the Moment!’: An Interview with IIA Chairman Betty
Donald E. Tidrick
McPhilimy is the 2004/05 chairman of the board for the Institute
of Internal Auditors, which represents approximately 95,000
members in 160 countries worldwide (www.theiia.org). An
Institute member for 20 years, she has served on IIA-Chicago’s
board of directors since 1984 and was the affiliate’s
president in 1988/89. Her extensive record of service to
the IIA includes serving as cochair of the Institute’s
1993 International Conference and serving as chair of the
International Conference Committee from 1996 to 1999. She
served a three-year term as a member of the IIA’s
Executive Committee, and was senior vice chairman during
addition to being a CPA, McPhilimy is a Certified Internal
Auditor (CIA) and a Certified Fraud Examiner (CFE). She
is also the chief audit executive for Northwestern University,
which has more than 7,100 faculty and staff members and
an operating budget of more than $1.5 billion. An accounting
graduate from St. Ambrose College in Davenport, Iowa, McPhilimy
started her career in Chicago in the firm now known as Ernst
& Young and later worked in the corporate environment
before joining Northwestern University.
interview took place in connection with McPhilimy’s
March 2004 visit to Northern Illinois University to address
the NIU accountancy students and faculty.
E. Tidrick for The CPA Journal: Can you give a brief history
of the Institute of Internal Auditors and a description
of the IIA today?
Betty McPhilimy: The Institute of Internal
Auditors was established in New York in 1941 with 24 members.
Today, it is a global professional organization serving
a membership in internal and IT [information technology]
auditing, governance, internal control, risk assessment,
security, and education. Membership has increased dramatically
over the past decade and we now have 243 affiliates worldwide.
The IIA has its own standards, a professional practices
framework, and a code of ethics; certification programs;
professional development and training; a research foundation;
benchmarking and quality assessments; and other services
that support internal auditors worldwide.
less than half of our members reside in North America. Over
recent years, membership outside of North America has increased
significantly, especially in China and Europe. The IIA standards
have been translated into 21 approved languages in addition
to English. Translating the standards, definitions, and
ethics for different languages and cultures is very challenging.
How difficult is it to manage professional ethics in a global
environment that encompasses so many different business
McPhilimy: The fact that IIA affiliates all
over the world are communicating their ethical concerns
to IIA headquarters indicates that ethics are a global focal
point of the profession these days. Despite societal and
cultural differences, there are some universal ethical principles.
We have a global ethics committee that does more than just
monitor the code of ethics and keep it current. It has launched
a multiyear training initiative along two dimensions: first,
to provide internal auditors with a better understanding
of how ethical issues impact what they do; second, to help
internal auditors advocate high ethical standards within
their own organizations. There is a huge need for this.
We often hear that internal auditors are aware of sensitive
situations but lack a process for discussing ethical issues
and getting help in dealing with these matters within their
organizations. Such issues are within the purview of the
IIA’s Ethics Committee.
What are the strategic issues that the IIA is currently
McPhilimy: We revisit strategic planning activities
with a clean slate every three years and we are engaged
in that process now. We start by analyzing our mission and
vision statements to make sure they provide a forward-thinking
approach that validates our goal of being the global voice
for the internal audit profession. The impact of IT has
grown rapidly and dramatically, so technology continues
to be a key area of emphasis in everything we do. This includes
adding training programs and expanding web-based resources
to help our members enhance their knowledge and professionalism.
A global perspective is essential in effectively representing
the internal audit profession and in enhancing certification
of our membership. Issues that are being widely discussed
in America, such as risk management and corporate governance,
are also topics of global concern to our members and other
the new definition of internal auditing, which the IIA adopted
in June 1999, has generated lively discussion: “Internal
auditing is an independent, objective assurance and consulting
activity designed to add value and improve an organization’s
operations. It helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate
and improve the effectiveness of risk management, control,
and governance processes.” This broader definition
reflects the direction in which the profession has grown
over recent years. Today, internal auditing is recognized
as a vital cornerstone of effective corporate governance,
along with the audit committee of the board of directors,
executive management, and external auditing.
strategic issue has to do with the IIA’s staff. The
sudden and untimely death of IIA President Bill Bishop in
March 2004 drew the IIA Executive Committee’s attention
to disaster-recovery issues and how to best support our
excellent full-time staff. Although Bill had already announced
his retirement plans and we had begun the process of searching
for his replacement, we had hoped to have a transition period
during which Bill could provide assistance and convey his
extensive institutional memory to his successor. In April,
the IIA named Dave Richards to succeed Bill as president,
and Dave assumed that role in May.
