BCAJ interviewed Mr. Naohiro Mouri [NM], Chairman and Mr. Richard Chambers [RC], Gobal President & CEO of the Institute of Internal Auditors, USA (IIA). In the following pages we present excerpts from the full interview. The aim of the interview was to understand individual stories and experiences of these two professionals and also to get a perspective on the emerging global internal audit canvas.
In this interview Mouri San and Richard speak to BCAJ Editor Raman Jokhakar and Nandita Parekh about their life experiences, their understanding of the Internal Audit profession around the world, corporate failures and role of internal audit, rebranding internal audit, future competencies, millennial generation and the profession of internal audit.
If you can recall and share your early professional journey and share with us 2 or 3 career milestones/experiences that shaped you? What is it that made you commit to a career in Internal Auditing and what other options did you consider?
(NM): I did not originally want to become an internal auditor. I started as an external auditor. I studied accounting in school and my career path was to become a CPA and then getting into one of the external audit firms. I passed CPA, and I became an auditor with Arthur Andersen. I thought it was the greatest profession in the world. But, as the second year passed, I became senior. Come third year, I was feeling a little complacent.
I started looking outside and took an offer to become a controller of a French bank operating in Tokyo, to replace someone who was to retire. I had no prior banking experience. So I went in and the bank was gracious enough to put me through two months’ training across different parts of the bank such as trading, settlement, credit, finance and compliance, legal etc. After two months, my boss called me up and said, “Mouri, your training is about to finish. But, the gentleman who is supposed to retire, decided not to retire. You have two choices. You either have to leave the bank or you start the internal audit department”.
I was very happy doing what I was doing, I did not want to leave the bank. So, I decided to just become the internal auditor and that was actually the beginning of my internal audit career. It turned out that it was the best opportunity for me because internal audit is different in each and every engagement. I’ve changed organisations – from French Bank to German Bank to American Bank and now I’m in insurance. But I have always been in internal audit and it always just excites me every day coming into the office.
(RC): You asked for two or three kinds of milestones that then ended up shaping the course of my career. And so, what I’ll probably do is sort of fast forward.
I came out of college and went into internal audit 43 years ago. So I have been in this profession for a long time. I worked in the US government – I was an auditor for over 20 years for the army – civilian auditor of the US Army. Then I spent some time in the US Postal Service where I was a Deputy Inspector General and then the Inspector General of the state-owned company The Tennessee Valley Authority, which is the largest producer of electricity in the United States. And then I had the opportunity to retire rather young. I was 47 years, and I took a retirement, had an opportunity to do that because of some wrinkles in the law governing civil service employment in the United States. So that was a really important milestone because at that point, I had to decide what was I going to do with the rest of my life because while I retired, I knew it was really more of a career change.
The President of the IIA at that time was a gentleman named Bill Bishop, who was quite an icon in the history of the IIA and he convinced me that I come to Florida and work at the IIA sort of the equivalent of the Chief Operations Officer. First, I was a little reluctant because I thought, okay, I have been in government. I am not sure, I want to go into a not-for-profit Association. But he was very persuasive. So the next thing I knew, we packed up and moved to Florida and I joined the IIA. That was in the year 2001. Three years later, he passed away very suddenly. It was a sad time for IIA. But it was time for me to think about doing something different and so, I took a reverse career path. Most people come out of college with an accounting degree like Mouri and they go into the public accounting field and then maybe later, they do internal audit. I spent my life doing internal audit and then, when I was 50 years old, I joined PwC. I spent five years with PwC in the United States and became the national practice leader for internal audit advisory services which was part of the internal audit practice that PwC had. So, that was the second milestone.
And then the third one was, at the end of my time at PwC, the IIA Board asked me to come back as the CEO; that was 10 years ago. So, I was back in the role of being a leader in this profession along with our Chairman. I served as a spokesman for IIA and a champion for internal audit in the world. So those are three milestones that just sort of jumped out at me, that sort of say – how did I get from there to here.
