Professional Documents
Culture Documents
Chapter 2-3-4
Chapter 2-3-4
Chapter 2-3-4
Step #3 Step #4
Internal External
Step #5
Reengineer the
Process
Without alignment of these projects, a series of problems may appear The shift to reengineering can be facilitated by efforts to
align multiple, discreet operating macro improvement projects with broader programs, plans, and visions. Each specific project can
be assessed and modified to ensure
compatibility with other infrastructure
standards, and long- Figure 2.9: Micro vs Macro Reengineering term business plans.
Local Senior
Leadership
Small Massive
Scale
potential organizations or business units in implementing reengineering, based on the worlds experience up
to this point it is clear that reengineering is not a fad.
Senior management's commitment and strong support of the reengineering initiative. This
commitment and strong support should not only exist at the initiation of the project, but should
continue and be visibly demonstrated throughout its duration. The project sponsor should be either
the CEO of the corporation or a member of the senior management team who is ultimately
responsible for the success of the process.
Reengineering projects should be initiated in the context of a clear and shared vision about the
goals and objectives of the organization going forward. This implies that vision should not only be
clearly articulated, but there should also be four-way communication of its elements and strategies
to be put in place to achieve it. According to Hammer and Stanton (1995, p. 151), the top principles
of communication on a reengineering project are: segment the audience, use multiple channels and
multiple voices, be clear, communicate, communicate, communicate, honesty is the only policy, use
emotions — not just logic, heal, console, and encourage, make the message tangible, and listen,
listen, listen.
Reengineering projects should be initiated in the strategic context of growth and expansion. In other
words, organizational members are more enthusiastic and less resistant of reengineering projects
when they are meant to increase market share, grow revenues, become more competitive, or
expand into the new lines of business rather than when they are designed to result in cost cutting,
downsizing, or outsourcing. At times, the outcome of a reengineering initiative might be just that and
it is perfectly fine, but to frame the project in terms of such emotionally negative goals would not
bring the best out of the reengineering team participants.
13 Barbara J. Bashein M. Lynne Markus, and Patricia Riley, "Preconditions for BPR Success and
How to Prevent
The sponsor of the reengineering project should set realistic expectations or goals for the
Reengineering team. In order to achieve this, the sponsor should have a deeper under standing of
the diseased process and the time and effort required to fix it. Agreeing to realistic expectations
does not mean that the reengineering team should be absolved from radically redesigning the
business process to achieve the dramatic improvements but rather the team should be accorded
realistic time and resources to successfully complete the task at hand.
Collectively, the members of the reengineering team must have a process-orientation holistic
perspective, creative mind-set, enthusiasm and restlessness, optimism, optimism, persist ence,
team spirit, excellent communication skills, and tactfulness.
A reengineering team should be sufficiently empowered along with proper accountability and
responsibility to deliver the best-suited solution to the diseased process. As the reengineering
project gets underway, there is a growing tendency among the project sponsors to either completely
forget about the reengineering project or to micro-manage each and every aspect, thereby killing
the opportunity to develop a well-thought-out business process. Both extremes are unproductive
and detrimental to the business process reengineering. The appropriate approach lies somewhere
between the two extremes.
The cross-functional reengineering team should be comprised of adequately trained, full time
personnel from the various parts of the organization. It is important that the reengineering project
have the undivided attention of the reengineering team during its entire duration. The real-life
experience indicates that all too often reengineering projects are add-ons to team members' regular
job responsibilities. Such an approach, for whatever reasons, sends conflicting signals to the other
organizational participants that indicate lack of commitment, resources, or direction on the part of
the senior management to the reengineering initiatives in the organization.
Senior management (along with the reengineering team) must understand that they will encounter resistance
during the implementation stage. Resistance is only natural, and everyone concerned with the success of
reengineering must find and confront the disguised resistance, understand it, and have a plan in place to
manage it by employing one or all of the following mechanisms: incentives, information, intervention,
indoctrination, and involvement.
Overall Hammer and Champy (1993, p. 80) view a business system in terms of four .business
processes, jobs and structure, management and measurement systems values and beliefs. Since
all of these components of a business system are hey all should be simultaneously managed and
changed to be success at reengineering the entire organization.
By no means is the above list of preconditions or enablers comprehensive, but it does capture the ones that are deemed to be of
critical importance by the practitioners in this field. Just like one needs to be aware of positive preconditions" for a successful
reengineering initiative, Bashein , Markus, and Riley (1994) also highlight a number of negative preconditions that can derail a
reengineering effort. Some of these are as follows:
The Wrong Sponsor: A well-intentioned reengineering project will fail if sponsored by the wrong
person or team in the organization. All of us are well aware of the political ramifications of any
change in an organization, and when change is initiated by the wrong sponsor, our experience
suggests that the project is doomed for failure from the very beginning. According to Bashein,
Markus, and Riley (1994, p. 11), “The wrong sponsor could be too low in the management ranks,
too technically focused, getting ready to retire or change jobs, lacking in credibility or leadership
abilities, unable to develop a good working relationship with internal or external BPR consultants,
and insistent on going ahead with reengineering when major change is unnecessary or excessively
risky."
A "Do It To Me" Attitude: A reengineering project will fail if the sponsor in the organization is not
willing to get involved and is interested only in hiring consultants to do the reengineering for him or
her.
Cost-Cutting Focus: If a reengineering initiative is presented to the people in the organization with
the cost-cutting focus, the effort is not going to succeed because "costcutting focus usually restricts
the creativity of redesign team...they may not seek out the opportunities for growth...and may avoid
radical changes that threaten to eliminate their own and others' jobs." (p. 11)
Narrow Technical Focus: If a reengineering project is driven by the goal of incorporating technology
in the process rather than by any strategic thrust, the project would be more likely to fail because
mere automation translates into the computerization of the existing inefficient process rather than
starting from a clean slate to create a value-added process.
Unsound Financial Condition: Since reengineering projects can be time-consuming and all
encompassing, it is not a good idea to undertake an organizational renewal type of reengineering
perspective and focus in times of financial difficulty. Inasmuch as organizational renewal may seem
to be the appropriate strategy during such times, the more immediate needs are generally focused
on turning the organization around as quickly as possible.
Consensus Management: "Although a collaborative work style am positive precondition, a culture of consensus decision making at
the top tion can delay reengineering efforts and even make completing them impo
ment Projects Underway: In an organization where to improvement projects are underway at any given time, a reengineering
initiate be considered another flavor of the month program. According to Bashein Riley (1994. p. 11). "Diverse improvement
projects may be poorly planned integrated, and even mutually self-defeating. When multiple projects are take same time their
effectiveness may be diluted, making significant improvement possibility and breakthrough improvements an impossibility."
rly planned, badly projects are taken on at the efficient improvements a remote
Fear and Lack of Optimism: If an organization is suffering through a period of fear and lack of optimism due to the failure of
previous total quality improvement or other organizational renewal efforts, it is not a good time to start a reengineering project
Rather, senior management should first work on reestablishing employee morale and confidence by building a culture of trust and
hope in the organization. “A certain amount of optimism is essential for creativity in redesign efforts and successful
implementation." (p. 12)
To assist in evaluating whether an organization is ready for reengineering, Hammer and Stanton (1995, pp. 86-88) provide
a self-diagnostic instrument which is presented in Figure 2-10. This diagnostic can be easily adapted to evaluate the
readiness of an internal audit function for reengineering. There are three basic dimensions of this diagnostic:
Reengineering Leadership, Organizational Readiness, and Style of Implementation.14
As mentioned above, even though reengineering methodology is usually context-specific, the implementation experience
of the last decade has taught us the potential obstacles that one might face in implementing business process
reengineering. In a field study of the members of the Planning Forum, an international business organization focusing on
strategic management and planning, Grover, Jeong, and Teng (1998, pp. 53-59) found that a majority of the obstacles in
business process reengineering implementation fall into the following six categories:15
Category 1: Management Support Problems: Problems associated with the top management's commitment and
leadership for reengineering.
**Refer to source mentioned in Exhibit 2-10 to view the complete set of instructions and scoring guidelines to complete
the self-assessment diagnostic.
For a full-length discussion of these problems, see "Survey of Reengineering Challenges" by Varun Grover, Seung R.
Jeong, and James T. Teng, published in Information Systems Management, Spring 1998, pp. 53-59.
REENGINEERING LEADERSHIP
1. The leader of reengineering is a senior executive who is strongly committed to reengineering and
who possesses the title and authority necessary to institute fundamental change. Score:
2. The reengineering leader truly understands the nature of reengineering and the magnitude of the
3. The reengineering leader has a vision of the kind of organization he or she wishes to create and
is able to express that vision clearly and simply in operational terms. Score:
4. The reengineering leader is ready and able to exercise leadership - through communications,
personal behavior, and systems of measurement and reward -- in order to make reengineering succeed.