What are your priorities as IIA chairman?
McPhilimy: The theme for my year is “Seize
the Moment!” That theme reflects many recent events
that have placed a renewed spotlight on the important role
of internal auditing. Positioning internal auditing as part
of the solution, capitalizing on the strength of the IIA
as the global professional organization, growing the reputation
of our credentials and state-of-the-art professional development
offerings, and providing important value-added services
for our members and their organizations—these are
my main priorities.
How do professional organizations such as the IIA and the
McPhilimy: The IIA is actively involved with
other national and global organizations on many levels.
A recent example is the Association Summit, which consisted
of the American Accounting Association (AAA), the AICPA,
the Association of Government Accountants (AGA), Financial
Executives International (FEI), the Institute of Management
Accountants (IMA), and the IIA. We meet annually for networking
and benchmarking. Sharing ideas with the representatives
of these organizations is tremendously helpful, and the
relationships are strong and collegial. Along with the IIA,
most of these organizations are also a part of the Committee
of Sponsoring Organizations of the Treadway Commission (COSO),
a voluntary private-sector organization dedicated to improving
the quality of financial reporting through business ethics,
effective internal controls, and corporate governance.
Changes in the CPA exam have garnered a lot of recent attention,
but many people might not know about the IIA’s efforts
to update and revise the Certified Internal Auditor (CIA)
McPhilimy: The CIA is the premier global certification
for internal auditing—a crown jewel that we strenuously
protect to make sure that it continues to reflect the appropriate
priorities for internal auditors. Changes to the CIA program
and syllabus went into effect in May 2004. The IIA undertook
a global research study to focus on the knowledge, skills,
and abilities underlying a common body of knowledge for
the CIA exam. One major change involves the three parts
of the exam that comprise the core global syllabus focusing
on corporate governance and risk considerations. A fourth
part focuses on general business management issues. To become
a CIA, candidates must possess knowledge of both the core
global syllabus and either specialized audit-related subject
matter or general business management. Candidates already
possessing an approved certification are granted credit
for part four. Currently, there are 17 approved certifications
in the United States, including CPA, Certified Management
Accountant (CMA), and Chartered Financial Analyst (CFA).
for the complete list of approved certifications.]
IIA also has three specialty internal audit certifications
that are included among the approved certifications to waive
part four of the CIA exam: Certification in Control Self-Assessment
(CCSA), Certified Government Auditing Professional (CGAP),
and Certified Financial Services Auditor.
For a time, Enron was the poster child for outsourcing internal
auditing. Is that topic of continuing concern to the IIA?
McPhilimy: The New York Stock Exchange has
been a strong proponent of requiring listed companies to
have internal audit departments. And, of course, the Sarbanes-Oxley
Act has established that internal auditing should be separate
and distinct from the external audit function. We have heard
a number of anecdotes about companies that had outsourced
their internal audit departments and subsequently brought
those functions back in-house. As a result, outsourcing
is not really the threat that it was initially perceived
to be. In contrast, the IIA has received a number of calls
from entities seeking guidance and support for their efforts
to establish their own internal audit activities. “Co-sourcing,”
on the other hand, is fairly topical these days as a way
to enhance the capabilities of internal audit staffs by
supplementing existing skills with the specialty skills
of an outside service provider on an as-needed basis.
What is your impression of how the Sarbanes-Oxley Act will
affect the internal audit profession, and will there be
an effect outside of the United States?
McPhilimy: Sarbanes-Oxley has been helpful
to internal auditors and their organizations by enhancing
organizations’ corporate governance and control structures.
Internal auditors are heavily involved in implementing Sarbanes-Oxley
requirements, although the original deadlines have been
pushed back somewhat. The IIA has added several new sessions
of Sarbanes-Oxley–related educational programs, because
demand has been so heavy.
may seem natural to presume that Sarbanes-Oxley would not
interest people outside of the U.S., but businesses tend
to be global and people around the world have easy access
to information about U.S. events. Internal auditing really
is a global profession, and important matters like Sarbanes-Oxley
are followed with interest worldwide.
What is your view of Sarbanes-Oxley section 404, which mandates
internal control requirements?
McPhilimy: Section 404 is probably the most
onerous of all of the Sarbanes-Oxley requirements. This
is clearly a hardship for relatively small companies, but
even large, well-managed ones may benefit by firming up
their control structures. When the IIA surveyed 160 chief
audit executives, 63 reported that more than 50% of their
staff time was being devoted to Sarbanes-Oxley.
