A Challenging View of Internal Auditing

One of the fun things I do is use Twitter to monitor events, surveys, articles, and publications about internal audit (if you are interested, you can follow me here).

This morning, I came across an interesting article in The Hindu Business Line. I recommend a careful read to see how your internal audit function stacks up against the expectations described by the author, who is from PwC.

Here are a few quotes of importance:

The economic crisis has led to an increased attention on improved risk management for regulators, rating agencies, and boards. This represents an opportunity and a challenge for internal auditors.
Most of the internal audit departments can increase their support to corporate governance in a number of areas. Assessing key enterprise risks, measuring risk-mitigation effectiveness, assessing ethics and codes of conduct, and reviewing and assessing IT governance are among the top activities performed for boards and audit committees.
The gap between what internal auditors deliver and what their stakeholders expect is definitely growing... As internal audit confronts new and continually changing needs and expectations, it must take the initiative to redefine its role. That means expanding its skill sets and preparing to take a leadership role as a more powerful resource for senior executives, directors and boards in aligning strategy and risk identification, control and mitigation.

The author also talks about considerations when “offshoring” part of your internal audit function, but the point about redefining internal audit’s role is my primary interest.

What do you think?

Posted on Aug 30, 2010 by Norman Marks


  1. Norman, Interesting article and showing the (perceived) gap between what most Internal Audit shops deliver today and what they should deliver tomorrow. Shifting from a risk based process oriented era to become a strategic 'partner' in the governance area, hereby still ensuring that processes and controls are appropriately governed and operated. The challenge in my opinion is how IA can sustain its independence and objectivity as IA gets quite close to the drawing board. And ensuring that (business) management understands its own responsibility in this as well.
  1. Norman: I couldn't agree more!! In our organization Ethics and IT Governance are at the forefront. Internal audit is at the table. Internal Audit has also been taking the lead in raising the awareness of risk management to senior management and the audit committee. In the public sector, this is a harder sell because elected officials do not like or are cautious of the word "risk". Education is the key and spending time raising awareness can be more valuable than "doing audits". This is a message that continually needs to be reinforced. The widening gap, to some degree, might be trying to sell internal audit as something more than the label or name indicates. I have been confronted with comments like "Does audit do that?" No matter how much we educate, our name precedes itself. This is a continuous obstacle that needs constant attention.
  1. Norman, well spotted - somehow my Google news search terms also highlighted this article in the 'Hindu Business Line' on an extended scope and role for internal audit. 

    As an active audit and risk chair I have my own opinions on this topic and I was pleased to see the debate being engaged from afar. I recently led an IIA 'heads of internal audit' workshop which created some really good new thinking for those attending.
    I've expressed some of these views in other debates, but in summary I find too much assurance focus on the 'tail' (post-financial, fraud and process audit) and too little on the 'lead' (Outcomes & KPI's, strategic choices, risk registers and management, change management, stakeholder management, procurement - what we actually buy etc)....
    All of these are more directly linked to 'value for money' or other good stakeholder outcomes and are also valuable levers to impact the trajectory of the organisation in good time, rather than 'too late' raking over the coals of a troubled organisation.
    While many internal audit departments may not be capable of providing assurance across all these areas (many of them are business assurance skills) I would expect that heads of internal audit can align themselves with the Audit & Risk chair's 'assurance framework' and the way it is used to ensure that the whole board is aware and engaged with regular review and decision making on risk management and other governance matters. Internal audit can then be directly involved in developing or finding the necessary new skills.... 
    More work to be done in this topic area yet - and I have already found many who are keen to engage. The article you identify makes some parallel points, which is encouraging. 
  1. I tend to agree more with Bryon. When I took over the position into IA as the CAE of a large airline, it was a surprise for me how much stress was given to governance and compliance and hardly any to being a business partner. It took me three years of persistence to change the outlook of the group to move to a risk based strategic partner with a focus on value add. This is highly appreciated by the Board, by Executive management and the branch level managers. The recent recession did highlight the need for change and many of us in the profession have made the change needed. One major factor that helped was that management felt the need for help in this area of risk management and value add consulting. Internal auditors, because of their broader knowledge of the whole corporation, are often best placed to give good internal advice to evaluate and manage risk.
  1. I think if audit departments become strategic partners in the new era, this causes problems with regard to the objectivity of the internal audit professionals.

  1. The question on whether internal audit loses independence or objectivity when it moves to a 'strategic partner' role is interesting.