Score:
5. The reengineering leader is prepared to commit both the organizational resources and personal
6. The entire senior management team shares the leader's enthusiasm for reengineering.
Score:
ORGANIZATIONAL READINESS
7. The organization as a whole recognizes the need for reengineering and fundamental change.
Score:
8. The organization understands the nature of reengineering, including the fact that it results in
9. The organization believes that the reengineering leader and the senior management team are truly
committed to reengineering, and that this commitment will be long lasting. Score:
10. The organization has none of the complacency and arrogance that often follow a sustained period
of success. Score:
11. The organization is free of the skepticism, mistrust, and ambivalence that often follow a program
Score:
13. Key staff organizations - human resources, finance, and information systems - are positive about
the prospect of reengineering and capable of innovative responses to its demands. Score:
14. The organization's experience with total quality management (TQM) has created an environment
15. The organization places a high value on serving customers and has a solid understanding of
STYLE OF IMPLEMENTATION
16. The organization is comfortable with the way in which reengineering proceeds through risk
17. The members of reengineering teams will feel empowered to "break the rules and to challenge
18. The reengineering effort is directed at key business processes rather than organizational units.
Score:
19. Managers have been given end-to-end responsibility for the processes to be reengineered and are
20. Measurement systems and performance goals have been established to chart the progress of
reengineering. Score:
Score each one of the above statements on a scale of 1 to 5: 1 representing strong disagreement
and 5 representing strong agreement. Minimum suggested scores are printed against each
statement. If you score lower than these scores, you need to take remedial steps before proceeding
on to reengineering.
Source: Hammer, Michael, and Steven A. Stanton, The Reengineering Revolution: A Handbook
(New York: Harper Collins), 1995, pp. 86-88. Reprinted with Permission.
The Institute of Internal Auditors Research Foundation
Chapter 2: Reengineering: Theory and Practice
All in all, these researchers identified a total of 64 commonly encountered problems. These problems are
listed in Figure 2-11 under each of the six major categories.
Since a number of these obstacles are self-explanatory, we will discuss here only the major conclusions of
this research. According to this research (p. 55), the five most severe problems were:
A review of Figure 2-11 points to the fact that out of the five most severe problems, all except #2 fall in
Category 5 that clusters all the change management related problems. Obstacle #2 falls in Category 4,
Project Planning Problems. These findings confirm the observations made in the previous section that
deployment of a new business philosophy and techniques is 10 percent of the effort in any organization,
while orchestration of the related change management activities is the remaining 90 percent of the work.
On the potential causes and reasons of these obstacles, Grover, Jeong, and Teng (1998) observe that:
Often reengineering implementation is considered a highly political process where stakeholders are more
concerned about furthering their own self-interests than about contributing to their organization. This could
be partly attributed to the rigid hierarchical structure (the third most severe problem) since organizations
with this structure tend to be functional and hence parochial. Even with a high level of awareness of change
issues, careful change management is needed to handle issues of turf and politics. In many cases,
presenting employees with a prototype of how the reengineered organization will work and conveying a
sense of project's urgency to employees may prove useful in overcoming resistance (p. 56).
to reengineering efforts.
planning
16. Not enough time to develop new skills for the redesigned process.
ording to the
functional responsibilities.
organizational members.
process.
to the business
Source: Grover, Varun, Seung Ryul Jeong, and James T.C. Teng, "Survey of
On the problem of top management's short-term view and quick-fix mentality, Grover, Jeong, and
Teng (1998, p. 57) observe that, "In the absence of a broad long-term vision, it is difficult to
conceptualize a reengineering program aimed at radical improvements in productivity, service, and
quality. The resulting reengineering efforts may become fragmented and stunted." The
researchers further observe the prominent absence of information technology as a major problem,
which reinforces the concept of technology audit as espoused by Bennis and Mische (1995).
Relatively lower rankings of the IT-related obstacles is contrary to the popular belief held by die
practitioners of reengineering that IT is a major and critical variable in the reengineering og tion.
These findings should not be interpreted to belittle the importance of IT to any teen ing efforts, but
should be construed to mean that mere existence of strong IT will not successful reengineering
project if the other important preconditions are missing.
16"As mentioned early in this chapter, a great deal of material has been published on reengineering in as practitioner-
oriented journals. The above discussion only attempts to summarize the broad issues contextual background for
someone just starting in this area. Readers who are interested in le of the areas discussed in this chapter are
encouraged to read various references listed at the end of this chapter
References
Adams, J.D., Transforming Work (Alexandria, VA: Miles River Press) 1984.
Bashein, Barbara J., M. Lynne Markus, and Patricia Riley, "Preconditions for BPR Success and
How to Prevent Failures," Information Systems Management (Spring 1994): 7-13.
Bennis, Warren, and Michael Mische, The 21st Century Organization: Reinventing Through
Reengineering (San Francisco, California: Jossey-Bass Publishers) 1995.
Camp, Robert C., Benchmarking: The Search for Industry Best Practices That Lead To Superior
Performance (Milwaukee, Wisconsin: ASQC Quality Press, 1989.
Carr, David K., and Henry J. Johansson, Best Practices in Reengineering (New York: McGraw
Hill) 1995.
Chandler, G. Donald, "The Restructuring of Corporate America: Are Banks Next?" The McKinsey
Quarterly (Spring 1990): 119-125.
Davenport, Thomas H., and Donna B. Stoddard, "Reengineering: Business Change of Mythic
Proportions?" MIS Quarterly (June 1994): 121-127.
Davidson, W.H., "Beyond Reengineering: The Three Phases of Business Transformation," IBM
Systems Journal (Vol. 32, No. 1) (1993): 65-79.
Hammer, Michael, and James Champy, Reengineering the Corporation (New York;Harper Collins)
1993
Hammer, Michael, and Steven A. Stanton, The Reengineering Revolution: A Han York: Harper
Collins) 1995.
Klein, Mark M., "Reengineering Methodologies and Tools: A Prescription for Enhar Success,"
Information Systems Management (Spring 1994): 30-35.
Klein, Mark M., "Tips for Aspiring Reengineers," Planning Review (January/February 1996):40. 41.
Mische, Michael A., and Warren Bennis, "Reinventing Through Reengineering: A Methodology for
Enterprisewide Transformation," Information Systems Management (Summer 1996): 58-65.
Rigby, Darrel, "The Secret History of Process Reengineering," Planning Review (March/April
1993): 24-27.
Stone, Romuald A., "Mission Statements Revisited," SAM Advanced Management Journal (Winter
1996): 31-37.
Teng, James T.C., Varun Grover, and Kirk D. Fiedler, "Business Process Reengineering: Charting
a Strategic Path for the Information Age," California Management Review (Spring 1994): 9-30.
Teng, J.T.C., V. Grover, and K.D. Fiedler, "Developing Strategic Perspectives on Business
Process Reengineering: From Process Reconfiguration to Organizational Change," Omega,
International Journal of Management Science (Vol. 24, No. 3) (1996): 271-294.
The Institute of Internal Auditors Research Foundation
CHAPTER 3 REENGINEERING AND INTERNAL AUDITING
Introduction
In this chapter we specifically deal with the issue of internal audit reengineering. After developing
the definition of internal audit reengineering and its elements, we identify its major drivers. Building
upon the generic reengineering literature as summarized in the previous chapter, we then identify
the critical elements of successful internal audit reengineering. We propose that for any internal
audit function to embark on internal audit reengineering, it is necessary to adopt a process-
oriented mind-set and organize around a set of core and support internal audit business
processes. In other words, the internal audit function must operate like a business. To accomplish
this transition, an internal audit change integration framework is proposed.
In spite of the myths surrounding it, as discussed in Chapter 2, this definition has served well and
has guided a great deal of action in a large number of business enterprises. In the same sense of
the spirit, internal audit reengineering can be defined as:
Optimal restructuring of the internal audit function to re-relevance its core and support business
processes to help organizations achieve their business objectives in risk intelligent ways.
