‘Seize the Moment!’: An Interview with IIA Chairman Betty McPhilimy

By Donald E. Tidrick

Betty McPhilimy is the 2004/05 chairman of the board for the Institute of Internal Auditors, which represents approximately 95,000 members in 160 countries worldwide (www.theiia.org). An Institute member for 20 years, she has served on IIA-Chicago’s board of directors since 1984 and was the affiliate’s president in 1988/89. Her extensive record of service to the IIA includes serving as cochair of the Institute’s 1993 International Conference and serving as chair of the International Conference Committee from 1996 to 1999. She served a three-year term as a member of the IIA’s Executive Committee, and was senior vice chairman during 2003/04.

In addition to being a CPA, McPhilimy is a Certified Internal Auditor (CIA) and a Certified Fraud Examiner (CFE). She is also the chief audit executive for Northwestern University, which has more than 7,100 faculty and staff members and an operating budget of more than $1.5 billion. An accounting graduate from St. Ambrose College in Davenport, Iowa, McPhilimy started her career in Chicago in the firm now known as Ernst & Young and later worked in the corporate environment before joining Northwestern University.

This interview took place in connection with McPhilimy’s March 2004 visit to Northern Illinois University to address the NIU accountancy students and faculty.

Donald E. Tidrick for The CPA Journal: Can you give a brief history of the Institute of Internal Auditors and a description of the IIA today?
Betty McPhilimy:
The Institute of Internal Auditors was established in New York in 1941 with 24 members. Today, it is a global professional organization serving a membership in internal and IT [information technology] auditing, governance, internal control, risk assessment, security, and education. Membership has increased dramatically over the past decade and we now have 243 affiliates worldwide. The IIA has its own standards, a professional practices framework, and a code of ethics; certification programs; professional development and training; a research foundation; benchmarking and quality assessments; and other services that support internal auditors worldwide.

Slightly less than half of our members reside in North America. Over recent years, membership outside of North America has increased significantly, especially in China and Europe. The IIA standards have been translated into 21 approved languages in addition to English. Translating the standards, definitions, and ethics for different languages and cultures is very challenging.

CPAJ: How difficult is it to manage professional ethics in a global environment that encompasses so many different business customs?
The fact that IIA affiliates all over the world are communicating their ethical concerns to IIA headquarters indicates that ethics are a global focal point of the profession these days. Despite societal and cultural differences, there are some universal ethical principles. We have a global ethics committee that does more than just monitor the code of ethics and keep it current. It has launched a multiyear training initiative along two dimensions: first, to provide internal auditors with a better understanding of how ethical issues impact what they do; second, to help internal auditors advocate high ethical standards within their own organizations. There is a huge need for this. We often hear that internal auditors are aware of sensitive situations but lack a process for discussing ethical issues and getting help in dealing with these matters within their organizations. Such issues are within the purview of the IIA’s Ethics Committee.

CPAJ: What are the strategic issues that the IIA is currently addressing?
We revisit strategic planning activities with a clean slate every three years and we are engaged in that process now. We start by analyzing our mission and vision statements to make sure they provide a forward-thinking approach that validates our goal of being the global voice for the internal audit profession. The impact of IT has grown rapidly and dramatically, so technology continues to be a key area of emphasis in everything we do. This includes adding training programs and expanding web-based resources to help our members enhance their knowledge and professionalism. A global perspective is essential in effectively representing the internal audit profession and in enhancing certification of our membership. Issues that are being widely discussed in America, such as risk management and corporate governance, are also topics of global concern to our members and other stakeholders.

Even the new definition of internal auditing, which the IIA adopted in June 1999, has generated lively discussion: “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” This broader definition reflects the direction in which the profession has grown over recent years. Today, internal auditing is recognized as a vital cornerstone of effective corporate governance, along with the audit committee of the board of directors, executive management, and external auditing.

Another strategic issue has to do with the IIA’s staff. The sudden and untimely death of IIA President Bill Bishop in March 2004 drew the IIA Executive Committee’s attention to disaster-recovery issues and how to best support our excellent full-time staff. Although Bill had already announced his retirement plans and we had begun the process of searching for his replacement, we had hoped to have a transition period during which Bill could provide assistance and convey his extensive institutional memory to his successor. In April, the IIA named Dave Richards to succeed Bill as president, and Dave assumed that role in May.

