Best-Practices in Internal Audits: Interview with Holly Kidder of the IIA
Yet, in the wake of security breaches and questionable business practices at some financial institutions, federal regulators are cracking down on auditors. In an exclusive interview, Holly Kidder, a director of the Institute of Internal Auditors, discusses:
Kidder has almost 15 years of experience within the field of internal auditing as well as practical knowledge in the financial services industry, having worked in various roles from teller to Vice President.
She is currently a Technical Director within Standards and Guidance at The Institute of Internal Auditors (IIA) Global Headquarters. The IIA, established in 1941, is an international professional association of more than 160,000 members in 165 countries with headquarters in Altamonte Springs, Florida, United States. Throughout the world, The IIA is recognized as the internal audit profession's leader in certification, education, research, and technological guidance.
TOM FIELD: Hi. This is Tom Field, Editorial Director with Information Security Media Group. We're talking about internal auditing today. Here with us is Holly Kidder of the Institute of Internal Auditors. Holly, thanks so much for joining me.
HOLLY KIDDER: Thanks for having me, Tom.
FIELD: Tell us a little bit about yourself and your role at the IIA. I see you've got a background that is going to be particularly enticing to our financial institutions.
KIDDER: Yes. Actually, Tom, I'm going to start with the IIA, just to give a brief background for those that are not familiar with it. The IIA has been around for a long time. We were established in 1941 and currently have about 160,000 members in 165 countries around the world. We are recognized as internal audit profession leaders in certification, education, research and technical guidance. We are also the global profession's leader, the chief advocate, where the standards are set for the worldwide profession of internal auditing. Many people have heard of us, but for those that haven't, there's a little background. As for me, you had mentioned that I have some background with financial services. I've had about 15 years of experience with internal auditing, but I've had practical knowledge in financial services. I started out as a teller. I worked my way up through the banking industry to Vice President of Internal Auditing before I left, and I've been with the IIA now for three years.
FIELD: Very good.
KIDDER: Specific to my role at the IIA, we provide standards and guidance for the professional practice of internal auditing, and one of our goals is to be recognized as a trustworthy, international, guidance-setting body. And within the standards and guidance team, one of our key roles surrounds the International Professional Practices Framework. Most people are familiar with that when we talk about our standards. The framework actually encompasses our standards, as well as all of our other authoritative guidance of the IIA, which also includes our definition of internal auditing and our code of ethics. Most are familiar with our practice advisories that give the methodology of how to implement the standards. But now we are coming out with practice guides and position papers, where practice guides give more of a step-by-step, hands-on, this-is-how-you-do-it type thing, which has been very useful for our members. We have our GTAG series, which is the IT series. As far as my role within the team goes, my focus is on the IPPF, but I also help beyond the IPPF in supporting matters that impact the internal audit profession as a whole.
I am the staff liaison for our professional issues committee. For those who are not familiar with the IIA and how we function, we have a huge group of volunteers all around the world, and most are familiar with our chapters and how you can get involved with the chapters. Going even higher up than that, we have volunteers that help us develop our standards and guidance, and they help us look at what the future of internal auditing is going to be. Within the professional issues committee, I work regularly with more than 50 thought leaders and practitioners from around the world who are selected to serve as volunteers to help us create our guidance, develop our standards and take the profession where it needs to go. That's primarily what I do, as far as our standards and guidance team goes. But we also assist with media relations, with our Common Body of Knowledge (CBOK), and we go out and do quality assessments. We go out and help with our course development, training and speaking engagements as well. We have a variety of things that we help out with at the IIA.
FIELD: Very good. Give us a sense, Holly. What is the state of internal auditing within banking institutions today, from what you see?
KIDDER: From what I see, we've got changing expectations, as far as the internal audit stakeholders go, resulting in revisions to internal audit strategies. Internal auditing's growing role is in enterprise risk management. With the financial crisis, there is a new focus on that. That has changed things. The way we used to look at it in the past, we looked at what the regulators were focusing on. What do we need to look at, as internal auditors, based on what the regulator is going to come in and look at? I really think that your senior management and your board of directors are starting to see more of the value that internal auditing can play, as far as helping the institution not only prepare for your regulators, but also to prepare for what risk might be out there that they don't see.
The audit committees are relying more on internal audits to keep the stakeholders informed on enterprise risk management strategies. Senior management or your board of directors will go to a conference, or listen to a podcast, and hear something. They're starting to turn to their internal auditors and say, "Hey, what do you know about this? If you don't know about it, can you research it and get back to me?" That's really key for the state of internal auditing. We've seen this coming along. We saw a big change with Sarbanes-Oxley, where everybody turned to internal audit and said, "Hey, we've got this internal control thing. What is this all about? Can you help us out?" There was a big push with that. Within financial services, we always had the fiduciary regulations, so luckily we were prepared for those organizations and those banks that fell underneath that. But the Sarbanes-Oxley really put an emphasis on the board of directors, on their responsibilities and having them really step up. I know when Sarbanes-Oxley came through the bank that I was at, it was the first time that we actually had our board of directors, and we scrutinized our audit committee, saying, "Okay, this is the experience that we need to have on our audit committee." We took a proactive approach for the organization, not necessarily just, "What are the regulators going to come in and look at? Let's make sure we've got that covered."