"...in helping the organization achieve its business objectives" should not be construed to imply the
exclusion of traditional "controls monitoring" by the internal auditing function because "compliance
with and maintenance of effective organizational controls" is also considered an important
business objective by "world-class corporations.
following:
If we compare and contrast Hammer and Champy's (1993) definition of reengineering proposed
definition of internal audit reengineering, not a single phrase overlaps. Ho some differences, the
basic intent and purpose of the two "reengineerings” remain
ion is the notion of starting all over again. They Implicit in Hammer and Champy's (1993) definition
is the notion of starting all over propose to abandon the old and adopt the new; rightfully so, given
the objectives of ree ing in transforming "Taylorian-based" organizations. This is neither
recommended nor is in the case of internal auditing. The purpose of reengineering internal
auditing is to sufficient discontinuity in its history and experience to enable it to think outside the
box and perceiving itself in a much broader role. Therefore, the intended objective of internal.
reengineering is to transform the traditional internal auditing function from a mere protector of
shareholder value to one which would carefully balance its dual role of protecting and enhancing
the shareholder value. Figure 3-1 illustrates the conceptual model of the "reengineered” state of
internal auditing
It is important to note that in Figure 3-1, the emphasis is on the balance between the shareholder
value protection and shareholder value enhancement rather than have the internal audit function
camp on any one side. There is no way that a reengineered internal audit function can (or should)
totally abandon its oversight role and thereby jeopardize the entire corporate governance structure
of the modern-day business corporation. Neither can it afford to completely lose sight of the value-
added demands being placed on it by the senior management of the business organization. In
discussing the findings from a recent survey of internal audit directors and the CFOs of 60 leading
companies, Deloitte & Touche (1998), a leading provider of internal audit co-sourcing services,
observed that:
A Conceptual Model
Source: Deloitte & Touche Enterprise Risk Services, Internal Audit: The Nature of Transition,(New
York: Deloitte & Touche), 1998. Reprinted with Permission.
While providing value-added consultation is beneficial to any organization, and can greatly support
the internal audit function's primary charter of enterprise value protection, the original risk
mitigation and organizational protection charter cannot be assigned any lesser importance (p. 3)
In other words, a reengineered internal audit function would have duality of roles. At times there
may even be conflict in these two roles because the audit committee of the board of directors often
emphasizes shareholder value protection with a great deal of attention to the control structure of
the business organization, while senior management may exclusively focus on the enhancement
of the shareholder value role. It is up to the reengineered internal audit function how best it can
discharge the two seemingly conflicting roles and still be perceived as an ally as opposed to an
adversary by both equally important customers. The findings discussed in the survey chapter as
well as the case study described in the latter chapters also lend strong support to this role of the
reengineered internal audit function.
It is quite evident from the earlier discussion in this chapter that an increasing num panies are
either going through a massive organizational transformation process or are frantical-Iy
reengineering their core and support business processes. Their goal is to create house
organizations that are able to quickly adapt and deliver cheaper, better, and faster pro services to
their customers in a globally competitive economy. All of this change is for single segment of these
organizations to rethink their role, place, and value-add. organization of the 21st century. What
should an internal auditing function do in light of these changes? Some of the questions follow:
this role and proactively seek and deliver new services and products that suit customers' changing
business demands?
2. Should internal auditing learn from the organizational transformation experience of its
own organization and reengineer its own processes and activities to deliver what is demanded by
its customers — cheaper, better, and faster?
3. Should internal auditing maintain its independence as it always has or should it align
itself with the business unit managers to help them achieve their goals and objectives?
4. Should internal auditing align its mission and vision to its organization's strategic plans
5. Should internal auditing work to become a core competency of the broader organization
just like other core functions or should it continue to operate like a support or a shadow function as
it has done in the past?
These and many other related questions are being asked by an increasing number of internal
auditing functions around the globe. As found in a 1995 IIA Research Foundation (IIA RF) study by
Gupta and Ray, a large number of internal auditors responded to some of these challenges by
applying total quality management (TQM) principles, tools, and techniques to improve ing
functioning of their internal auditing departments. There is ample evidence in the that a project-
based quality improvement program can redeem an "old" organization limited time before it slips
back into the Dark Ages. However, to meet the market test soorten employed today by the senior
management of most business organizations, internal auditors learn from the reengineering
experience of their own organizations. They must reeng internal auditing to add value at an
unprecedented rate to the business of their customers, wing at the same time preserving
independence and objectivity.
Changing business risk profiles and the related control structure of business organizam
tions.
Threat of outsourcing due to increased competition from alternative service providers, such
as public accounting and other internal audit consulting firms.
Continuously being asked to deliver more and more with less and less resources (i.e., staff
downsizing, budget cuts, lack of experienced internal auditors, etc.).
Business process reengineering and organizational transformation have thrust risk and control
issues to the forefront as never before. Consider the following three excerpts from various
publications:
Luscombe observes:
[The changing business environment] has accelerated downsizing and the introduction of new
methods such as "empowerment and "total quality management." Layers of middle management
have been removed and the hierarchical, bureaucratic approach abandoned... Where does that
leave the directors, management, and auditors who have to satisfy themselves and others that an
organization continues to be under control. [We are) in need of a fundamental rethinking of what
control is and how it can be achieved?
2. Gibbs and Keating, in their 1995 Internal Auditor article titled "Reengineering
Control environments have been shaken and shifted (in a majority of the business organizations)
as a result of downsizing, flattening, and decentralization... Many of the controls on which auditors
have traditionally relied, such as separation of duties and authorizations, actually tend to work at
cross-purposes to the goals of the reengineered, virtual corporation (p. 46).
3. Robert Simon, in a 1995 Harvard Business Review article titled "Control in an Age of
The above observations are valid because hardly a day goes by when we de the popular business
press about an organization that has been either slapped on the heavily by one or more
governmental oversight agencies for failing to protect the int stakeholders. At a larger level, the
control breakdown issues and concerns are often raised under the banner of “corporate
governance" with a "goal to tighten control over wayward managers
All of such control breakdowns, whether intentional or unintentional, occur either because there
are no controls in place or employees are able to bypass or circumvent the existing control
mechanisms put in place by the organization. The cost of these control breakdowns is enormous
to the companies in terms of "damaged reputations, fines, business losses, missed opportunities.
and diversion of management attention to deal with the crisis” (Simon, p. 80).2 In other words, the
reengineering of business processes at every level has increased organizations' risk exposure
enormously. Organizations now face a whole host of new risks, such as information technology
risks, customer information privacy risks, risks related to all aspects of e-commerce, and so forth.
Traditionally, risk was always thought of as financial and compliance. However, in today's
changing business environment, the concept of "risk" has assumed a larger framework. Risk is
now perceived in terms of "business risk" rather than only "financial and compliance Risk.
Business risk implies any threat or obstacle that would stop an organization from achieving its
business objectives. Therefore, if this increased risk exposure is not managed effectively w
integrated risk management process, all the gains that have accrued to business organizations to
the business process reengineering" could not only potentially disappear, but could a ardize the
very survival of an organization. Similarly, even though COSO (1994, P internal control as a
process designed to provide reasonable assurance that an organ objectives are being achieved in
the areas of effectiveness and efficiency of operations, ty of financial reporting, and compliance
with applicable laws and regulations, con cally have been thought to relate only to the "financial
and compliance trat business.
2in support of his comments, Simon (1995) points our attention to the well-publicized
control breakdown decade such as fictitious booking of profits by a trader in Kidder.
Peabody and Company, an admittance Roebuck and Company that its automobile service
business recommended unnecessary repairs banning of Standard Chartered Bank from
trading on the Hong Kong stock scheme, and recent improper booking of revenues by a
number of Internet and dot com companies.
Tors who primarily worked as "policemen" to protect shareholder value. Proactively speaking, me
to their historical involvement in the financial and compliance risks and controls, who bene When
the internal auditors to help organizations manage these new and unfamiliar business risks To
discharge this broadened function and increased responsibility diligently, internal auditors
ed to change their "mental models") as espoused by Peter M. Senge in his seminal book The Dah
Discipline: The Art & Practice of the Learning Organization (1990, p. 8). He describes at length the
importance of organizational learning to survive and compete in today's business environment.
And this mind-set change about the role of internal auditing in this new economy will come only by
radically reengineering the traditional internal audit processes and other related activities of the
traditionally focused internal audit function. Bojan, a partner with Arthur Andersen's world-class
internal audit practice, describes the progression of internal auditing from a pure "control-based"
perspective" to the "risk-based" perspective in Figure 3-2.
According to Bojan, there are four distinct phases that capture the progression of internal auditing
from a mere "control-based" activity to a "risk-based" activity. During Phase I, the internal auditing
profession was primarily engaged in control-based auditing with an emphasis on auditing
operational effectiveness and compliance. Phase II saw internal auditing profession's involvement
with the financial and compliance risk-based auditing with the goal of controlling only financial and
compliance risks in an organization. For the so-called "world-class" internal auditing organizations,
Phase III of this journey saw a shift from emphasis on financial and compliance risks to business
risks. In this phase, internal auditing starts with an understanding of the various business risks and
focuses on controls that should be in place, auditing for design, operational effectiveness, and
compliance with these controls. In Phase IV, the internal auditor does the same thing, but rather
than focusing on controls, he or she determines what business risk management process should
be in place to block and tackle" the business risks. The auditor then proceeds to audit for design,
operational effectiveness, and compliance within each of the components of the business risk
management process.