CPAJ: What are your priorities as IIA chairman?
The theme for my year is “Seize the Moment!” That theme reflects many recent events that have placed a renewed spotlight on the important role of internal auditing. Positioning internal auditing as part of the solution, capitalizing on the strength of the IIA as the global professional organization, growing the reputation of our credentials and state-of-the-art professional development offerings, and providing important value-added services for our members and their organizations—these are my main priorities.

CPAJ: How do professional organizations such as the IIA and the AICPA interact?
The IIA is actively involved with other national and global organizations on many levels. A recent example is the Association Summit, which consisted of the American Accounting Association (AAA), the AICPA, the Association of Government Accountants (AGA), Financial Executives International (FEI), the Institute of Management Accountants (IMA), and the IIA. We meet annually for networking and benchmarking. Sharing ideas with the representatives of these organizations is tremendously helpful, and the relationships are strong and collegial. Along with the IIA, most of these organizations are also a part of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a voluntary private-sector organization dedicated to improving the quality of financial reporting through business ethics, effective internal controls, and corporate governance.

CPAJ: Changes in the CPA exam have garnered a lot of recent attention, but many people might not know about the IIA’s efforts to update and revise the Certified Internal Auditor (CIA) examination.
The CIA is the premier global certification for internal auditing—a crown jewel that we strenuously protect to make sure that it continues to reflect the appropriate priorities for internal auditors. Changes to the CIA program and syllabus went into effect in May 2004. The IIA undertook a global research study to focus on the knowledge, skills, and abilities underlying a common body of knowledge for the CIA exam. One major change involves the three parts of the exam that comprise the core global syllabus focusing on corporate governance and risk considerations. A fourth part focuses on general business management issues. To become a CIA, candidates must possess knowledge of both the core global syllabus and either specialized audit-related subject matter or general business management. Candidates already possessing an approved certification are granted credit for part four. Currently, there are 17 approved certifications in the United States, including CPA, Certified Management Accountant (CMA), and Chartered Financial Analyst (CFA). [See www.theiia.org for the complete list of approved certifications.]

The IIA also has three specialty internal audit certifications that are included among the approved certifications to waive part four of the CIA exam: Certification in Control Self-Assessment (CCSA), Certified Government Auditing Professional (CGAP), and Certified Financial Services Auditor.

CPAJ: For a time, Enron was the poster child for outsourcing internal auditing. Is that topic of continuing concern to the IIA?
The New York Stock Exchange has been a strong proponent of requiring listed companies to have internal audit departments. And, of course, the Sarbanes-Oxley Act has established that internal auditing should be separate and distinct from the external audit function. We have heard a number of anecdotes about companies that had outsourced their internal audit departments and subsequently brought those functions back in-house. As a result, outsourcing is not really the threat that it was initially perceived to be. In contrast, the IIA has received a number of calls from entities seeking guidance and support for their efforts to establish their own internal audit activities. “Co-sourcing,” on the other hand, is fairly topical these days as a way to enhance the capabilities of internal audit staffs by supplementing existing skills with the specialty skills of an outside service provider on an as-needed basis.

CPAJ: What is your impression of how the Sarbanes-Oxley Act will affect the internal audit profession, and will there be an effect outside of the United States?
Sarbanes-Oxley has been helpful to internal auditors and their organizations by enhancing organizations’ corporate governance and control structures. Internal auditors are heavily involved in implementing Sarbanes-Oxley requirements, although the original deadlines have been pushed back somewhat. The IIA has added several new sessions of Sarbanes-Oxley–related educational programs, because demand has been so heavy.

It may seem natural to presume that Sarbanes-Oxley would not interest people outside of the U.S., but businesses tend to be global and people around the world have easy access to information about U.S. events. Internal auditing really is a global profession, and important matters like Sarbanes-Oxley are followed with interest worldwide.

CPAJ: What is your view of Sarbanes-Oxley section 404, which mandates internal control requirements?
Section 404 is probably the most onerous of all of the Sarbanes-Oxley requirements. This is clearly a hardship for relatively small companies, but even large, well-managed ones may benefit by firming up their control structures. When the IIA surveyed 160 chief audit executives, 63 reported that more than 50% of their staff time was being devoted to Sarbanes-Oxley.

