Before joining CA, I worked for a large public accounting firm. One of my responsibilities was to perform independent reviews of internal audit organizations to determine if they complied with IIA standards. One of the most frustrating parts of these reviews was assessing internal audit career paths. Invariably the head of internal audit and, if the organizations were large enough, the leaders in different internal audit groups were well situated. They were not going anywhere. However, their staff members had different issues. Either you were stuck in a dead-end job, or internal audit was considered a ‘management cadet’ position to learn about a company before moving into a line management position.
 

With the advent of Sarbanes-Oxley and the recent crises in financial services and the automobile industry, new career opportunities are arising. It is up to internal audit to grasp and use these opportunities.
 

For example, if you are in the insurance industry, compliance may mean - “did we get the right forms to the State of Ohio so we were not fined?” In banking, it may be - “did we use the right credit risk calculation?” In the manufacturing industry, the answer to risk management may be – “there is no regulation to comply with so I do not care.” All of these answers are WRONG!!! In many companies, the only individuals with the best-- but not always the complete answer -- to risk and compliance management, are within the internal audit group.
 

Outside of the US, Board management responsibilities to shareholders and other stakeholders are often more codified. Though not currently codified in the US, with the recent financial crisis and pending legislation/regulation, this may change. Should this occur, members of a Board will need to demonstrate good corporate governance, including strategic risk assessment, corporate policy development and proof that policies were communicated and understood.
 

Internal audit will need to ‘step up to the plate’ to assist the Board to meet these responsibilities. Risk assessment will no longer be focused solely on the financial statements. There will no longer be a fixed, annual internal audit plan. Rather, the plan will evolve as risk changes throughout the year. Undoubtedly, internal audit teams will need to tap external expertise to supplement existing knowledge around risk management. And we can expect that internal audit risk assessment will be integrated with all other risk assessment activities within an organization.
 

In short, the internal audit function is at a turning point. Based on my many years experience in this field, I see internal audit becoming an integral part of meeting emerging Board responsibilities and should no longer be considered an adjunct to external audit (with the primary goal of keeping audit fees low). If ready for the challenge, internal audit can evolve to become a ‘strong arm’ of the Board, representing the interests of stockholders and other stakeholders.