According to Bojan, realizing the importance of effectively managing business risks in this volatile
environment, the innovative business organizations of the 21st century will proactively lead the
integration of internal auditing into their business risk management process. In turn, the business
risk management process-based internal auditing functions will contribute more than ever before
in helping their organizations balance the shareholder value protection and shareholder value
enhancement concerns.
According to Senge (1994. p. 8). "Mental models are deeply ingrained assumptions,
generalizations, or even pictures or images that influence how we understand the world and how
we take action. Very often, we are not consciously aware of our mental models or the effects they
have on our behavior."
Based Auditing
By all estimates the amount of outsourced internal audit work to date has barely scratched the
surface. There are not sufficient data points to establish a defined trend, but given that the term
"outsourcing internal auditing" was a nonexistent term just a few years ago, the extent to which
organizations have had some experience with the outsourcing of internal auditing is astounding.
Our review of The IIA's GAIN 1995 database indicated that 305 of the internal auditing
departments in that database had some experience with outsourcing. However, our survey of
organizations in 1996 indicates that the experience with outsourcing has risen to approximately
39% (p. 4).
This was four long years ago. Today, outsourcing is sweeping corporate America like
reengineering did in the 1990s. It would not be an understatement to say that there is a very real
threat of outsourcing to many internal auditing functions in large and small organizations alike.
Rose E. Wescott (1995), an internal auditor with the Portland General Electric Company, is quite
up front in declaring to his cohorts that "reengineering the internal auditing will save your job."
Wescott (1995) strongly recommends that internal auditing departments consider reengineering
either just their internal audit process or better yet the entire internal auditing function. According
to Wescott:
Reengineering the audit department will be the first step in saving your job. Audit managers must
rethink their strategic value to the organization. To compete today, audit departments must be as
productive as the operating areas. Managers must change the way they do business in a way that
does not put them out of business. They must organize their structure and performance in a way
that responds effectively and quickly to the business changes without loss of effective control (p.
43-44).
in spite of the increasing trend toward outsourcing the internal auditing function, many
nonbelievers argue against the merits of doing so. According to Rittenberg and Covaleski (1997),
some of the arguments by this group revolve around issues such as:
Since internal audit outsourcing services are generally provided by the external
serious impairment of the independence of the external auditor that detrimental to the
welfare of the entire organization
There is a potential loss of confidentiality as in some cases the internal audit work by a CPA
can be subpoenaed in a lawsuit.
Management and the audit committee lose an objective source of information if the same
auditor discharges both the external and the internal auditor's role and responsibilities
Some of these arguments may very well have merit, but rather than fighting the inevitable and
trying to stop the tide with arguments, the internal auditing function should concentrate on
becoming a value-added partner with the organization's management. Rittenberg and Covaleski
(1997) quote the feelings of an internal auditor who participated in their survey:
If you truly add value to your company, by improving productivity, cutting costs, increasing
profitability, and training the next round of company management, everybody will tell you about it.
There are a lot of good companies who miss the opportunity to add a strong internal audit function.
It is one of the essential tools in management's kit when trying to go from a good company to a
great company. The trick to avoiding the outsourcing dilemma for me is to always provide cheaper,
faster, and more insightful services than my company could get elsewhere, at any price. If I can't
do this, I should be outsourced.
Commenting on adding value, Wescott (1995) observes that "value" or "value-added," at least in
the case of internal auditing, is extremely subjective because what is considered valuable today
may be useless tomorrow. He challenges the internal auditing departments to continually define
the value-added of the internal auditing function to endure it in the minds of its customers. He
pronounces that:
The valued history of the audit department is not enough to sustain it in the turbulent future.
Business thinking is fickle and with a change in organizational leadership, the subjective value of
the audit department may be lost. That is why we must redefine, reshape, and retool value to
prove ourselves. We can no longer rely upon our rich history to fortify the future. We cannot rely
on past performance for security and must repeatedly prove our value. Proper reengineering will,
at a minimum, show good faith that the
In other words, reengineer internal auditing to change not only its name but also its orientation
from problem finders to solution providers.
Even if you become a value-added partner or a change agent with management to assist in
managing business risks effectively and offering innovative state-of-the-art services, you will not
be given a great deal of liberty with the budget. In other words, inasmuch as senior management
and boards of directors would appreciate your contribution toward protecting and enhancing
shareholder value, you still have to do your job with less budget dollars than you did the previous
year. As we discussed earlier in this chapter, due to the globalization of the capital as well as
producer and consumer markets, barring a monopoly, every corporation is learning to operate in
an environment of ever declining profit margins. In all the core competencies that an organization
needs to succeed in today's markets, cost management is also an important competency that
every organization must possess. Whether it is the engineering department engaged in designing
new products, a manufacturing function engaged in mass customization, a shared services unit, or
an internal audit function, each segment of the organization has an unspoken directive to get the
biggest bang for the buck.
Such pressures for internal auditors are similar to the pressures facing their organizations, which
have responded by reengineering their core and support business processes. Internal auditing
should learn lessons from its environment and set out to reengineer its various core and support
internal audit processes. Wescott (1995) confidently declares that "If reengineering effort is
successful and you become a valued business ally, the demand for the audit department's new
products and methods will increase. Why shouldn't it?" His observation is empirically valid as the
survey results and the Allstate Case Study presented in the later chapters unequivocally point to
the same conclusion. Further, it is true that the new demands for internal auditing services will not
be in the traditional areas of financial and compliance auditing; rather they will be in new and
challenging areas, such as supply chain audits, participation in quality improvement projects,
Integrated risk management, control and risk self-assessment, process improvement consulting,
and so forth.
In addition to the three major forces leading internal auditing into reengineering, a recent Deloitte «
Touche survey (1998, p. 2) of CFOs and internal audit directors of 60 leading organizations
This reengineering or re-relevancing of internal auditing would require a number of changes within
the internal auditing function. These changes could be in internal audit's focus, its response to
organizational needs and demands, its approach to risk assessment and risk manage ment,
internal audit tests and methodology, type and quality of its recommendations and audit reports,
and its overall role in the organization (McNamee and Selim, 1998, p. 5). Figure 3-3 compares and
contrasts the characteristics of internal auditing in this paradigm shift.
The implications of this paradigm shift are enormous. It turns the focus of audit away from the past
and toward the present and future. Focusing on controls over transactions buried the internal
auditor in the details of the past, limiting the value of any information derived. By focusing on risks
to present and future transactions, the auditor is working at a level above the details and dealing
with the obstacles for organization success. The information derived from such exploration has
great value to the management governance team.
There are different success factors in this new environment. The detailed checker may not have
the experience to adequately stimulate the imagination to identify all material risks. The new
auditor may need more strategic skills in visioning, planning, and communications. Definitely the
new internal auditor must move from the accounting and finance bias to more of a general
management bias (with a thorough understanding of the finance and accounting processes) (p. 5).
Overall, these drivers of change are real and should be taken seriously by the internal auding
functions, which are still considerably behind the curve in reinventing themselves. Any further
delays in this direction will only make it harder for such internal audit functions to legama
relevance lost.
Whenever we talk about change of any kind, such as reengineering, implementation of the TQM
process, or supply chain optimization, a common question arises in the mind of a practitioner:
Internal Audit
Focus
Internal Control Business Risk
Reactive, after-the-fact, Coactive, real-time, continuous
Internal Audit discontinuous, observers of strategic monitoring, participants in strategic
Response planning initiatives plans
Scenario Planning
Risk Assessment Risk Factors
Internal Audit
Important Controls Important Risks
Tests
Internal Audit
Emphasis on the Completeness of Emphasis on the Significance of
Methods
Detail Controls Testing Broad Business Risks Covered
Internal Control: Risk Management: .
Internal Audit • Strengthened . • Avoid/Diversify Risk
Recommendation
• Cost benefit • Share/Transfer Risk
s
• Efficient/Effective • Control/Accept Risk
Source: McNamee, David, and Georges M. Selim, Risk Management: Changing the Internal
Auditor's Paradigm (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation), 1998. Reprinted with Permission.
The first critical element of a successful internal audit reengineering initiative is to assess the
inherent level of complexity in an organization. It is the nature and change propensity of an
organization, besides its strategy and mission, that dictates the ultimate vision and goals of an
internal auditing function and thereby its role as a reengineered internal audit function. In other
words, internal audit reengineering must be a function of the inherent complexity of its business
organization. In this regard, a recent Deloitte & Touche study (1998, p. 6) suggested that business
organizations can be placed on a continuum with two extremes being "contained" and "complex."