Richard, this questions is for you. You have been a prolific writer, speaker, two books, blogs for eight – nine years now, videos. How did you develop this art of communicating and being, sort of, the cheerleader for the profession of internal audit? And, being so disciplined to be able to publish week after week.
(RC): Actually, next month will be the 10th year that we put in the blog. So it’s been quite a journey. The last time I looked, we were already over 400 blogs since we started. When I wrote that first blog in February of 2009, I remember it was about the crisis, the impact of the financial crisis on internal audit. And I don’t think, I said then to myself, I am doing something that I will be doing for the next decade. But what I found was that members of our profession around the world starve for very contemporary, informal, short, digestible perspectives on things that are going on… Last year, I think, the blog was read more than 250,000 times. So it is an important way to communicate in the 21st century and then if you take the blog and leverage on social media, it has a wide reach and readership.
The books, I don’t know that I really ever expected I will write a book.
But way back in 2013, the Internal Audit Foundation, our publishing arm, came to me and said, you know, your blogs have been very popular, why don’t you share some perspectives via a book. I thought, I don’t know what I have to really share? But then, I started thinking that I have the privilege of being in this profession for 40 years. I started thinking what really I have to do, is a sort of package of these major lessons I have learnt in the course of 40 years into a book. We called it Lessons Learned on the Audit Trail. We published it and that is a very popular book. Then a couple of years later, the Internal Audit Foundation sensing that the first book had gone really well, came back and said “Would you write another book” and that is how this one – the second book, the Trusted Advisors book came about. I really sort of picked up where the first book left off (because I concluded “Lessons Learned on the Audit Trail” by talking about what does it take to be a Trusted Advisor in the 21st century).
After the book “Lessons Learned on the Audit Trail” was published, I really started reflecting and I thought that I had over-simplified the message about what does it take to be a Trusted Advisor. So we went back, we did some research, we gathered perspectives from Chief Audit Executives around the world and then we put this second book together “Trusted Advisors”, which was even more popular than the first.
We are now in the process of refreshing the first book “The Lessons Learned on the Audit Trail” because the last five years have taught us a lot about the speed of risk and how risk dynamics can change everything that an internal auditor needs to focus on. So the title of the refreshed edition is the Speed of Risk: Lessons on the Audit Trail. So we go back and we talk about some of those lessons that we explored in the first book and we overlay on it the impact that a dynamic risk environment has. We talk about auditing culture, we talk about the importance of innovation and how do you audit. It has been in process. That book will be out in March 2019.
The image of an internal auditor is often perceived to be uninspiring. How do you feel this image that people perceive should undergo a makeover? Is there anything that’s happening in this direction?
(RC): Oh! I think it starts with those of us in the profession. You know, like every profession, there probably are stereotypes about internal audit. But again, you can go to a lot of companies and they don’t see those stereotypes at all because their internal audit is alive, it’s vibrant, it’s dynamic, gets involved, engaged in all the key risks of the organisation. So I think, it’s up to each one of us in this profession worldwide, to make this profession not only meaningful for us but to be able to convey what the potential and the opportunity is, so that our boards and management and even the people in the organisation who are audited, begin to appreciate what internal audit really is. It has evolved, it’s gone beyond the bean counting. I say in the 21st century, we have to know how to do more than count the beans. We have to know how they’re marketed, how they’re grown, how they’re harvested, how they’re marketed, to know everything about the life cycle of beans. We have to know how they’re marketed, how they’re grown, how they’re harvested, to know everything about the life cycle of beans. And we have to be able to convey that in a way that gets people excited.
So, related to this, is a question – Does the name “internal auditor” do any disservice to the profession because there is a connotation of an auditor primarily being an accountant? The impression is that internal auditors are an extension of the accounting profession. There have been attempts to rename the profession as risk advisors or risk professionals or GRC professionals. Any views that you have – what is there in a name or how does it matter?
