here. As you say, it's not a, I don't want to call it a re-imagining, maybe it's not quite as strong as that, but you really sort of went down to the foundations and sort of looked at everything and reordered it in a way that made sense for current situation.
Anthony Pugliese (20:06):
We did, and we wanted the final product and we realized exposure period is going to be through the 90 day period, ending at the end of May. We wanted to make sure that we could have a set of standards where we could ensure the conformance of the standards across the world, that they were a little bit more succinct in how they could be understood and read and interpreted. We wanted to make sure that what our product was, the final standards were actually going to enhance the quality of services that our members delivered because they provided more clarity and they provided more data on the topics that they were encountering. And enhancing quality also means delivering value. We don't want just to have a better internal audit function. We want it to actually be a function that delivers value, which we believe almost all of our members do.
(20:51)
But in this day and age where we're seeing so much change, how do you deliver value that I can't wait to get that report from internal audit because it's going to tell me something about my business that I maybe didn't think of or I thought of it differently. This is going to be a new perspective. And I mentioned before, we want to set a standards where we can really drive recognition. So that's going to be a part of the product as well as now do we have them? We'll see what we get from comment period to through the end of May, but we going to drive the recognition of them around the world.
Dan Hood (21:22):
Very cool. All right. So you mentioned comment period ends a around the end of May, and then I assume there'll be some taken into account people's comments, et cetera, et cetera. And then a final, do you have a sense of when this particular set might be finalized?
Anthony Pugliese (21:36):
Sure. We're looking during the fourth quarter of this year, I, I've learned not to give a specific date. We kind of have a date, but let's say in the middle of the last quarter of this year, we'll issue them in their final form. And that includes all the due diligence processes we have to take through our governance structure, which illuminates in our global board of directors, approving them and approving them for issuance. And then from the day they're issued, there's a one year date until implementation is required. So a one year period to implement. So it would be effective the fourth quarter of 2024.
Dan Hood (22:10):
Gotcha. And then as you say, you've already started looking at other, other specifically topic-based, other standards to be set up. So it's going to be a continual sort of process from here. Maybe not as quite a big lift as this first set was, but
Anthony Pugliese (22:25):
You'll see a lot of standards rolling out from I a one by one on topical areas, and we want to do it carefully so we're not putting dozens into the market on tons of technical topics, but do them in a calculated wave based on what our members need the most. And I would expect E S G, cyber data privacy are all going to be at the top of that list. Fraud, risk management, all things that we would look at in this first pass.
Dan Hood (22:49):
Alright, well it's taken on plenty of of tasks, so it sounds like you're very busy. So I don't want to hold you too long, but do you want to just give a final chance, any final thoughts on where the internal audit profession is going or where you hope these standards take them?
Anthony Pugliese (23:05):
I think the standards are going to take us to a whole new place in terms of our ability to provide services in a consistent way around the world. And that's really important to us. So that audit committees, no matter where they are, can expect a similar consistent result when internal auditors are involved. And I think it's going to be very useful, if not imperative, that they have these standards because our members are embracing the change. They are involved and the standards provide a pathway for that. And they also help us to none ton of other ways, our advocacy efforts, our student recruitment efforts, it changes the nature of our CIA exam, our flagship exam. So a lot of different things will change as a result of this. So it brings us into the future in a very quick way. So we're very excited about this.
Dan Hood (23:45):
Excellent, very exciting stuff. And for those who want to see you, as you said, you can take a look at em, you get a chance to comment on it through to the end of May. But in the meantime, Anthony Pugliese of the IIA, thank you so much for joining us.
Anthony Pugliese (23:54):
Thank you, Dan.
Dan Hood (23:55):
And thank you all for listening. This episode of On the Air was produced by Accounting Today with audio production by Kevin Parise. Rate and review us on your favorite podcast platform and see the rest of our content on accountingtoday.com. Thanks again to our guests and thank you for listening.