A contained business organization is typically characterized by:
Deloitte & Touche, 1998, "Internal Audit: The Nature of Transition." Research conducted by
Deloitte & Touche Cosourcing Practice.
Before proceeding with internal audit reengineering, each internal audit function must an analyses
of the "containment" vs. "complexity" of its organization by analyzing its extern environment and
industry in terms of the degree of rivalry among industry participants, threat of new entrants and
substitutes, and bargaining power of customers and suppliers (Porter, 1985 1996). This analysis
would help the internal auditing function determine the place of its business organization along this
continuum, which in turn would help it understand the extent to which the internal auditing
conducted by it should emphasize the shareholder value "protection" vs. shareholder value
"enhancement." In other words, should internal auditing be the policeman" to protect the
shareholder value or should it also be a "partner" with management and a "consultant," helping
them enhance shareholder value? The growing trend in internal audit organizations is no longer an
either/or decision, but rather how to balance the two roles while maintaining objectivity and
independence. There is no easy answer in creating this balance because to a great extent it
depends upon not what the internal audit function can deliver, but what is needed by its
customers. The framework that creates an alignment between the role of the internal auditing
function and the complexity level of its business organization is presented in Figure 3-5.
According to this figure, organizations are becoming more complex. Therefore, internal auditing in
general needs to put more emphasis on enhancing shareholder value by assuming more of a
consultative management partnering role in the new organization.
The second critical element in any successful internal audit reengineering is the clear identification
of internal audit's customers and an accurate mapping of their needs and wants. There is a lot of
help available in this area. The proliferation of TQM in the early 1990s made us extensively
familiar with the notion of an internal customer as opposed to an all-too-familiar end customer.
Typically, internal auditing may have three primary customers: audit committee of the board of
directors, corporate senior management, and auditee senior or operating management. In some
cases there may be other customers (primary or secondary), such as regulatory agencies and
external auditors. However, on the critical importance of the audit committee and senior
management as internal audit customers, Wescott (1995) observes:
Without executive management support the audit department loses touch with the needs of its
most valued "customer." Without customer support, the audit "product" loses perceived value.
When there is a loss of perceived value, the customer looks elsewhere for service. When the
customer looks elsewhere for service, you look for another job (p.
44).
Organizations characterized by
- Stable growth
Contained
Source: Deloitte & Touche Enterprise Risk Services, Internal Audit: The Nature of Transition,
Critical Element 3: Develop a Mission and a Vision for the Internal Audit Function
The third critical element of any successful internal audit reengineering is the creation of a mission
and a vision for the internal audit function. However, prior to creating its own mission, the internal
audit function should expend a sufficient amount of time understanding the mission and vision of
its business organization. Successful internal audit reengineering not only requires an alignment
between the mission of the internal audit function and its business organization, but demands that
the internal audit mission support its larger organization's mission to demonstrate value-added.
According to Stone (1996, p. 32):
A mission statement is the starting point for an (internal auditing function's) entire planning
process. Establishing the mission requires (internal audit's) top management to sit down and
seriously consider where the internal audit function) is now and where it should be in the future. A
mission statement provides a sense of direction, focus, and unity and in Chester Barnard's words,
"a spirit that overcomes the centrifugal forces of individual interests or motives" (Barnard, 1968, p.
283). It contains both a strategic and a cultural perspective. Strategically, the mission statement is
a tool that defines the (internal audit function's) business and target (customers). Culturally, the
mission statement serves as the "glue" that binds the (internal audit organization) together through
shared values and standards of behavior (Campbell and Nash, 1992). (parentheses added)
Stone (1996, p. 32) further comments on the importance of mission statements as the motivational
tool by quoting from Bennis and Nanus (1985) as follows:
When the internal auditing function) has a clear sense of purpose, direction, and desired future
state, and when this image is widely shared, individuals are able to find
ilarly. Moore and Diamond (1995, p. 31) view a mission was a statement of shared purpose and
shared values." According to them:
Shared purposes provide a focus that integrates the services provided by the organization with the
needs of its external stakeholders. Shared values convey the spirit that permeates the
relationships between the organization and its external stakeholders and within the service-
providing team itself.
It is erroneous to think that mission statements are only appropriate at the overall organizational
level and shared service units such as internal auditing do not benefit from having a clear vision,
mission, or a sense of purpose. The participatory exercise undertaken to develop a mission and
vision would force the internal audit group to confront such basic questions as "Why do we exist in
this organization in the first place? How are we creating value ourselves or helping others create
value? Are we contributing to the overall goal and purpose of this organization? Why would
someone want to use the output of internal auditing? What does our output help others
accomplish? And, above all, would our users be willing to pay for our output, etc?6 Our experience
suggests that such an exercise inevitably starts a healthy dialog among the internal auditing staff
members — the first step to overcoming the internal resistance to change.
The fourth critical element of internal audit reengineering is the process orientation. The internal
audit function in a majority of the business organizations resides as part of the finance function
because it often reports to the CFO in an administrative arrangement. Functionally, it may report to
the audit committee of the board of directors, but for day-to-day management, it is treated as a
department within the larger finance function. That structure may fit the needs of the finance
organization, but internally, a reengineered internal audit function should be nothing more than a
conglomeration of various core and support internal audit business processes. Barring any pirical
validation (which is presented in the survey results chapter), the following core and
Internal audit human resource process i.e., hire to rotate, promote, or fire)
Internal audit staff performance evaluation process.
Process to assess the overall performance of the internal audit function in ligh vision,
mission, goals, and objectives.
Internal audit continuous improvement process (i.e., customer feedback, benchmark with
peer internal audit functions, etc.).
Process to coordinate and interact with the external auditors.
Process to continuously interact with the audit committee as well as corporate senior
management to ensure that these key customers are getting what they need from the
internal audit function.
By no means is it meant to be a boilerplate process classification for all of the internal auditing
functions aspiring to reengineer. The intention is that to move from a traditional "policeman" type
of role to a "consultative" type of role, internal auditing should also follow some of the principles
that it would use while conducting internal audits in this capacity. Therefore, in the spirit of
establishing a process-oriented internal audit function, each process should have a process owner
at the audit manager level or higher, and each process should be clearly mapped and flowcharted.
This process orientation can be of tremendous help in making internal audit reengineering
successful. Citing some micro-level examples of internal audit reengineering outcomes, Wescott
(1995, p. 44) observes that:
There is nothing sacred about how auditors do their jobs. Professional standards are broad
enough to allow for ordinary, notable, or even radical means of accomplishing audits. Review how
the audit engagement might be streamlined and simplified. Should auditors handle some entrance
meetings with e-mail instead of face-to-face? Should scopes of audits move beyond company-
specific tradition to target high-risk areas. Should final reports include management
recommendations and still make a two-week post-audit deadline... Think about the comparative
value of a recommendation on the
The newly approved definition of internal auditing from The IIA, which proves Wescott's view,
reads as follo Internal auditing is an independent, objective assurance and consulting activity
designed to add value and improve organization's operations. It helps an organization accomplish
its objectives by bringing a systematic, discipl approach to evaluate and improve effectiveness of
risk management, control, and governance processes.
value goes toward process. Your organization is thinking this way. Are you? Often overJoked are
the internal processes that the audit customers do not see: time tracking, scheduling, planning,
training, and record management to name a few. How might you
dify these to best use technology advances, increase productivity, and enhance auditor job
satisfaction?
there it is also important to note that to be effective, the relevant processes within internal diting,
such as human resources and performance evaluation, be properly cascaded with the finance
function's related processes as well as with those of the larger organization. Synergies with the
larger organization's processes will lend longevity and legitimacy to the internal audit's rocesses,
which is always desirable while implementing change.
The internal audit function should develop a business model for itself, based on its understanding
of internal audit's customer needs and wants, the various core and support internal audit
processes, and the external environment and the change drivers leading it to reengineer. A
sample business model template is proposed in Figure 3-6.8
As part of developing this business model, the reengineered internal auditing function would
develop an understanding of the following:
Who are its suppliers? For example, the finance function is a supplier of internal auditing in
the sense that it approves the internal auditing function's budget. The human resource
function is a supplier because it supplies it with trained internal auditors to execute its vision
and mission. The external auditors are suppliers because they provide "canned" audit
programs or other assistance. And other outsourcing service providers are suppliers
because they supply temporary staff during peak periods of activity.
The objective of identifying and understanding suppliers and their role in the success of the
internal auditing function will enable the internal audit function to understand the degree of
dependence it has on these constituencies. This understanding will help it ascertain the
extent to which these suppliers can enable or disable internal auditing in achieving its
business objectives and what it can do to control these risks.
