Editor’s note: Over the next several weeks, we’ll be sharing interviews between Conselium’s Managing Partner, Maurice Gilbert, and experts in governance, risk management and compliance. Each have valuable insights to share. We hope you enjoy hearing from these thought leaders!
Maurice Gilbert: You spent several years as a leader in the military. How did military leadership skills translate into audit leadership and subsequently to your leading the IIA?
Richard Chambers: Actually, I wasn’t “in the military,” per se. I was a civilian auditor working for the U.S. Army for 21 years. During that time, I had the opportunity to work alongside many great leaders. At one point, I worked directly for General Colin Powell, as head of his command audit program. Having a chance to watch some of our nation’s great leaders reinforced in me the kind of traits and characteristics that it takes to be a leader.
Perhaps some of the most valuable time that I spent around the military was the opportunity that I had to attend a yearlong army war program in Carlisle, Pennsylvania. The program wasn’t about fighting wars or warfare, but about creating strategic thinkers out of military leaders so they can move into positions of greater leadership and responsibility.
MG: What trends have you observed the past 10 years in the audit profession?
RC: Perhaps the most overarching trend is the significant strides that the profession has made in terms of its stature. Ten years ago, we were emerging from an era where internal auditors were viewed largely as a “back office” function, with limited access to the boardroom. Then came the calamities of WorldCom, Enron and all of the other corporate failures around the world. This 10-year odyssey has been one in which internal audit’s value has been recognized both in the corporate governance structure and even to a greater extent by senior management.
I’ve also seen internal audit become more risk-centric. Ten years ago, risk assessment and risk-based audit planning was viewed as a leading practice. Today, it’s very much a fundamental practice, and leading internal audit groups are doing more continuous risk assessment.
During the past 10 years, internal auditors also have made significant strides in our ability to audit business and strategic risks. We’d always been somewhat effective in auditing operational, compliance and financial risks. But as risk management itself has become more sophisticated and matured in a lot of organizations, we’ve had to demonstrate the ability to step up and provide assurance around the overall effectiveness of risk management, particularly as it pertains to business and strategic risks.
MG: As a former auditor myself in public accounting I always thought that the large CPA firms had a flawed model in having inexperienced junior auditors capturing data to be reviewed by the more senior professionals, inclusive of partners. How can a relatively junior auditor have the experience to know if something is fishy? What is your own assessment of this model?
RC: It’s not uncommon for the inexperienced, junior auditors to capture the data. The senior auditors then review the data and do the analysis that allows them — based on their experience and their seasoning — to identify whether there are any areas warranting further review.
Junior auditors can get more experience through active involvement. Rather than having junior auditors capture the data and then hand it off to someone else, it’s preferable that there be more collaborative instruction from the senior auditors to help those who are inexperienced and who haven’t had the opportunity to know how to do the analysis.
MG: What do you see happening in the audit profession three years from now?
RC: The environment around internal auditing is a little like the weather: If you don’t like it, just stick around and it’ll change. What will happen is somewhat speculative. No one predicted in 2001 that by 2004 we’d be neck deep in auditing financial controls. No one projected in 2007 that by 2010 we’d be up to our ears in auditing operations to identify cost efficiencies and effectiveness. Because internal audit is risk-centric, we will follow the risks. And unless someone has a crystal ball and can identify what the risks are going to be in three years, any effort to predict exactly what will happen with the profession is speculative.
That said, I do believe that we are likely to see greater emphasis on providing assurance around the effectiveness of risk management. We are continuing to see enhanced risks around regulatory compliance. And where there are risks, there is apt to be internal auditing because, as I’ve said, internal auditors should be following the risks. We’re also likely to continue the trajectory of greater use of technology.
MG: The IIA provides a great service to its membership with educational opportunities. What else does the IIA offer its members to further their success individually and to promote the profession as a whole?
RC: Perhaps the most valuable service that we provide in terms of fostering professionals’ ability to further their success as individuals is our certification programs, which demonstrate a level of proficiency. We offer the Certified Internal Auditor as well as a series of specialty exams, the newest of which is the Certification in Risk Management Assurance. To date, more than 13,000 individuals have achieved the CRMA worldwide.
In terms of promoting the profession as a whole, there’s an entire level of IIA service and commitment that our members may not see on a day-to-day basis. We have very robust advocacy programs, both nationally and globally, and we’re making great strides in reaching out to our key stakeholder groups and raising the awareness about internal auditing.
MG: What do you see the role of internal audit is in relationship with the compliance department?
RC: The Three Lines of Defense model illustrates this relationship well. The model depicts three groups on which senior management and the board can rely to detect and address risks: 1) operating management, 2) risk and compliance functions and 3) internal audit.
The compliance department is a very important element in the second line of defense. It’s one of the important elements of a system of governance, risk management and control that management designs and implements to ensure the mitigation of key risks related to regulatory and other compliance. Internal audit comprises the third line of defense. It’s very important that you have coordination and communication between the second and third lines of defense. If the compliance function is not aware of what the internal audit function is covering, and vice versa, you’re apt to have overlaps in coverage (which is inefficient) or gaps in coverage (which is even worse). When there are gaps in coverage, the two groups are like “ships passing in the night,” each side assuming the other has dedicated resources to address certain elements of risk.
MG: You do a considerable amount of public speaking and authoring. What are you most passionate about in your presentations?
RC: I’m passionate about the fact that internal auditing is a profession. When internal audit is adequately resourced, given the appropriate level of independence, and given the freedom to carry out its responsibilities, it can bring extraordinary value to the organization that it serves. It’s the hundreds of thousands of internal auditors around the world who inspire me every day by the work they do.
MG: You have built the IIA to over 180,000 members throughout the world…do you see additional growth opportunities? If so, what are they?
RC: We’re very gratified to have 180,000 members in 190 countries around the world. And we recognize there are opportunities to grow our membership even further. No one knows precisely how many internal auditors there are in the world. But I think it’s safe to say there are more than 1 million. So, there is a significant opportunity to bring additional professional internal audit practitioners into our ranks.
Regardless of whether internal auditors chose to belong to The IIA or not, however, they can rest assured that we are representing this profession. The IIA is not only serving its members, but we’re advocating on behalf of the entire internal audit profession.
We see huge opportunities in the public sector, where government auditors labor every day as the guardians of public trust to help maintain citizen trust in government. We also see opportunities in the financial services sector, which has been so depleted in recent years in terms of public and shareholder confidence. The IIA will continue to focus our efforts where these opportunities exist.
During recent years, we have seen extraordinary progress in developing regions of the world. For example, we have Institutes throughout Africa, where the profession is burgeoning. And currently we’re witnessing the future great economies of the world making the kind of progress that we saw in the western part of the world during the last century. The IIA is positioned to support the internal audit profession in those regions.
Richard F. Chambers is President and CEO of the Institute of Internal Auditors, the global professional association and standard-setting body for 180,000 internal auditors in 190 countries.