(NM): I have my personal view on this originally. To me, the name convention doesn’t really matter. What matters is what we do. Even if you are called internal auditor, if you are actually being very innovative, if you are providing value to your board or the committee in the senior management, doesn’t really matter to them. I have seen different name conventions like management reviews, the audit and risk reviews and different connotations. But you know, at the end of the day, if you are actually doing what is considered as bean counting, as opposed to helping the business, protecting the organisation, being strategic, being innovative, trying to do more with less, they will actually see it through, no matter how it’s called. So that’s just my opinion about the name convention.
(RC): I agree100%. I mean, you could change the name of an airline pilot to aircraft navigation engineer but it’s still an airline pilot, right? I think, what we really need to be doing is – we need to be focusing on what does it mean to be an internal auditor. You simply say, we are going to rebrand what we do, not rebrand who we are. But we are going to elevate the level of service that we provide. So I would like to think where we are going to be the Apple of the future.
Coming to internal audit, unlike in statutory audit or an external audit, there is no legal mandate to have an internal audit. Do you think this is an impediment to the work of an internal auditor? Should there be legal force given to the position of an internal auditor?
(RC): IIA has taken the position and I happen to personally agree strongly with that, that licensing of internal auditors, somehow creating a licensed profession, is not really in the best interest of the organisations. We very rarely find any statutes or regulations that license the person who’s the CFO in the organisation or license the other professionals, Chief Risk Officer and others. Organisations, particularly publicly traded organisations or corporations, I think should be free to decide how to manage their affairs, without the long arm of government reaching in and saying – No, here’s what you have to do – here are the credentials or the skills or the qualifications. Now, we were very big proponent of listing agencies, stock exchanges, and others saying – if you’re going to be traded on an exchange, you need to have an internal audit function. I don’t think we have a problem, even seeing government regulations saying that organisations and companies should have an internal audit function. But it’s getting into it, it’s sort of mandating, who can do it and who can’t and what qualifications and credentials, because I have seen how that gets stuck in the past. If we had something like that 20 years ago, it would be mandating that in order to be internal auditors, you have to be accountants and yet today, only a fraction of what internal audit does, has any relationship to accounting. So I think, the profession needs to be live and to evolve and companies should be free to decide how they’re going to resource it.
(NM): Internal audit is a management tool to self-regulate itself, self-correct itself, find the problem by your own and correct it so that companies’ sustainability is maintained. It is a wonderful training ground for anyone who actually wants to learn about organisations – how they make money, how they lose money, what is the control that needs to actually exist. So, a number of companies use internal audit to actually put people in for training for few years and put them back to the business, to take more senior level roles. Such free flow of people is important for internal audit and for the organisation.
You know, as the world around us is changing, the competencies and skill sets that internal auditors need to own has changed tremendously. So, what are the few things that the future internal auditor must add to his bucket of competencies, to remain relevant. I am talking of survival, I am not even talking of success.
(NM): So, future is now already and this is one of the Richard’s comments. I took it from his slide. But not just the internet, now everything is on smart phone. No one goes to the bank branch anymore. Banking transactions to travel booking to buying insurance, everything is done by phone and laptop! How do we actually deal with this situation as an internal auditor?
First, you have to be extraordinary and able to work across the organisation. Earlier, there were IT auditors (called EDP auditors) and Business Auditors and Financial Auditors within internal Audit. Now the lines have been blurred because there is no process existing without technology. Thus, today’s internal auditor needs to operate across all areas, technology being an important skill to have.
Facilitation skills, because audit is all about Listening, Thinking, and Communicating. So, you have to really facilitate the conversation that goes on. And in many organisations, once you start to incorporate self-assessment process as part of the audit process, you have to facilitate the discussion. When you talk about the agile process, the scrum meeting – you have to actually chair the scrum meeting and bring the information now from your auditee or risk management or compliance, legal, finance. All this actually helps to make the internal audit better, right? So that is the second characteristic or the skills you need to have – facilitation skills.