Protective Activities
Enhancing Activities
What kind of alliances or partnerships can it develop with its customers to better execute its
mission and goals and develop new opportunities for internal auditing to add value? For
example, internal audit may consider joint audits, joint control and risk selfassessments,
control and risk-oriented training and development, and internal audit staff rotation to the
business units.
Thompson and Strickland (1993, p. 18) define a strategic plan as the "statement outlining an
organization's mission and future direction, near-term and long-term performance targets, and
strategy in light of the organization's external and internal situation." Consequently, strategic
management tasks must involve environmental analysis, goal formulation, internal resource
analysis, strategy formulation, strategy implementation, performance evaluation, and continuous
strategy monitoring and control (Shrivastava, 1994). Generally, when one hears the word
"strategy" or "strategic planning," one normally tends to focus on the entire organizational level.
But there is no reason, except for our own tunnel vision, why the internal auditors cannot apply
these concepts or thoughts to their activities to unleash the power of the internal auditing function
in today's organizations. As a starting point, Figure 3-7 provides a "generic" change integration
framework that can be utilized to develop an internal audit strategic plan (Moore and Diamond,
199511).
Its centerpiece is the mission of an internal audit function as discussed in Critical Element 3. Other
elements of this strategic plan are:
Distinctive capabilities, which are core competencies or special attributes that add value to
internal audit customers. These are capabilities that would underlie the future performance
of the internal auditing function, enabling it to deliver value on a sustainable basis. For
example, in the case of internal auditing being a service organization at a collective level,
the audit staff can be viewed as a distinctive capability that must be TMAclass" in terms of
its experience, maturity, business savvy, and skills. In its absence, the value-added of the
reengineered internal auditing would be highly questionable.
Mission fulfill Internal Audit's mission Audit's distinctive capabilities must do to achieve its
distinctive capabilities
Shared Purposes
Shared purposes provide
focus by driving strategy
Shared Values
Measures of
Success
Indicators of success in
fulfilling our mission
Measures are quantitative and qualitative indicators that are continuously meas, tracked by
the internal audit function to determine whether it is successful in achie its mission, goals,
and objectives. It is important that these measures be co-develope the internal auditing
function in complete transparency and continuous consultation wi its customers. If the
customers of the internal auditing function do not find the measures creditable, then it
becomes an exercise in self-padding with no real impact great deal of literature is available
in this area to help internal audit practitioners deve the needed measures. 12
Strategies are critical initiatives that a reengineered internal auditing function needs to
undertake to achieve its mission. At this stage in the reengineering process, it is important
that the broad mission and vision be broken down into actionable items because strategies
incorporate a number of coordinated actions to accomplish these specific goals and
objectives. The establishment of strategies implies committing resources to achieve a
specific end. Implicit in developing strategies is the assumption of identifying potential
obstacles and estimating their impact on the achievement of the internal auditing function's
mission, goals, and objectives and developing appropriate "tackle" plans.
It is all too common to see participants in the reengineering initiative proclaim victory at the end of
a long and arduous reengineering project only to see new problems arise or a misalignment to
occur to disturb their recently achieved equilibrium. Unfortunately, that is the irony of the real world
with which we all are too familiar. As mentioned earlier, since internal auditors now operate in a
continually changing business environment, they cannot afford to rest on their laurels. Rather, a
major internal audit reengineering initiative should be supported with an ongoing continuous
improvement process. Emphasizing the importance of following internal audit reengineering with a
continuous improvement mind-set, Wescott (1995) observes:
Revisit everything periodically and look for changes that will improve those things already done.
Continuous evaluation will bring moderate improvements until the next radical reengineering
effort. The audit department cannot afford to become secure and content. That is, after all, what
caused the whole reengineering effort in the first place (p. 46).
editing function should also guard against the mind-set that might stalk any continuous
Improvement efforts based on the feeling that it is too soon to change anything anymore.
Whether you are using computer-assisted audit techniques, specialized audit software,
mainframe, workgroup, or local area networks, each member of the audit staff should have access
to and be proficient in some aspects of its use. Notice that this is a three-part "how." The
availability of technology (hardware and software), training for its use, and the opportunities to
apply it, is critical. The three are highly integrated and one cannot go without the other two.
Training without application is shallow. Access without training is frustrating. An application
without access or training collects dust (p. 46).
It is important that information technology be used to support and enhance the reengineered
internal audit processes rather than drive them. Improvements in various internal audit processes
should not be made to fit the processes to the available technology, rather the available IT tools
should be altered to fit the processes. Therefore, the IT vendor for audit tools and systems should
be selected systematically and methodically.
Although marketing the internal auditing function, per se, may not be considered a critical lement
of internal audit reengineering, it is perhaps the most important activity that a reengineered internal
auditing function ought to undertake. Based on the field study interviews onducted as part of this
research, marketing of the internal audit function's activities and "valueuded" must go hand-in-
hand along with internal audit reengineering. As ironic as it may sound, today's environment of
"faster, better, cheaper," "do more with less, and "outsourcing." interauditors, just like all other
functional areas, have no choice but to be proactive in marketing
Internal auditing is an independent, objective assurance and consulting activity designe to add
value and improve an organization's operations. It helps an organization accom. plish its
objectives by bringing a systematic, disciplined approach to evaluate and improve the
effectiveness of risk management, control, and governance processes. [emphasis added]
A close examination of this definition will reveal that the profession of internal auditing is clearly
repositioning itself as a value-added partner with management as opposed to being perceived just
an overhead. Given these perceptions and stereotypes, it is imperative that as the internal audit
function reengineers itself, it should also engage in a proactive way to educate its organization's
members about its new focus and mission and how it can help organizational members and
business units achieve their goals and objectives in a "risk intelligent" way. Without an explicit
marketing effort, you may not be able to realize the full potential of the internal audit reengineering
effort that is add-value to the larger organization.
Summary
As one can see, in more ways than one, the above mentioned nine critical elements are al building
blocks of internal audit reengineering. These critical elements should not be in ed as sequential
steps in the internal audit reengineering road map because some of the can be acted upon
concurrently. In the end, Wescott (1995) appropriately comments:
(Internal audit) reengineering is neither easy, free, a quick fix, nor always successful. It is
realistically quite difficult, will come at a cost, and must be a a long-term perspective. Short-term
results are fleeting and can discourage ev best of the intentions. However, [internal audit)
reengineering can succeed and p superior results. The radical approach may not be entirely
necessary, but its an discourage even the ecessary, but its elements
And if you are still not convinced, here is what Charles Darwin had to say: "It is not the strongest of
the species that survive, nor the most intelligent, but the one most responsive to change." So, here
is a message to internal auditors: Do not become extinct!
References
Barnard, C.L., The Functions of the Executive (Cambridge, MA: Harvard University Press) 1968.
Bell, Timothy, Frank Marrs, Ira Solomon, and Howard Thomas, Auditing Organizations Through a
Strategic-Systems Lens (Montvale, NJ: KPMG Peat Marwick) 1997.
Bennis, W., and B. Nanus, Leaders: The Strategies for Taking Charge (New York: Harper & Row)
1985.
Campbell, A., and L.L. Nash, A Sense of Mission (Reading, MA: Addison-Wesley Publishing
Company) 1992.
Deloitte & Touche, Internal Audit: The Nature of Transition, (New York: Deloitte & Touche) 1998.
Gibbs, Jeff, and Patrick Keating, "Reengineering Controls," Internal Auditor (October 1995): 4649.
Gupta, Parveen P.. and Manash R. Ray, Total Quality Improvement Process and the Internal
Auditing Function (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation) 1995.
McNamee, David, and Georges M. Selim, Risk Management: Changing the Internal Audi
Paradigm (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation
1998.
Moore, Michael R., and Michael A. Diamond, The Challenge of Change in Business Education
(New York: Ernst & Young Foundation) 1995.
Porter, Michael E., Competitive Advantage (New York: The Free Press) 1985.
Porter, Michael E., "What Is Strategy?" Harvard Business Review, (November-December 1996):
61-78.
Pound, John, "The Promise of the Governed Corporation," Harvard Business Review (March/April
1995): 89-98.
Rittenberg, Larry E., and Mark A. Covaleski, The Outsourcing Dilemma: What's Best for Internal
Auditing (Altamonte Springs, Florida: The Institute of Internal Auditors Research Foundation)
1997.
Senge, Peter M., The Fifth Discipline: The Art and Practice of the Learning Organization (New
York: Currency Doubleday) 1990.
Stone, Romuald A., "Mission Statements Revisited," SAM Advanced Management Journa (Winter
1996): 31-37.
Thompson, Arthur A. Jr., and A.J. Strickland, Strategic Management: Concepts and Cases
(Homewood, IL: Irwin) 1993.
