Somewhere Between Survival and Status, Did Substance Fall Through?

Chandrasekhar Krishnamurthy, CIA, CISA, CA
Manager, Internal Audit
Hydro Ottawa Group

Three “S” words govern internal auditors’ thinking about themselves and their profession: survival, status, and substance. For the past 20 years, we have worried perhaps excessively about survival and status, and not enough about substance.

Until the 1980s, internal auditors did not give much thought to survival. As corporate restructuring, business process re-engineering, leveraged buyouts, and mergers and acquisitions swept businesses aside, we realized we needed to work harder to get management to understand the value we added/retained/protected. So, we shifted the emphasis to new skills, especially soft skills, as a way of becoming better ambassadors for ourselves. We softened our duty to “advise management” (a rather stern phrase) by including it within the envelope of “consulting” activities.

Those who cut their audit teeth in the 1970s (me amongst them) would readily recognize this shift as a necessary corrective. It made us and our profession more presentable, more in keeping with the requirements of a 21st century workplace.

Our quest for survival was also successful because of the rocky history of business during the past 20 years — the savings and loan crisis, the Asian financial flu, the fall of Enron, etc. We converted each seismic event in business into an opportunity. We worked with regulators worldwide to ensure internal auditing would be somehow part of the regulatory response — Sarbanes-Oxley (or its equivalent in most countries), reforms in corporate governance, reporting on entity-level controls, and ERM, CSR, GRC, and all the rest of that alphabet soup.

Survival ensured, we turned to status. Armed with our new-found soft skills, we spent a decade or more pushing to make sure the chief audit executive (CAE) would report to the audit committee rather than to the CEO or chief financial officer. We successfully managed to make it a “best practice” for the CAE to have a seat not only at the executive table but also in the boardroom.

Great. Mission accomplished. Survival assured. Status elevated and cemented. Right? Not quite.

Early analyses of the current financial crisis, including the recently released report of the Inquiry Commission appointed by the U.S. Congress, indicate that the collapse of the house of cards had been more than a decade in the making. Banks, mortgage refinance companies, insurance companies, rating agencies, hedge funds, regulators — all began their risky journey in the mid 1990s, stepped on the gas after 2001, and finally drove off the cliff in 2007 and 2008.

The commission’s conclusions (on pages xv to xviii of the 662-page report) are humbling:

  • “This crisis was avoidable.”
  • “Widespread failures in financial regulation and supervision.”
  • “Dramatic failures of corporate governance and risk management at many systemically important financial institutions.”
  • “Combination of excessive borrowing, risky investments, and lack of transparency.”
  • “Government ill prepared for the crisis.”
  • “Systemic breakdown in accountability and ethics.”
  • “Collapsing mortgage-lending standards and mortgage securitization pipeline.”
  • “Over-the-counter derivatives contributed significantly.”
  • “Failures of credit rating agencies were essential cogs in the wheel of financial destruction.”

Internal auditing comes off almost honorably in the commission’s report. For example (page 157), the report documents how the internal audit department at New Century, the second-largest subprime lender in the United States, “identified numerous deficiencies in loan files and gave the company’s loan production department an ‘unsatisfactory’ rating seven times” out of nine in a single year. For its pains, the internal audit department’s budget was cut.

Elsewhere (page 160), the report concludes:

“Across the mortgage industry, with the bubble at its peak, standards had declined, documentation was no longer verified, and warnings from internal audit departments and concerned employees were ignored.”

Yet, there is also a faint whiff of disapproval about where internal auditing may not have measured up. The Inquiry Commission notes, for example, that the New York Fed’s supervision of Citigroup had “lacked the appropriate level of focus on [Citibank’s] risk oversight and internal audit functions.” (Page 303)

As I see it, internal auditors have two options. The easy one is to heave a collective sigh of relief at getting off so lightly in this weighty report and pretend nothing really happened. The alternative is to recognize that we may have failed to spot something momentous even as it was happening.

How much distance, after all, can we place between ourselves and “dramatic failures of corporate governance and risk management” on a global scale? Especially when, through the same period that these failures were building up, we were working tirelessly to augment our status and be part of the highest levels of corporate governance? With our now-established access to the audit committee, can we still plead ignorance of a “systemic breakdown in accountability and ethics”? Did we, like all the other actors in this decade-long drama, too readily “embrace mathematical models as reliable predictors of risks, replacing judgment in too many instances”?

The echo in the report’s conclusion is familiar:

“We must also accept responsibility for what we permitted to occur. Collectively, but certainly not unanimously, we acquiesced to or embraced a system, a set of policies and actions, that gave rise to our present predicament.”

How we “accept responsibility,” how we shape our role anew, how we fashion our value proposition — these are the challenges that we must address. In a prophetic February 1998 interview with Internal Auditor (“Soft, Dangerous, Essential”), James Roth challenged us to understand how we would “help management control an organization that is much looser, freer, and potentially more chaotic.” That moment of reckoning has now come.

It’s time for us to go back to the one “S” word we may have too long ignored: substance. What is the DNA of internal auditing in the 21st century, and how is it recognizable in the work we do? In my view, this discussion transcends simple survival and status.
 

Posted on Feb 14, 2011 by Tim


  1. Dear Chandra,

    Very well-articulated thoughts. Yes indeed, the Internal Auditing profession has to focus on the various aspects of the "Substance" of internal auditing. I know that the IIA is already looking at conducting research on the subject of 'Where were the Internal Auditors', in the context of the financial crisis. I recently saw this Hollywood documentary titled "The Inside Job", which traces the roots of the financial crisis into the top echelons of the government and regulatory bodies. The film also delves into blatant violations within some of the key organizations that fueled the crisis. I am convinced that there is a lot that the internal auditor of the future can do, and your conclusion about our discussions transcending simple survival and status, says it all.

    Regards

    Adil

  1. Dear Adil,

    It's gratifying to know the IIA is looking into the "Where were the Internal Auditors?" question. Not a day too soon. Internal auditors' part in the collapse may have been negligible, and we must have no illusions about what we could have done to prevent it or forestall it. But, this elephant has been in the room too long for us to pretend it need not be discussed. I think a sort of Truth & Reconciliation Commission effort is needed - where we can all do some plain speaking to one another. It won't be pleasant, but we will be the better for this effort.

    Thanks for the valuable feedback.

    Chandra 

  1. Haha, shouldn't you be charging for that kind of knowledge?!
  1. These questions should be asked regularly in every country. Enron, Worldcom, etc would not have happened if these questions were answered on a regular basis. I live and work in Shanghai, been in Greater China for a long time. My answers to the questions would be:

    1. Almost impossible to protect against this anywhere in the world except by clean-rooming the audit team.
    2. This is part of audit close out procedure to 'negotiate' the final written statement.
    3. Except for a 1-person company I cannot imagine this not happening anywhere in the world.
    4. Risk management in an audit firm works to protect the audit firm. Has same function for lawyers and accounting firms.
    5. Ever seen a firm that has proven through published accounting procedures and examples lifted at random from its books and records, that it complies 100% with the entire provisions of the law? No. So does anyone comply 100%? No.
    6. My opinion is take them out of business. Auditors, like accountants and lawyers are there to operate according to law. That is the public and government expectation. If they don't meet it then register and close the business.
    7. I think not. Auditors should be a government function to remove incentives to act for commercial advantage or gain. Yes this is idealistic but need to strive for it.
    8. Government involvement and oversight. Transparency of audit procedures.
