A broader array of skills: after years of narrowly focused compliance work, many audit departments are seeing a shift in priorities and a new set of skill requirements.
What they are finding is that the often narrow, mechanical nature of Sarbanes-Oxley testing has created a skills gap--particularly with newer internal audit staff members whose professional experience has consisted largely of Sarbanes-Oxley-related work. This gap has surfaced in a number of competencies, including analytical thinking, risk assessment, and operational audit experience.
The skills gap is becoming more apparent as internal audit departments "rebalance" and tip the scales back toward mainly traditional internal audit activity, with a reduction of time and resources devoted to Sarbanes-Oxley. Because the act shifted emphasis from the traditional audit skills to a specific focus informed by Sarbanes-Oxley concerns, nonmanagerial auditors often display what one audit executive calls a "compliance mind-set."
"The way they approach an audit can tend toward form over substance, emphasizing, for example, whether something was done at all rather than how it was performed," says Sebastian Bufalino, vice president of corporate audit at medical products and services company Baxter International, headquartered in Deerfield, Ill. "Having spent less time performing substantive audits, they think that if you can 'check the box' on compliance, the job is done, as opposed to using a healthy combination of control-based and substantive auditing."
But a mind-set that is tightly focused on compliance, to the exclusion of broader business risks, is not consistent with the emerging role of internal auditing in the post-Sarbanes-Oxley world. In addition to returning to more traditional operational functions, audit departments are expanding their roles across the broader governance, risk, and compliance landscape. Increasingly, internal auditors find themselves communicating with a wide range of managers, both within and outside their organizations, about complex operational, compliance, and financial issues as well as risk management. Audit practitioners must broaden their skill sets to execute their evolving responsibilities successfully.
OUT OF BALANCE
For many auditors, the broad coverage requirements of Sarbanes-Oxley work provided a tremendous opportunity to understand financial reporting assertions and risks and to apply The Committee of Sponsoring Organizations of the Treadway Commission's Internal Control-Integrated Framework. But the underlying control design assessments and related transaction testing became overly prescribed. The typical Sarbanes-Oxley approach focused on standard control sets and sample sizes, while testing was designed to look for evidence of sign-offs versus re-performance.
"The typical narrow auditor experience with Sarbanes-Oxley testing was caused by the phased approach applied by most companies," says Mike Keps, managing director of risk consultancy Protiviti. "Risk assessment, process documentation, control design, control evaluation, test plan development, and testing are typically done in distinct phases and approved by the Sarbanes-Oxley project management offices. The average auditor will participate in process documentation and testing, but not always for the same processes--they are handed their small slice of the effort and asked to execute." Although this was, in many cases, the best approach, Keps notes that it was much different than internal auditing, where senior auditors typically perform a wide range of activities that includes risk assessments, research on issues, planning, control assessments, testing, and communicating audit results to management.
This more complete, comprehensive experience requires auditors to bring a broad array of skills into play, Keps says. "It allows them to think in the field, influence the work scope, make decisions on the fly, and proudly present the results of their work. Contrast the two types of experience, and there should be no doubt why auditors dread Sarbanes-Oxley testing and why skills stalled in so many departments."
Furthermore, as organizations moved past year-one compliance efforts, they placed more emphasis on control rationalization and program repeatability. This emphasis in turn narrowed auditors' focus, particularly among new auditors who weren't exposed to the year-one experience.
Internal audit departments generally launch their rebalancing efforts once audit priorities become less dominated by Sarbanes-Oxley compliance activities. Moving Internal Audit Back Into Balance, a survey conducted last year by Protiviti, found that rebalancing is closely tied to the development of an efficient and sustainable approach to compliance, which can take time to achieve. The year three mark of compliance appears to be the "sweet spot"--nearly half of the companies surveyed had reached this milestone, and of that number, 40 percent reported that they had achieved rebalancing.
The experience of internal auditors at Baxter International bears out the survey findings. At the start of the company's Sarbanes-Oxley compliance efforts in 2004, Bufalino says, "The vast majority of what we were doing was Section 404-oriented work. Projectwise, we decreased the amount of financial and operational auditing we were doing."