Wescott, Ross E., “Radical Reengineering for Internal Audit," IS Audit and Control Journal (Vol.
III) (1995).
Consistent with the overall objectives of this exploratory research, the data for this project was
collected using a number of research methods, including extensive literature review, a survey
questionnaire, in-depth on-site interviews with key members of several world-class and
reengineered internal auditing departments, and analysis of company-specific archival information.
This chapter discusses the sample profile in terms of the participating firms as well as individual
internal auditors (of course, in aggregate and on an anonymous basis). The purpose of presenting
this background information is to define the proper context for the readers within the confines of
which they should interpret these research findings.
This section evaluates and analyzes the characteristics of the respondents in terms of their level of
overall experience, the specific accounting and auditing experience, and the level of their
educational background and professional qualifications. Background information on the
organizations included in the sample and on the characteristics of the internal auditing function is
also provided. This background information is provided to help the readers of this study develop
an overall sense of the context within which to interpret the results and arrive at conclusions best
suited to their organizations. Further, where appropriate, respondent and firm demographics are
also compared with the findings of The Institute of Internal Auditors Research Foundation (IIA RF)
1995 research study by Gupta and Ray.
A total of 382 surveys were mailed to current and former members of The IIA. Of these, 112
surveys2 were completed and returned, yielding a response rate of about 32.4%. Table 4-1
provides information on the titles of the respondents who completed the survey. As can be seen,
The average age of the respondents was 46, with a range from 31 to 64. On average, the
respondents had an overall work experience of about 24 years, of which about half of their
experience came from being an internal auditor. Further, on average, the respondents had been
working with their present company for the last 14 years, which includes an average of five years
in their current position in the present company. Based on this information, we can observe that,
on average, the respondent pool represents internal promotions from within the internal auditing
department. Given the dynamic changes in the current internal auditing environment, it is expected
that within the next five to 10 years, one would expect to find an increasing number of non-
traditional internal auditors occupying the positions of senior internal audit executives, whether
they were appointed from within or outside their present organizations. From a research
methodology viewpoint, since we have an experienced pool of respondents, there is considerable
legitimacy and real-life value in the findings of this study.
Similarly, the respondent pool is also a well-educated group. It is evident from the fact that more
than half the respondents (51%) had master's degrees, predominately MBAs with a concentration
in accounting or finance. It is interesting to note that of the remaining respondents who held only
bachelor's degrees, a little less than half (45%) had degrees in non-accounting areas such as
finance, marketing, economics, mathematics, industrial engineering, computer science,
psychology, and literature. This compares impressively well with the 1995 IIA RF study (p. 80) in
which about 65% of the respondents had only bachelor's degrees and only 35% of the
respondents had master's level education. These data suggest that an increasingly large number
of Fortune 500 firms are recognizing the importance of master's level education for their internal
audit executives.
dy a similar upward trend is evident with respect o the number of respondents having a formal
certification. Of the 112 respondents, only 12 about 15%) had no formal certification. Of the
remaining 95 respondents (85% of the sample 08 (80%) were CPAs and 25 (29%) were CIAs.
Further, 27 respondents (more than 30%) hela uual certification Ge. CPA. CIA. CMA. CISA, CA,
etc.). In contrast, the 1995 study in 701
Ported 83% of the respondents having a formal certification: 26% CIAS, 75% CPAs, and 250
holding more than one certification.
The above discussion and analysis clearly point to the fact that the respondent pool for this study
is well qualified and more than adequately experienced. This provides a strong backdrop for
analyzing the findings of Section II of the survey, which are discussed in the next chapter. The
next section presents the findings and discussions on firm characteristics.
As discussed earlier, 112 respondents completed the survey. Out of these 112 respondents, 102
were from Fortune 500 companies and 10 were from non-Fortune 500 companies. Since the
financial metrics data (i.e., assets, revenue, profits, stockholder's equity, market capitalization,
etc.) were not available for the non-Fortune 500 entities, this information is presented only with
respect to the 102 respondents to provide additional context for interpreting the results and
assessing the applicability of various practices to firms of various sizes.
On an average, the 102 responding firms had total assets of $26,615 million and sales of about
$12,760. For the same year, these firms had an average profit of $782 million on an average
stockholder's equity of $5,115. These firms employed an average of 50,000 employees and had
an average market capitalization of $20,721 million. This profile is a fair representation of the
Fortune 500 when compared with its overall average assets of $25,763 million, average revenue
of $11,037 million, average profits of $648 million, average stockholder's equity of $4,152 million,
and average market capitalization of $16,221 million. In other words, our sample more than
adequately represents the Fortune 500 firms on the frequently reported financial metrics.
Panel A and Panel B of Table 4-2 provide information on the annual budget of the responding
internal audit functions. In such studies, respondents are usually not willing to disclose the exact
information on their budgets, etc.; therefore, intervals starting with $0 to more than $20 million
were used to collect data on this sensitive variable. According to Panel A, of the 109 respondents
who provided information on this question, more than 65% had internal audit budgets ranging from
$0 to $4 million dollars, and the remaining 35% had internal audit budgets ranging from $4 million
to more than $20 million. Panel B of Table 4-2 reveals some interesting information: about 52% of
the responding internal audit functions experienced an increase in their internal The percentages
would not add up to 100% due to double counting.
Table 4-2: Internal Audit Annual Budget Excluding Outside CPA Fees
1. $0-$500,000 6%
2. $500,001-$1,000,000 6%
3. $1,000,001-$2,000,000 25%
4. $2,000,001-$4,000,000 28%
5. $4,000,001-$6,000,000 11%
6. $6,000,001-$8,000,000 8%
7. $8,000,001-$10,000,000 6%
8. $10,000,001-$15,000,000 5%
9. $15,000,001-$20,000,000 3%
ease (34%) or no change (14%) in their internal audit budgets with the percentage
audit budgets with the percentage of internal audit functions expecting either a deor
or no change (33%) over the next five years. Overall, these statistics point to the fact th for about
half the sample, the internal audit budget is trending upwards, while for the other half of the
sample the trend toward decreasing the internal audit budget is een
ternal audit budget is either slowing down or the trend toward "staying put" or not changing the
internal audit budget is accelerating. Based on this Tinding, one can speculate that an increasing
number of senior management within the Fortuna 300 firms are allocating more resources to their
internal audit functions because they perceive them as value-added partners more than ever
before. If this were not the case, in the current world of outsourcing one would expect to find
across the board an overall declining trend in the bndo. ets of internal audit functions.
Table 4-3 provides information on the average number of hours that are spent on continuing
professional education or training by the various internal auditing departments. Panel A of Table 4-
3 provides mean, median, mode, standard deviation, and range for the entire sample, while Panel
B of Table 4-3 further analyzes the desegregated data as it relates to the budget of the internal
auditing department.
According to Panel A of Table 4-3, on an average about 65 hours are spent by a typical member
of the internal audit staff on continuing professional education or training during a year. For the
entire sample the range of training hours varied from a low of eight hours per auditor per year to a
high of 200 hours per auditor per year. When compared with the 1995 IIA RF study, it appears that
the time spent on training by internal audit professionals has essentially remained unchanged:
from an average of 63 hours in 1995 to an average of 65 hours in the current study.? This is a
perplexing finding given the fact that during the same period, the internal auditor's responsibilities
expanded into a number of new areas (i.e., increased involvement in the total quality and business
process improvement initiatives, business risk and control-related audits, etc.). Further
examination of Panel B of Table 4-3 suggests that about 78% of the respondents provide
anywhere from 20 to 80 hours of training per auditor per year. It is not clearly evident from the
results presented in Table 4-3, but further analysis of the segmented results for various budget
groups reveals the expected: there is an increase in the number of hours of training available to
the internal audit staff as the budget of the internal audit departments increases.8
1. $0-$500,000 1 3 1 1 0 1 7
2. $500,001-$1,000,000 1 2 2 0 2 0 7
3. $1,000,001-$2,000,000 2 14 3 7 0 0 26
4. $2,000,001-$4,000,000 0 5 8 10 2 5 30
5. $4,000,001-$6,000,000 0 6 2 2 2 0 12
6. $6,000,001-$8,000,000 0 3 2 1 1 1 8
7. $8,000,001-$10,000,000 0 1 1 3 2 0 7
8. $10,000,001-
$15,000,000 0 0 1 2 0 1 4
9. $15,000,001-
$20,000,000 1 1 0 1 0 0 3
10. More than
$20,000,000 0 0 0 1 1 0 2
total 5 35 20 28 10 8 N=106
Percentage of
Respondents
Information Technology Tool Using the IT Tool
Microsoft Office Suite 92%
Table 4-5 provides information on the reporting relationship of the sample internal audit functions.
