US: New audit standards will add to compliance load
December 12, 2023
2024 will be a demanding year for internal auditors who will be facing new requirements and updated standards.
"The IIA is getting ready to put out new standards for internal auditors," said Richard Chambers, former president and CEO of the Institute of Internal Auditors and currently a senior internal audit advisor at AuditBoard. "That's going to influence the key priorities for internal audit next year. Around the first of January, and you're going to have a year to get compliant, so whatever the new requirements are in those standards, that's going to be on the internal auditor's shoulders, along with all of these other compliance requirements coming out of regulatory and legislative this year. I think 2024 to me is setting up to be the year of compliance risk."
He anticipates the new standards will be more prescriptive. "Somebody did a word count of the number of times the word 'must' is used, and it was substantially more in the proposed standards than the current standards," said Chambers. "Here's a good example. Internal audit must have a strategic plan. It's no longer good enough that I plan audits one year ahead. I need to do that, but I also need to have a strategic plan looking three to five years out."
He has been involved in the IIA's standard-setting process for 25 years and was the chairman of the IIA's Standards Board the last time it did a major revision. "We did two revisions where I was the CEO," he recalled. "There's always going to be an element out there not happy. There's always going to be somebody who's not happy with the new standards or some new standard that you put out. I think you have to assure yourself that the IIA has the right governance processes in place. They have a Standards Board. They have an independent oversight council that watches what the Standards Board does. They put it out for public disclosure, they've taken all the comments in, some 19,000 comments, I think, so I have to believe that what will come out will serve the profession well. There are a lot of naysayers out there. People are criticizing them even before they come out, and I don't see how you can do that."
Chambers expects to see the new standards coming out in the next few weeks, and so far the feedback on the proposed standards has been positive. "The IIA has said that the vast majority of comments they got from people who have completed the survey were satisfied," he said. "But there were some areas where people were a little concerned. I think they've made their final decisions, and we're going to be in a good place. There are going to be some people who are not happy about it. My biggest concern and the biggest risk that I felt was in play when I saw the first exposure draft is there's already a real challenge worldwide in getting internal auditors to comply with the standards. My personal feeling is probably only about 25% of internal audit departments in the whole world comply with all the standards. My worry is you make the standards more rigorous, what is that going to do? It's just going to drive compliance down."
He and former IIA chair Patricia Miller recently wrote a blog article about "6 Things Every Internal Auditor Should Know about the Proposed Standards."
Meanwhile, internal auditors will be busy making sure companies are complying with new requirements from the Securities and Exchange Commission regarding cybersecurity and upcoming requirements on climate-related disclosures.
"Just as it was with Sarbanes-Oxley, just as it is with the SEC's cyber disclosures, just as it is with any new legislation or regulations, it creates compliance risk, and that's where internal audit should always have its finger," said Chambers. "Today's legislative headlines and regulatory proposals are tomorrow's compliance risks, because invariably, what's going to end up happening is you're going to end up with some form of rules that come out of it. And then there's going to be a period of time that you have to become compliant and who better to provide assurance to management and the board about readiness to comply and then, once the requirement is in place, ongoing assurance about compliance."
Chambers has been working with AuditBoard for about two and a half years, and he has been busy with other work for them as well as UNICEF and his own training academy.
"AuditBoard was one of the companies out there making big investments in internal audit, and it was just a natural fit," he said. "It's been great. I've truly enjoyed every minute of it. I spend about half my time with AuditBoard. I do a lot of other things, too. I have my own company, my own training academy. I've been doing a lot of training in the Middle East. I launched some seminars there that I'm bringing to the U.S. sometime soon. And then I'm the overseas dean of Nanjing Audit University in China. That's a volunteer role, but I spend a lot of time promoting them and helping them."
He recently returned from China, his first trip there since the COVID outbreak. He was recently in New York for a UNICEF meeting at the United Nations building. "I'm staying busy," he said. "I turn 70 next year, and people are saying I should slow down, but I don't think so. I'm not ready."
He has been writing his own blog, Audit Beacon, for about 15 years and recently wrote AuditBoard's 2024 Focus on the Future report, which covers technologies such as artificial intelligence.
"We call it 'Focus on the Future' because we do it once a year where we go out and we survey internal auditors, risk managers, compliance professionals, and we seek some input about what they think the key risks are that organizations are facing, and then what their audit priorities are, and then take a deep dive on other things, like we have some questions about artificial intelligence," said Chambers. "That's a fascinating topic to continue to monitor because we've been talking about AI for years, but in the last year the velocity of adoption and buzz around it accelerated almost exponentially. I don't think anybody really expected it, but at the same time, I would tell you that from what I'm seeing and from what our surveys indicated, internal auditors are still a little risk averse. They're not early adopters. There's a little more wait and see out there than there probably should be and I think that's going to be unfortunate if it continues. It will be unfortunate because internal auditors are going to miss real opportunities to leverage that emerging technology and the things that I think it can help them do. I call it a capacity multiplier because, like other technologies, if you're using it, it allows you to do more with less and to do it faster, and therefore as internal audit, you can cover more risks. To me, that's the biggest concern right now is that I feel like internal audit is not being as aggressive about experimenting and adopting the technology. I think some of that's just our tendency to be risk averse. We just don't want to be seen as failing. There's still too much mystery there for a lot of internal auditors."
He recently experimented with ChatGPT and had first-hand experience with the phenomenon of AI hallucination. He asked the chatbot which high-profile CEOs had once been internal auditors, and he got back the names of the CEOs of Apple and Microsoft, who definitely never were internal auditors.
"I knew one of the former heads of audit at Microsoft and I called him up and I said, 'Do you know the CEO of Microsoft today? Did he ever work for you guys?' He said, 'No, he's never been in internal audit.' Anyway, I started looking into it and to make a long story short, every single one it gave me was wrong," said Chambers. "I don't even know where it was coming up with this stuff. Tim Cook never worked in internal audit, but it sounded great. If I hadn't had a little bit of professional skepticism, I could have been banging out an article that would have gotten a lot of attention."
[Accounting Today]