Partly in response to the demands of Sarbanes-Oxley, and partly to bolster overall IT skill sets, beginning in 2004 Baxter increased its internal audit staff from 18 to more than 30. Since 2005, the internal audit department has gradually been rebalancing. "Our goal now is to keep Sarbanes-Oxley at no more than 40 percent to 50 percent," Bufalino says.
Part of this effort, he adds, involves a recommitment to processes that were de-emphasized during the past three years. The departure from traditional audit tasks to perform Section 404 work almost exclusively created gaps in the department's internal processes.
"We lost some of our internal process focus as an audit function, and it has taken more time to rebuild that than we would have liked," Bufalino says. "That's been time-consuming and a bit of a distraction."
To address this situation, the internal audit department conducted a thorough external quality assessment that identified areas requiring attention. One area Baxter is focusing on is a quality review program. The department has established performance metrics in several areas, including professional development. Bufalino says the department is also now monitoring more closely the amount of time auditors spend on three main types of activities--traditional audit duties, projects related to Sarbanes-Oxley, and consulting work.
"We're looking for a balance that we haven't had during the last three or four years," he says. "We try to manage that balance to make sure the project mix is appropriate in terms of risk to the company, what the audit committee requires or expects, and what provides the most value to the company."
BUILDING BUSINESS EXPERTISE
The audit department at U.S. Bancorp, a financial services holding company headquartered in Minneapolis, presents a contrasting example of Sarbanes-Oxley's impact on the audit function. Because internal auditors in the banking industry are required to balance U.S. Securities and Exchange Commission requirements with banking regulatory requirements, Sarbanes-Oxley work did not create an imbalance, says Art Heise, senior vice president and CAE. U.S. Bancorp's audit department, for example, worked primarily with its external auditors on evaluating and testing key Sarbanes-Oxley controls; the incremental work related exclusively to Sarbanes-Oxley did not significantly alter the annual plan.
The department's challenge, Heise explains, is a lack of readily available business expertise among internal auditors in specialty businesses in which U.S. Bancorp is engaged. "Although auditors are proficient at understanding audit principles and standards, this expertise is sometimes insufficient because they don't understand business needs and practices," he says. "Most of the people we hire come out of the Big Four or other internal audit departments. What they sometimes don't know is how a complex financial services institution operates--that's a potential gap we continually manage." This lack of specific business expertise is particularly problematic in the areas of wealth management and global payment services, two significant U.S. Bancorp businesses.
To bridge the gap, the company allocates a minimum of 40 hours per auditor annually for business-specific training, both within and outside the company. Internally, Heise arranges for senior- and manager-level auditors to spend time within a given business unit.
"With payments, for example, we found that even an experienced bank auditor may have to learn the business to understand where the risks are, how payments are settled, what the contractual agreements are with customers, and how to establish and build controls around those risks," he says. "Once the auditors completely understand the business, we get a much better quality audit." For the external component, the company purchases training from organizations such as the Fiduciary & Investment Risk Management Association, The IIA, and the American Institute of Certified Public Accountants.
"At this point, our biggest issues in terms of training and understanding are in the mortgage area," Heise says. "Most problems are on the investment side, in the secondary markets. An enormous amount of assumptions underline the valuation of these portfolios--that's an area that we're focusing on to make sure auditors understand it."
FOSTERING LEADERSHIP SKILLS
As Sarbanes-Oxley fades from the foreground, other concerns have acquired greater urgency. Protiviti's 2008 edition of the Internal Audit Capabilities and Needs survey found that information security is considered a top risk for organizations. Respondents also ranked "personal skills"--such as public speaking, change management, and leadership--as competencies needing improvement (see "Critical Skills in Demand" on page 41). Similarly, The IIA's recent Common Body of Knowledge survey, the most comprehensive study of the profession in The Institute's history, cited leadership as one of the most important behavioral skills for management level auditors to possess.
The internal audit department at defense contractor Raytheon Co., headquartered in Waltham, Mass., provides an example of dynamic, broad skills development in these areas. All of Raytheon's internal auditors, regardless of specialization, undergo comprehensive training in change management, leadership, negotiation, persuasion, and communication, says Larry Harrington, CAE.