I have a friend who is a regulator with the Office of Thrift Supervision, and I asked him this question. His comments coming back to me were that in larger institutions that they regulate, they have seen a steady improvement over the last ten years from a general auditing standpoint. They think SOX has a bit to do with it, as I just spoke about, and they hope that regulation has played a part, as well. The IT audit is much stronger today than it was five to ten years ago, but it still needs more resources. We need knowledgeable, experienced IT auditors who are very difficult to hire and retain, not only in the financial services industry. I think that everybody is beginning to understand the key role that the IT piece is playing within companies, and not just the IT auditors. Every internal auditor has to have some sort of IT understanding. Those are some of the changing roles. But, going back to the basics, I think the biggest piece of it is looking at the enterprise risk management as a whole and internal audits getting more involved from the beginning, rather than being a retrospect. Internal audit is more of a resource for organizations than it was before.
FIELD: If you look at that as the mission of the internal auditor right now, where would you generalize and say that practices are strongest and where they are weakest?
KIDDER: Looking at financial institutions, when you are looking at their strongest and weakest points as a whole they are beginning to understand risk management more. We've always looked at risk. When the financial crisis came along, everybody asked, "What happened with risk in banks?" They've been doing it all along, but it was just the understanding of what risk management truly encompasses. It's taking a look outside of the box, and making sure that you are covering everything, not just the things that are in front of you. There are a lot of checklists within internal auditing and financial services, and I really think that we are getting stronger at looking outside that checklist. We are becoming more focused on the most significant issues. One of our weakest areas, from a financial institution perspective, is probably the documentation. Documentation is always very difficult to keep up on. And it's a challenge not only in financial institutions, but all industries.
FIELD: Yeah, you're right.
KIDDER: Looking from an internal audit perspective, when you talk about the strongest and weakest practices, it is going to depend on the maturity of the internal audit activity. Your maturity level is going to be based on your size, your scope, and the time the audit committee has been in existence. Sometimes you get into talking about whether it's an internal audit function or an outsourced internal audit function, depending on whether it is a rotational internal audit activity. Some people will bring internal auditors in and rotate them out every two years. It is very difficult to say, as a whole, where your internal audit activity practices are strongest and weakest. But, if I had to look at financial services in North America, I would say that our strongest practices relate to those that the regulators and the external auditors look at. That has been our focus in the past. It is our strongest still. It will be our strongest because the financial regulators and external auditors can make a big impact. That is going to be where your focus of the board of directors and your senior management is, because if they come in and give you a bad grade, or give you a bad rating, that is going to affect the organization as a whole. I think that will always be a very strong practice for your internal auditors, looking at what regulators are going to be looking at and looking at what external auditors are going to be coming in and looking at.
I also think that we are getting stronger as far as being a resource. We did a survey of 117 internal auditors working in the financial services industry in the U.S., and 42% felt that better risk management practices could have helped prevent the organization's current financial situation. More than half, 55%, felt that internal auditing could have helped identify the risk to mitigate the impacts of the financial crisis, and 43% of the respondents whose companies had accepted the TARP funds had not addressed the related risk. We expect this number to increase as companies feel pressured to look after the related reputational risks. Then, look at why internal audit did not play a larger role in preventing the crisis, and there are various reasons for this, what goes in the reasoning behind this. Some CAEs may not have been close enough to the organization risk management program. Many organizations' risk had been rated with extremely low probability. Many are now contemplating new approaches to risk assessment. Going back to what I said earlier, we looked at risk assessment outside the box. We are looking closer at factors such as probability and possible impacts of risks and their organizations' preparedness for those risks.
FIELD: We talked about the economy a bit. How has the practice been affected by the recession? I know there have been many cutbacks at financial institutions. What has happened to auditing?
KIDDER: The recession is definitely hurting internal auditing. Institutions have cut staff and auditing has definitely not escaped. We see it everywhere. Looking at that survey that we conducted, 41% had seen a decrease in their internal audit budget, and the biggest hits to the budget had been in the areas of training and travel, where 68% have had to freeze or reduce compensation in addition to that. Overall, the internal audit profession is feeling the pinch on their budgets as organizations try to deal with the reduced resources. That's been a common factor everywhere, looking at your staffing and trying to decide what's needed and what can be reduced. However, internal auditors are still in demand; things have just slowed down since the Sarbanes-Oxley boom. Our IIA membership is not increasing as dramatically as we had seen in the past, but it's still holding steady. Once the economy has improved, we expect to see another hiring trend as more accountability and transparency are expected by banking institutions. In fact, last month, the widely distributed Parade Magazine called internal auditing one of the five bright spots in the job market. At the beginning of the year, Forbes magazine said that President Obama's stimulus plan will boost the internal audit profession because they are calling for more oversight of the markets. We see the recession everywhere, but we expect that to rebound, as far as internal auditing goes.
