The 12 Priorities of Top Performers

The coming decade may well redefine the role of the internal auditor in corporate governance, according to one widely followed expert.

“Internal audit is getting more strategic,” Dan Swanson, a 26-year veteran of the profession and a former director of professional practices at the Institute of Internal Auditors, told Rick Telberg. “It’s not seen as strictly a policing function as it was 10 years and 20 years ago.”

Swanson sees accountants in internal audit becoming “more involved in the overall business and the strategic direction of the organization.” He sets out a new, expansive and challenging role for internal auditors.

This new role for internal auditors requires a new set of priorities and principles, which Swanson lays out in a new compilation of his writings, “Raising the Bar.” He calls on auditors to dig strategically into a dozen make-or-break areas for many organizations, including:

Risk management: “To my thinking, enterprise risk management (ERM) is a silver bullet for improving governance and organizational results because it identifies your key objectives.” Swanson says in his new book, “It is time for organizations to take ERM to the next level.”

The top three most significant business initiatives: Swanson has long pushed the auditing profession into examining a company’s top information technology efforts. But he’s expanding the scope of his concerns. “I now firmly believe,” he says, “in auditing the three most significant business initiatives.”

Business continuity and disaster recovery: Both, of course, are probably already on most people’s top ten worry lists. “The problem is that they always rank in the bottom half,” Swanson says. “It is now time to ensure that the efforts are truly operational.” It could be one of the best investments any organization makes.

Information security: Swanson suggests a “very simple test:” Is it on your board’s agenda?

GRC: By whatever terminology you use – organizational governance; corporate governance; performance accountability; governance, risk and compliance – “internal audit should provide an opinion regarding the overall governance regime.” And these days, it’s essential to include social responsibility and sustainable development issues.

Ethics and compliance: Both are getting “enormous attention and funding” these days, but who’s minding the spending and the effectiveness if not internal audit?

Records management: It’s not always a job for internal audit. But, Swanson says, “If your organization has not started upgrading its records-management program to reflect today’s regulatory requirements and technological capabilities, then the organization is at risk … There is nothing worse than the legal nightmare of having a policy and not following it.”

The quality of enterprise information for decision-making: “The assessment should include the quality and completeness of the information, as well as the assumptions and analysis,” he says, predicting, “Information management will become more critical every year.”

The anti-fraud program: Internal auditors must be involved in assuring top management and the board that the right efforts are in place and working properly, he says.

IT efforts: Few areas can turn into a money pit as quickly or easily as IT.

Ad hoc requests from board members and top executives: By including internal consulting and assurance projects on the list, Swanson makes the case for a customer service philosophy in the internal audit function. “It lets the board and management know that internal audit is responsive to the board’s needs.”

Process management and continuous improvement: Swanson’s last – but not least – audit priority focuses on improving organizational performance. In some companies it might be called Six Sigma or a corporate-wide quality-management effort. To Swanson, every company needs one, and every program should be subject to examination by the internal audit department.

Clearly, Swanson sees an expansive and strategic role for internal audit. “It is time,” he says in the book, “for executives to lead, managers to manage, boards to govern, and auditors to provide assurances that things are as people say they are.”

It’s not just checking expense accounts any more.