Panel A of Table 4-5 provides information on the percentage of respondents experiencing each
type of reporting relationship. A review of these results points to two major groups to whom the
internal audit function typically reports: chief financial officer and the audit committee of the board
of directors.
Further analysis of internal audit's reporting relationship as reported in Panel B of Table 4-5
provides additional insights. Panel B of Table 4-5 develops the clusters from the frequency count
underlying Panel A in Table 4-5. Primarily three clusters emerge: single reporting relationship, dual
reporting relationship, and more than dual reporting relationship. These clusters were further
classified according to whether the internal auditing function had a solid-line or a dottedline
relationship. What emerges from this clustering is the fact that about 74% of the responding
internal auditing departments have one or the other kind of dual reporting relationship, while the
remaining 26% either have a single or more than dual reporting relationship with the various
members of the senior management team and audit committee of the board of directors.
Overall, upon comparing the detailed findings of this study with the 1995 IIA RF study and the
1978 Conference Board study (Macchiaverna 1987), one can observe the following trends in the
internal auditing function's reporting relationship within the organization's hierarchy:
Over the years the internal auditing function's reporting relationship with the corporate
controller has consistently declined.
The internal auditing function's reporting relationship with the corporate treasurer has
virtually disappeared.
There is a substantial decline in the internal auditing function's reporting relationship to any
single reporting authority in the organization, such as only the CFO or an equivalent senior
financial executive, or only the CEO or an equivalent senior corporate executive.
Percentage of Times
1. Solid-Line Reporting Mentioned
• Solid-line reporting to corporate CFO or anequivalent senior financial
59%
executive
2. Dotted-Line Reporting
• Other 3%
Percentage of Times
Mentioned
1. Single Solid-Line Reporting 10%
*), provides detailed guidelines on the skills and competencies needed for the em and changing
role of the internal auditor as the profession enters et Table 4-6, which is organized in three
panels, rank orders the skill set by the av
he extent to on these skills are found in the professional internal audit start of the participating
internal auditing departments.
Panel A of Table 4-6 provides ranking of the skills that exist to a great or sufficient extent in the
audit staff of more than 50% of the participating internal audit functions, which are listed below.
Panel B of Table 4-6 provides ranking of the skills that exist only to a moderate extent in the audit
staff of more than 50% of the participating internal audit functions, which are listed below:
Interestingly, when we examine Panel C of Table 4-6, which again provides a ranking of the skills
that exist only to some extent in the audit staff of the participating internal audit functions, almost
the same set of skills emerges again. They are listed below:
Comparison of the results presented in Panel A with Panel B and Panel C of Table 4-6 points to
three observations and conclusions. First, since the rankings of the skills highlighted in Panel A
PANEL A: Rank Ordered Skills that Exist to a Great or Sufficient Degree in the Internal
Audit Staff
PANEL B: Rank Ordered Skills that Exist to a Moderate Extent in the Internal Audit Staff
PANEL C: Rank Ordered Skills That Exist To No Or Some Extent In The Internal Audit State
Percentage of Times
Mentioned
1. TQM/Reengineering knowledge 35%
6. Value-added orientation 5%
vs. Panel B and Panel C are mutually exclusive, there appears to be consensus among the
respondents on the existing strengths and weaknesses of the skills possessed by their internal
audit professionals. Second, when we combine the results presented in Panel B and Panel C, a
worrisome picture emerges: 91% of the internal audit functions feel that their internal audit staff
lacks the sufficient skills in the area of TQM/reengineering; 85% report lack of sufficient knowledge
of the alternate risk management strategies; 78% report lack of sufficient understanding of
information technology enablers; and 77% report lack of sufficient preparation in facilitation skills.
The reason these findings are worrisome is because these are the very basic skills that would be
needed of the internal auditing profession as a whole to deal with the emerging opportunities, such
as integrated risk management, risk assessment, control self-assessment, business process
reengineering, and total quality improvements in the next millennium. Third, an examination of
rankings in Panel A points to the fact that over the years internal auditors have succeeded in
acquiring some of the soft skills, such as interpersonal skills, the ability to work in the
interdisciplinary teams, good oral and written communication skills, client or customer focus,
valueadded orientation, and a continuous improvement mind-set.
Overall as a profession we are moving in the right direction by developing a portfolio of skills that
contains the hard and soft skills. However, due to the rapidly changing business environment and
the speed-of-light infusion of information technology in the business, we need to leapfrog in
Others 9%
acquiring the emerging skills that we lack as profession as a whole. In the absence of these skills,
internal auditors could very well lose on the value-added proposition that is so often espoused by
the senior management of almost all the organizations. Further, in the future, these are the skills
(among others) that will differentiate a world-class internal audit function from a not so worldclass
internal audit function.
Table 4-7 presents a ranking of the internal audit customer base as reported by the participating
internal audit functions. The top four internal audit customers are corporate senior management,
the audit committee of the board of directors, auditee management and staff, and the external
auditor. Other less noteworthy internal audit customers are internal audit employees, regulatory
agencies, and vendors or suppliers. Rarely, business partners or joint venture management,
company shareholders, and external customers are also perceived as customers by some internal
audit departments.
Two observations can be made from the data presented in Table 4-7. First, there appears to be an
equal emphasis by the internal audit functions on serving the needs of corporate senior
management as well as the audit committee of the board of directors in spite of each group's
unique needs and demands (senior management's emphasis on business-focused auditing vs. the
audit committee's emphasis on controls). Second, even though external auditors rank as the fourth
largest customer of the internal auditors, various case study interviews indicate mixed results.
le many internal auditing departments are trying to distance themselves from the external itors and
establish themselves as independent and creditable entities within their organizaons, at the same
time others are forging partnerships with them to ensure that the new roles adopted by internal
auditing are not sabotaged by external auditors by auditing the deserted areas nd increasing their
external audit fees. Overall, it is very comforting to note that the notion of
Summary
Overall, the findings presented in this chapter provide sufficient evidence that there have been lot
of structural changes in the way the internal auditing functions are organized across corporate
America today as opposed to three decades ago. Some of the major conclusions emerging from
this chapter are as follows:
An increasing number of senior internal audit executives are holding dual titles. Some of
these dual titles reflect the emerging orientation of internal auditing on value-added
consulting type activities.
There are significant changes in the reporting relationship of internal auditing with the
corporate controller, corporate treasurer, CEO, CFO, and the audit committee of the board
of directors.
Although slight, it is encouraging to see an increase in the number of female senior internal
audit executives.
A majority of the senior internal audit executives still come from within the rank and file of
the internal audit function, indicating that professionals with traditional accounting and
auditing backgrounds are still the preferred choice for these positions within the companies.
Increasing numbers of internal auditors are holding master's degrees, more so than ever
before.
For half the sample, the internal audit budget has trended upwards during the last five
years, while for the other half the trend is either toward not decreasing the internal audit
budget or at best slowing the pace of reductions in the budget. This indicates that, at least
within the Fortune 500 group, more and more senior corporate managers are beginning to
see the value-added of the internal audit function.
Even though over the years internal auditors have taken on new responsibilities (1.C.,
process improvements, total quality management, etc.) and adopted new audit approach es
(i.e., risk-based internal auditing), there has not been a significant change in number of
hours spent on annual training or continuing professional education.
In spite of the increased responsibilities of internal auditors in general in many new areas,
there is widespread perception that internal auditors lack sufficient skills or knowledge in
areas of total quality management, integrated risk management, information technology,
leadership, and facilitation skills.
More than ever a larger number of internal auditors are now using extensive information
technology-based tools, from Microsoft Office Suite, to automated audit tools and
workpaper systems, to Web-based query and intrusion detection tools.
The top four internal audit customers are corporate senior management, audit committee of
the board of directors, auditee management and staff, and the external auditors.
Overall, it is clear from many of the above findings that since internal auditing is primarily a people-
oriented function, its success greatly depends upon the kind of people it is able to attract, train,
and retain within the ranks. With the expansion of internal auditing into many new areas, it has
now become extremely important to think outside the box in developing human resource strategies
for the internal auditing function (i.e., attracting employees with more business background,
understanding of the business processes and technology, etc.). The progressive internal auditing
functions are doing exactly that.
The Institute of Internal Auditors Research Foundation
References
Gupta, Parveen P., and Manash R. Ray, Total Quality Improvement Process and the Internal
Auditing Function (Altamonte Springs, Florida: The Institute of Internal Auditors Research
Foundation) 1995.
The Institute of Internal Auditors, Competency Framework for Internal Auditors (Altamonte
Springs, Florida: The Institute of Internal Auditors Research Foundation) 1998.
Macchiaverna, P., Internal Auditing (New York: Conference Board) 1987.