To achieve skill development objectives, Raytheon's internal audit department sponsors in-house and external training for its 54 staff members. The department provides auditors with at least 100 training hours per year and asks them to match that with an additional 100 hours of their own time. All internal auditors are required to undergo Six Sigma training and to read at least two business books each year, as well as prepare a report on those books to share with co-workers. Internal auditing also provides job-related skills as well as leadership training and brings in speakers on topics such as diversity, managing a global workforce, and working with remote colleagues. The internal audit department also helps each of its auditors develop a career plan that identifies the individual's strengths, weaknesses, and opportunities.
"We use a variety of tools to help them assess what they like to do and what they might like to do in the future," Harrington says. "We identify gaps and work with them to get appropriate training to close those gaps."
In addition, auditors are expected to extend their skills beyond their own specialty--non-IT auditors, for example, fortify their knowledge of IT-related risk through The IIA's Global Technology Audit Guide (GTAG) and Guide to the Assessment of IT Risk (GAIT) series. "The skills gap that non IT auditors have had for many years is finally starting to be closed," Harrington says. "Nonfinancial auditors are getting information that helps them understand the role IT plays and why it is important."
Although Sarbanes-Oxley did not produce a skills gap at Fortune Brands--a U.S.-based consumer brands organization with operating companies in distilled spirits, home and hardware, and golf--it did increase formal internal control evaluation requirements, says Gary Tobison, Fortune's vice president and chief internal auditor. He adds that for his department, the process has been more of a refocusing than a retooling.
Before Sarbanes-Oxley, the internal audit department at Fortune concentrated on financial control auditing. At the height of Sarbanes-Oxley activity, the department's focus turned to more select key financial controls. Now, the pendulum is swinging back to where it was before compliance with the act began.
"What we're doing now is moving back to broader and deeper dives into specific areas while maintaining Sarbanes-Oxley controls," he says. "We're looking at across-the-board financial control audits--such as order-to-cash, production, inventory, marketing expenditure, payroll, and ad agency reviews."
He notes that while there was a change in mind-set from compliance auditing to more traditional audits, the skills are basically the same for Fortune's financial auditors. "While one is more compliance-oriented, even with Sarbanes-Oxley our auditors are looking at risks and determining whether the key controls exist."
The attention to risk has been a consistent feature of Fortune's audit department, both before and after Sarbanes-Oxley. "We keep risk in the forefront with our auditors, so they're aware of exposures and the potential for fraud," Tobison says. "If they see something unusual, we'd expect them to report on it, whether they're doing a traditional audit or one of our Sarbanes-Oxley audits."
At Baxter International, the internal audit staff's technical proficiency, certifications, and amount of experience with external versus internal audits are closely monitored as part of the overall process improvement drive, Bufalino says. Although the audit team is solid in terms of the skills required for both Sarbanes-Oxley and more traditional work, he explains the organization as a whole is expanding its commitment to training.
"Our team will be able to participate in broader finance training, and they'll also receive external training to ensure they're technologically proficient," Bufalino says. "That's somewhat 'business as usual,' but in terms of the metrics we've highlighted, it's something we're watching more closely to make sure we're reaching the levels we need to hit."
The internal audit department at U.S. Bancorp measures improvement against The IIA's International Standards for the Professional Practice of Internal Auditing as well as its own policies and procedures, Heise says. The department's Professional Practices Group randomly selects and reviews workpapers produced by internal auditing's six other groups against these standards and creates a quarterly report that shows results and trends that provide opportunities for improvement. "The Professional Practices Group performs a quality control function within our department," Heise says. "They audit the auditors."
For Raytheon's Harrington, success is measured by his department's reputation both within and outside the firm. Raytheon's auditors strive to be known not only for audit-specific knowledge and ability, but also for the broader skills required in the post-Sarbanes-Oxley world. "More than one-third of my hires come from within the company because people see how much they'll learn in internal auditing, beyond audit skills," he says. "We view internal auditing as a way of teaching leadership and critical thinking, and offering some unique training, which helps differentiate us when it comes to recruiting. The need in internal auditing is greater than the supply of candidates--if you can't differentiate your company from others, you won't get the top talent."