Executive compensation continues to be controversial. Do
internal audit departments ever collaborate with compensation
committees on this issue?
McPhilimy: Internal auditors would primarily
focus on the structure of the process within their organizations
in terms of who makes up the compensation committee, how
it is controlled, and the committee’s familiarity
with relevant issues. Internal auditors might play a role
in setting the board and governance structures, including
coordinating committee jurisdictions and oversight responsibilities.
What impact will COSO’s enterprise risk management
(ERM) framework have, and is it a meaningful addition to
the audit literature?
McPhilimy: Many people are very interested
in this ERM framework because of widespread concerns related
to identifying and managing relevant risks. They’re
looking for a template or formula for dealing more effectively
with those issues. The COSO pyramid and related concepts
have undoubtedly led to more rigorous analysis. And there
is a lot of renewed interest in COSO’s 1992 Internal
Control Integrated Framework. The new ERM project reflects
the increased complexities of business today by presenting
multiplatform structures. It is applicable across industries
and across systems within various operating units. There
is a lot of buzz about the ERM framework, because it focuses
on risk management, which is the name of the game these
How has your career benefited from your active involvement
in the IIA, at both the local and international levels?
McPhilimy: I’ve benefited in many ways—educationally,
professionally, and socially, in terms of the contacts and
friendships. The IIA provided a great deal of support to
me, like other members, when I moved into a management position
within an internal audit function. In college, I did not
have much exposure to internal auditing, which is why I
support so strongly the IIA’s Endorsed Internal Audit
Program as a way to promote and encourage internal audit
curricula at more colleges and universities in the United
States and around the world. The IIA guidance and professional
materials helped me in my aspiration to become the best
auditor I could be. The certification programs inspire confidence
in our own capabilities and enhance our credibility in the
eyes of others. The contacts I’ve made at the local
level in Chicago have resulted in some of the closest relationships
with colleagues that I have. And now, at the international
level, I’ve gained a perspective of what auditing
is like around the world. My involvement with the activities
of the IIA has helped me understand the organizational management
of the internal audit profession in terms of shaping the
framework of the profession going forward. I’ve had
the privilege of meeting many outstanding people across
a wide range of industries and countries from around the
world, and I’ve had the opportunity to travel extensively
to interesting places that I would not have otherwise seen.
How would you compare your experience of internal auditing
in a corporate setting with the not-for-profit sector now
that you are the chief audit executive for a major research
McPhilimy: There are many similarities. For
example, I have never hired anyone for the university’s
internal audit staff who had previously worked primarily
in higher education. I look for an individual’s audit
“instinct,” which is applicable to any organizational
context. Internal auditors need to have curiosity, inquisitiveness,
professional skepticism, integrity, and an analytical mind
to anticipate what could go wrong. For example, whether
auditing an accounting function, athletics, or research
compliance, the internal auditor’s instincts and skills
are based on a broad range of prior experiences that will
largely determine effectiveness. In general, internal auditing
adds amazing value in both the public and private sectors.
Unfortunately, one cannot always quantify the benefits of
enhanced controls and improved risk management.
felt very fortunate that the administrators I have dealt
with at Northwestern University have been consistently receptive
to the internal audit process. They have been sincere in
wanting to do the best possible job and improve their operations
in terms of efficiency, effectiveness, and compliance. In
my experience, corporations may sometimes be more political
and subject to bureaucracy. As a result, corporate managers
may be less receptive to hearing audit results. My staff
and I work very hard to ensure that audit customers realize
that we are there to help them. We don’t evoke a “gotcha”
attitude in any way.
In conclusion, is there anything else you might wish to
McPhilimy: The corporate “hits”
that have made front-page news across the country have caused
a lot of concern within organizations around the world.
By and large, the internal audit profession has emerged
even stronger. Of course, some weak spots in internal auditing
have been identified, but recent events have clearly supported
the need for organizations to have an effective internal
audit function. I am very excited about auditing and passionate
about what the IIA provides. I encourage all CPAs to explore
the vast resources and benefits of IIA membership and local
and global involvement by visiting our website, www.theiia.org.
E. Tidrick, PhD, CMA, CIA, CPA, is an associate professor
of accountancy at Northern Illinois University, DeKalb, Ill.
He is a member of the IIA and its Academic Relations Committee.
NIU is an IIA Endorsed Internal Audit Program.