CPAJ: Executive compensation continues to be controversial. Do internal audit departments ever collaborate with compensation committees on this issue?
Internal auditors would primarily focus on the structure of the process within their organizations in terms of who makes up the compensation committee, how it is controlled, and the committee’s familiarity with relevant issues. Internal auditors might play a role in setting the board and governance structures, including coordinating committee jurisdictions and oversight responsibilities.

CPAJ: What impact will COSO’s enterprise risk management (ERM) framework have, and is it a meaningful addition to the audit literature?
Many people are very interested in this ERM framework because of widespread concerns related to identifying and managing relevant risks. They’re looking for a template or formula for dealing more effectively with those issues. The COSO pyramid and related concepts have undoubtedly led to more rigorous analysis. And there is a lot of renewed interest in COSO’s 1992 Internal Control Integrated Framework. The new ERM project reflects the increased complexities of business today by presenting multiplatform structures. It is applicable across industries and across systems within various operating units. There is a lot of buzz about the ERM framework, because it focuses on risk management, which is the name of the game these days.

CPAJ: How has your career benefited from your active involvement in the IIA, at both the local and international levels?
I’ve benefited in many ways—educationally, professionally, and socially, in terms of the contacts and friendships. The IIA provided a great deal of support to me, like other members, when I moved into a management position within an internal audit function. In college, I did not have much exposure to internal auditing, which is why I support so strongly the IIA’s Endorsed Internal Audit Program as a way to promote and encourage internal audit curricula at more colleges and universities in the United States and around the world. The IIA guidance and professional materials helped me in my aspiration to become the best auditor I could be. The certification programs inspire confidence in our own capabilities and enhance our credibility in the eyes of others. The contacts I’ve made at the local level in Chicago have resulted in some of the closest relationships with colleagues that I have. And now, at the international level, I’ve gained a perspective of what auditing is like around the world. My involvement with the activities of the IIA has helped me understand the organizational management of the internal audit profession in terms of shaping the framework of the profession going forward. I’ve had the privilege of meeting many outstanding people across a wide range of industries and countries from around the world, and I’ve had the opportunity to travel extensively to interesting places that I would not have otherwise seen.

CPAJ: How would you compare your experience of internal auditing in a corporate setting with the not-for-profit sector now that you are the chief audit executive for a major research university?
There are many similarities. For example, I have never hired anyone for the university’s internal audit staff who had previously worked primarily in higher education. I look for an individual’s audit “instinct,” which is applicable to any organizational context. Internal auditors need to have curiosity, inquisitiveness, professional skepticism, integrity, and an analytical mind to anticipate what could go wrong. For example, whether auditing an accounting function, athletics, or research compliance, the internal auditor’s instincts and skills are based on a broad range of prior experiences that will largely determine effectiveness. In general, internal auditing adds amazing value in both the public and private sectors. Unfortunately, one cannot always quantify the benefits of enhanced controls and improved risk management.

I’ve felt very fortunate that the administrators I have dealt with at Northwestern University have been consistently receptive to the internal audit process. They have been sincere in wanting to do the best possible job and improve their operations in terms of efficiency, effectiveness, and compliance. In my experience, corporations may sometimes be more political and subject to bureaucracy. As a result, corporate managers may be less receptive to hearing audit results. My staff and I work very hard to ensure that audit customers realize that we are there to help them. We don’t evoke a “gotcha” attitude in any way.

CPAJ: In conclusion, is there anything else you might wish to say?
The corporate “hits” that have made front-page news across the country have caused a lot of concern within organizations around the world. By and large, the internal audit profession has emerged even stronger. Of course, some weak spots in internal auditing have been identified, but recent events have clearly supported the need for organizations to have an effective internal audit function. I am very excited about auditing and passionate about what the IIA provides. I encourage all CPAs to explore the vast resources and benefits of IIA membership and local and global involvement by visiting our website, www.theiia.org.

Donald E. Tidrick, PhD, CMA, CIA, CPA, is an associate professor of accountancy at Northern Illinois University, DeKalb, Ill. He is a member of the IIA and its Academic Relations Committee. NIU is an IIA Endorsed Internal Audit Program.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.