    1. I don't think there is a problem with internal audit raising its perspective to look at risks to the enterprise and being an advocate for change. We provide an independent source of perspective on events and changes that can affect the organization. For example, I have seen CAEs being the people who alerted management and the board to the need for disclosure committees and controls; enhanced risk management processes; whistleblower lines; and more.
    2. As long as we are only an advocate and not stepping into a management role where we make decisions, our independence remains intact.
    3. We can certainly be a strategic partner to the board and audit committee, since we report to them.
    4. We can be a strategic partner to management by providing services they need to run the business. I can remember two EVPs at Tosco: one said I helped his division remain efficient, the other told the governor of New Jersey that internal audit gave him a competitive advantage through our audits of contractors, compliance, operational efficiency, and more. We are a strategic partner when they are willing to turn to us for advice and consulting services.

    Bottom line: we can change our attitude to be strategic thinkers and assurance providers. This will change the attitude of our customers, so they see us as strategic partners.

  1. Should audit be only risk based or should we equally focus on the opposite side of the coin: opportunity?

    Those who wear (de Bono's) black hats are often not popular in teams. 

  1. While I must say that most of the Internal Audit Functions are still majorly involved in compliance audits i.e. providing assurance for past events.

    Very few have reached a state of cautioning about what is on the way. Partnership is an important tool to pitch the audit function at what is desired by the business and boards.

    I can see some clash with risk management. Will the heat map generated by IA be accepted?

  1. I too am concerned with the independence and objectivity of Internal Audit.  But, at the same time, I also agree that IA must be strategic in terms of how it sees its own function, but unless it works with upper management on how the outcomes of those strategic audits predict a future for the company, and how management, if it is awake and aware, can alter its course to avoid such a future with something like a partnership with IA (sorry, I cannot see a direct partnership), the business would not survive in the long term, or at least survive in good health.  IA should first, last and always be the ones who assure and opine on risk potential based on actual audit.  It is for the business to decide how to use such assurance and opinion. 

    If the business employs a risk management department in addition to IA, then there can be a direct conduit to the business on strategy and planning.  IA need not subsume its independence and objectivity to advise Risk Management who in turn advises and works directly in partnership with the business.  IA thus has assumed a greater, more strategic leadership role, within the context of assurance and audit opinion.  No sacrifice necessary.


    Having read the article provided by Norman and comments made to it, I must confess that I fully agree with the article and with Norman. Assurance is no longer the only function that companies expect from IA. Nowadays, when business environment is so rapidly changing, we should admit that IA has more information about the company than anyone in the company, therefore, IA is the only right person who can contribute to the company’s strategy by providing the board with both an objective assurance and recommendation for improvement of the risk management, governance, and control processes. There is no question about impairment of objectivity and independence until the IA does not involve into the management process.
  1. Hi Norman,

    I am actually looking for some speakers for my event in India on Internal Auditing. I was hoping you could give me some recommendations. I came across your blog and found it interesting because these are the same issues that I will be including in the conference, and I will be getting Internal Auditors from big corporates in India to share their experiences and case studies.

    It would be great if you could drop me a mail at indhujar@marcusevanskl.com


  1. Hi Norman:

    I had a chance to read the article well, look at the various responses to you and your summation of the problem and I concur precisely with your response. There is one problem though and it is a serious problem. That is, most internal auditors today do not have the skill sets to make the kinds of shifts in thinking you are suggesting that they make. If they would have had the skill sets, by now they would have done this, especially as stakeholder needs/expectations continue to demand more.

    Some may think they have the skill sets and certainly some of these folks do, but by and large, the training programs and courses delivered by the IIA in the past until now have not provided the necessary tools/qualities to become ingrained in the internal auditor's bag of tricks.

    As some examples of this and what the IIA needs to do about it, see the next response underneath this one following.




  1. Norman,

    Continuing from above, the author articulates several things that internal auditors need to do differently. He states

    "most of the internal audit departments can increase their support to corporate governance in a number of areas. Assessing key enterprise risks, measuring risk  mitigation effectiveness, assessing ethics and codes of conduct, and reviewing and assessing IT governance are among the top activities performed for boards and audit committees. Other opportunities include training and orientation of the board and audit committee, administering board and committee self assessments, executive compensation and disclosure"

    So just focusing on "assessing key enterprise risks and measuring risk mitigation effectiveness", has the author even suggested a process to do so for these two critical areas? I think not.

    Does the IIA even have any material on executing these two critical areas effectively? I also think not.

    Hopefully the IIA is now focused on a plan that can provide real focused leadership in the field of risk management in the areas of concrete training programs. Many of us believe that we will witness some concrete changes in this area. But this is what is needed so that your average internal auditor can rise to the occasion before we witness yet another attempt by companies "to outsource their internal audit functions".