And finally, analytical ability of course, to think in-depth about what is the root cause of the problem? Why is it happening? Because if you don’t actually get the root cause right and if you just remediate superficially, the problem will come back. We don’t want that to happen because we actually embrace remediation. We need to kill that root cause and then move on. So those three things that I would actually think, that’s really the skill sets necessary,
(RC): I speak a lot these days about the importance of internal auditors being able to provide foresight. The profession, the origins of internal audit was totally behind – in the past. What happened last year? Were the records maintained correctly? Were controls adequate? But it was in the past.
Then as the profession evolved, we became more adept at talking about the present. Okay. Here are things that we see now, that need to be corrected. But as I look to the future, we are really going to have to be able to look to the future because the things that happened yesterday are yesterday, they’re not the things that we seek. I spoke earlier this week and I said, you know, you seek out experts for the future, not for the past. So I think, internal auditors as a profession and as individuals are going to have to become much more adept looking forward. We speak a lot about what are the threats that artificial intelligence presents to our profession. I often say, if you’re only providing hindsight, that’s something artificial intelligence can easily do. If you are only providing hindsight and insight, you are still likely threatened by artificial intelligence and some of the other technology that’s coming. The things that will make it more difficult for you to be disintermediated, are your ability to leverage your professional knowledge, your professional judgment and to give the organisation perspectives about what the future holds.
This question is about recent corporate failures and the role of internal audit. Couple of lessons that both of you may want to share for the internal auditors, seeing what has happened in the UK, in Europe, and of course, America, and closer home to IL&FS in India – Anything that internal auditors need to wake up to and learn from?
(RC): I shared my message this week and I talk about it a lot. The five scariest words in the English language are “where were the internal auditors?” And it almost always comes when there’s a major scandal or collapse or calamity. It may have nothing to do with the internal auditors. But somebody will ask a question and say, well, where were the internal persons?
First of all, I would say internal auditors can audit anything, but they cannot audit everything. Okay? So we always need to keep that in mind that it is perfectly plausible that a big collapse or scandal or fraud can occur. That internal audit was focusing on all the right things and just didn’t see it. I mean, we cannot audit everything unless you’re willing to give us thousands of people. Study after study has been done looking at what contributes what, which risks are the most lethal when it comes to shareholder value. It’s not financial risk. People think, Oh! well – financial reporting fraud is what kills companies. It’s not compliance risks. Those risks together account for fewer than 20% of decline in shareholder value. It is strategic risks, it is business risks, sometimes even operational risks. it is companies that don’t see what’s coming ahead. And that is where I think, get back to internal audit, being there to help the management identify what are the things that could cause the failures and the calamities to occur. Now, some of the examples you find in Europe and others elsewhere. Some of those were compliance failures, some of those were frauds that occurred. But you know what, if you look deep enough, you’re going to find that it was culture, it was culture in the organisation. It was culture in the organisation that caused the compliance failures or the fraud or all the other things that took the company down. The compliance failure or the financial reporting fraud was symptomatic of a bigger issue. And that’s where internal audit always has to have insight.
There is a lot of talk about engaging with the millennials, the younger minds. As a profession, how would we attract the most creative, the most difficult to engage with talent within the profession?
(NM): Please watch my video, it is for you millennials. Because we were trying to make it very simple, trying to relate to building the career by using the analogy of constructing the building. So, it was actually, essentially targeting for millennials, to really understand the concept of, how important the standards are, how important that certification programme is, in what sort of thing that internal auditors do? So, please watch my video.
(RC): In the interest of time, let me just say, we over-analyse sometimes what differentiates generations. I think, millennials are a lot more like baby boomers of my generation than they are different. I think, we have a lot of the same kinds of the interests. I can tell you, we were very ambitious too. When I was a young adult, people of my generation felt like we should own the world. I think, that’s a natural kind of phenomenon. One of my daughters falls into that millennial category. These are people that are motivated by a purpose. They don’t just want a job for money, they want a purpose. There’s no greater opportunity to serve a purpose than to be an internal auditor and to exercise your craft to make things better. So I think, millennials will be attracted and are being attracted to internal audit. And I think that’s something we will continue to work on.
(You can see the unedited interview on the BCAS You Tube channel.)