Although training will vary in its structure and delivery depending on an individual audit department's existing capabilities and skills gaps, many audit professionals recognize the need to upgrade their knowledge and skills continuously. In doing so, they help the department rebalance after Sarbanes-Oxley and enhance the function and status of internal auditing as a key player that creates value for the entire enterprise.
"We spend half of our training time making our internal auditors the leaders of tomorrow," Harrington says. "A world class internal audit function is a talent pool for the organization. You have to attract talented people, develop them, and then move them out into the business units where they can create change and contribute to the company."
A BLESSING IN DISGUISE
Despite Sarbanes-Oxley's profound effect on the audit profession's focus and skills requirements, Keps cautions against making the act a scapegoat. "Let's not discount the positive impact Sarbanes-Oxley has had on the skills of the internal audit profession," he says. "It sharpened practitioners' focus on IT general controls and formal risk assessments, both short-changed by some departments. It also forced internal auditors to be more disciplined on some basics, such as sample selection, evidence, and exception reporting--all valuable, transferable skills." More importantly, Keps adds, Sarbanes-Oxley pushed the profession to grow and achieve greater visibility as it raised expectations about internal auditing's role.
Bufalino agrees, pointing to the influence internal auditing has gained as a result of its increased stature. He says the closer relationships to board committees and corporate executives and the advisory role of internal auditing are some of the unanticipated gifts of Sarbanes-Oxley. "Sarbanes-Oxley has allowed us to rebuild a lot of relationships within the organization, because it's given the internal audit group a bit of visibility that it might not otherwise have gotten--we're perceived as a group of internal experts that can help guide the company."
This unexpected prominence in the post-Sarbanes-Oxley era represents an exciting opportunity for audit professionals to rebuild their audit skills and ultimately help their companies identify and avoid unnecessary exposure. The skill shift not only allows auditors to identify and analyze operational risks, but also provides necessary career growth, particularly for those who developed their initial baseline skills during the early Sarbanes-Oxley years.
To comment on this article, e-mail the author at firstname.lastname@example.org.
RELATED ARTICLE: Critical Skills in Demand
While the attention of many organizations was focused on Sarbanes-Oxley compliance, the nature of the audit profession changed significantly. The role of internal auditing has expanded--auditors are called upon to assess their organization's risk management processes, develop creative solutions to complex business challenges, explore new technologies, and encourage their organization to adopt best practices that will enhance all business functions.
To perform these highly sophisticated duties, auditors need a broader array of skills and competencies than ever before. The 2008 edition of the Internal Audit Capabilities and Needs survey conducted by Protiviti found that internal audit professionals feel a need to fortify their skills in three key areas--general technical knowledge, audit process knowledge, and interpersonal capabilities. Within each of these areas, survey respondents identified specific competencies that require improvement.
Because information security remains a critical risk for organizations, it's not surprising that respondents indicated as a high priority the need to improve key technical capabilities, including enterprise risk management and fraud risk management skills, knowledge of The Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management-Integrated Framework, and proficiency in the Financial Accounting Standards Board's new fair-value accounting standards.
In terms of audit process knowledge, survey respondents say computer-assisted audit techniques is the area requiring the most improvement, followed by continuous auditing, data manipulation, and statistical analysis. The value of such skills is echoed in The IIA Research Foundation's Common Body of Knowledge study, which shows that more than 75 percent of surveyed chief audit executives named data collection and analysis as one of the most important technical skills for staff auditors. Of less pressing concern to respondents of the Protiviti survey are five areas of auditing IT--program development, change control, computer operation, security and continuity. As part of their rebalancing efforts, many organizations are using state-of-the-art technology to assist with continuous monitoring and fraud detection.
In the third competency area, interpersonal skills, respondents to the survey say improvement is needed around developing and managing relationships with other committees of the board of directors, in addition to the audit committee, company executives, and external contacts. To facilitate communication with these diverse constituents, audit professionals seek to improve their presentation and public-speaking skills. Other high-priority interpersonal skills are developing rapport with senior executives, negotiation, and change management.
ILLUSTRATION BY DOUG ROSS
MICHAEL PRYAL, CPA, CIA, CISA
|Title Annotation:||BEYOND SARBANES-OXLEY|
|Date:||Jun 1, 2008|