FIELD: Now Holly, you spoke of the regulators coming in and we know that financial institutions are very responsive to what the regulators want. What do you find that they are looking for primarily? Maybe the top two or three things in best practices and auditing?
KIDDER: Overall, your best practices are still what they have always been: having strong documentation. It's a weak area, but it's key. It's best to have strong documentation. Strong communication with your audit committees and senior management is huge. If you have that relationship and you can get that communication going, that is certainly a best practice. Another common thing that is not talked about as much, but certainly is a best practice, is to have a strong program for follow-up and verification of action taken to address the audit concerns. We do all this work in internal auditing and if we don't follow up, it could all be for naught. As internal auditors, we make the recommendations and management has the option to implement what we recommend or not. Going back to the second best practice, if we have good communication with our boards and senior management, it will help with the follow-up piece.
FIELD: What sorts of programs and services are you offering now at the IIA to help out institutions?
KIDDER: This one is really near and dear to my heart, because when I was a practitioner in internal auditing, I steered away from the Institute of Internal Audit because I couldn't find what I was looking for. And even when I went to the chapters, I was in a remote area where I didn't have a close chapter; I had to drive at least an hour to get there. However, since I have been at the IIA, I have been overwhelmed with the resources that are here that I never imagined. Most people are familiar that the IIA provides guidance on an array of topics such as best practices, corporate governance, risk management and information technology. Most people are familiar with the IIA providing conferences and seminars around the world. We are doing more online training opportunities, and we also have onsite training, where we will set up a specialized program specific to your organization. Being from financial services, that is very important. Going to some of the seminars, I felt it was so generic. It just wasn't applying to me. Now that I am here at the IIA, we put together a specialized program for your company - not just for your industry - but for your company, and we will come in and we will train you specific to those. That was huge for me to find out. Also, every year we have our financial services conference.
This year it is in Orlando from June 1st to the 3rd. This is where we bring in high profile speakers from financial services and the banking industry. They discuss recent and emerging issues in the sector. The best thing about our conferences is you get the speakers that come in and also the networking opportunities, to have someone that is in the same situation that you're in. For myself, being in that remote location I couldn't always reach out to my chapter. But if I had a network of people that I could call up on the phone or send an e-mail to, that would be beneficial. Another key area of resources that the IIA has that most people are not familiar with is the IIA research foundation. They are in control of our bookstore, for example, and they come up with all the topics, and they resource that out to authors who will write books and publications, provided at the research foundation aspect on our website or through our bookstore, where you can purchase them. The IIA research foundation also does ongoing reports and our GAIN, which is our Global Audit Information Network. It has been moved underneath the research foundation. We do surveys. For example, if I'm an internal auditor and I'm starting up a new audit shop and I want to know what is common where I live for financial institutions, I can call up the IIA, and ask them to run a survey for me.
We can run a survey specific for you where you create the questions and we can send them out and you can get your answers. I've seen that happen a lot since I've been here because we are trying to show our board of directors and our audit committees that in the past, it was always "I've got two auditors and I need five." This is the reason why when they see the statistics, they can see what is happening in an area. That is always a helpful push. That's a common request from our GAIN network. We also have an annual participation, where you can be part of an annual survey and get information on a regular basis. If we go on and look at our IIA chapters and institutes, we have the networking opportunities, we have financial services, FSA membership, where you can be a member of the specific FSA group, and once you are a member of that, you can get the resources. I even get this question all the time: "Do you have audit programs for ABC?" From an IIA standpoint, that is very difficult for us to do because we are an international organization and we cover every industry. For us to come up and create audit programs for every industry around the world is very difficult. It is something that we really want to do, but we also struggle with, because we've got to make sure that we are not only watching out for those internal audit shops that are very mature. I'm going to be going to Ecuador next week doing a presentation, and their audit shops are different from what our audit shops are.
Even when we create our guidance, we try to look at it as, "Okay, this is a very mature audit shop," down to, "This is an audit shop that is just starting out." In the financial services industry, we have the biggest range of sizes and maturity levels within internal audit shops. Within our website, we have our periodicals online. Our internal auditor magazine is online, and that is a membership benefit. It has key resources there that you can go online and get. We also have discussion groups. That is not monitored by the IIA. You can go out to the discussion group and post a question. You can go out and ask for an audit program. A lot of people use that as a resource, just to get more information and insight from others that are out there. Lastly, people can call up the IIA and ask a question. I get questions all the time from members. When I was at the bank, I would have never thought to call the IIA and ask a question. If anyone has any questions, or needs resources, if you can't find anything you are looking for, you are more than welcome to contact the IIA and we can help direct you in the right direction. Our main number is 407-937-1100. Our website address is www.theiia.org. Once again, my name is Holly Kidder, and I would be happy to help anyone with any questions or anything they have that I might be able to assist with.
FIELD: Very good. Holly, thank you for your time and insight today.
KIDDER: Thank you Tom. I appreciate it.
FIELD: We've been talking with Holly Kidder at the IIA. For Information Security Media Group, I'm Tom Field. Thank you very much.