The Path to Excellence for Internal Audit

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Earlier, I reviewed PwC’s 2013 State of the Internal Audit Profession.

Protiviti has added insights through their 2013 Internal Audit Capabilities and Needs Survey, which identified these areas as needing improved understanding:

  1. Social media risks.
  2. IIA Standards on functional reporting (1110) and providing opinions on individual audits (2010 and 2410).
  3. IIA guidance (GTAG 16) on the use of data analytics, the standard on providing overall opinions (2450), and risks associated with cloud computing.
  4. The IIA’s GAIT Methodology, guidance (GTAG 13) on fraud, the ISO standard (27000) on information security, and the upcoming updated COSO Internal Control–Integrated Framework.
  5. IIA guidance on assessing risk management, on auditing IT vulnerabilities (GTAG 6), and fraud risk management.

These are all important and Protiviti’s survey is a valuable read for CAEs and their mentors on audit committees.

While I like and respect both PwC’s and Protiviti’s views, I suggest a different path forward.

  1. Recognize that the role of internal audit is not just to perform audits. It is to provide assurance to the stakeholders, primarily the board (or audit committee of the board) and top management.
  2. That assurance should be in the form of an annual, formal statement of professional opinion.
  3. The statement should reflect that it is the professional opinion of the CAE, based on the engagements (both assurance and consulting) and other activities (such as participation in committees, conversations with management, etc.) conducted during the period.
  4. The opinion should be whether the systems of governance, risk management, and the related internal controls provide a reasonable level of assurance that the more significant risks to the achievement of the organization’s goals and objectives are managed at acceptable levels.
  5. Recognize that consulting activities that are designed to add value are a secondary role for internal audit; they should not interfere with the primary assurance role by, for example, limiting the resources available for assurance on significant risks.
  6. As appropriate, discuss the form and timing of the opinion with the chair of the audit committee, top management, and general counsel. Explain the value of the assurance, why it is consistent with the IIA’s definition of internal auditing, and any implications on projects that matter to them.
  7. Establish a vision for internal audit that has as its primary product an opinion as outlined above. Understand that the audit plan has to identify the engagements required to support such an opinion. The audit plan should be based on a risk assessment process (where possible, leveraging management’s risk management program) that identifies the more significant risks to the organization’s goals and objectives — the risks that matter.
  8. Build a risk assessment process that is continuous, so that the audit plan always includes projects to address the risks that matter in an environment where risks change constantly.
  9. Ensure that the internal audit function has the staffing required to address the risks that matter; this will probably require some level of co-sourcing to add expertise in certain topics.
  10. Ensure that the audit committee understands the risks that internal audit has the resources to include in the audit plan — and therefore in the audit opinion — and which will not be addressed.
  11. Communicate the new approach to all affected stakeholders and obtain the engagement and support of the internal audit team.
  12. Deliver on the vision.

I realize that while there is a growing number of internal audit departments that provide overall opinions, this remains a minority. However, if internal audit is to realize the vision expressed in the 1999 IIA definition of internal auditing and be relevant in a world of rapid change and turbulent risk, I strongly believe it is the one path forward to excellence.

I welcome your comments. 

Posted on Mar 26, 2013 by Norman Marks


  1. Norman:

    Thanks for focusing on what needs to change in the Internal Audit paradigm going forward.  

    I believe that a simple way to approach the subject is to focus, at least initially, on the "end game" not the more granular "how to" elements.

    IMHO the number one goal of internal audit should be to ensure senior management and the board are aware of significant residual risk positions in the organization linked to key value creation and potentially value eroding objectives.  How this is accomplished will vary greatly. 

    In some organizations management may be unwilling or unable to provide reliable information on significant residual risk status areas and this may have to be done by specialists including internal audit.  The preferred solution however is for the organization to have effective risk management processes that produce a materially reliable consolidated report on residual risk status that the CEO should deliver to the board.  The role of internal audit should be to report on the effectiveness of the risk management processes that produce the report and provide an opinion on the reliability of the report provided to the board.

  1. Norman, this is an interesting approach.  Would an annual statement of audit opinion be more effective than the periodic audit opinions expressed in the audit reports?  Or are we assuming that audit reports will no longer incorporate an opinion (as some IA shops have moved to already)?  And is such a statement going to enhance or detract from the statement of internal controls from the CEO and CFO that SOX requires?

    It just seems to me that the path to excellence in IA should be slightly different than you've outlined.  For most organizations, the internal audit function provides an inward-facing assurance.  However, many of the risks faced by these organizations are external in nature.  Our path to excellence should be one that expands our universe to include these external risks.  We need to provide management with the assurance that there are mitigations for the external risks, that the controls over those risks are effective (which may require a cooperative effort with other IA groups), and that the residual risks are within the risk appetite established by the board.

    I'd be very interested to hear other thoughts on alternate paths to IA excellence.

  1. Hi Richard, thanks for the comment.

    Each individual audit report should have its own opinion on the narrow scope of that engagement: the risks it addresses.

    The idea of an overall opinion (called a 'macro opinion' in IIA guidance) is that it provides a high-level view and assessment of the overall system of internal control - not just for financial and SOX risks, but how management manages all the more significant risks to the organization's achievement of its objectives.

    The overall opinion answers the top question of the audit committee: "is there anything I should be worrying about", and its second question "do we have an adequate system of risk management and internal control?"

  1. Tim, thanks for the comment.

    As we have discussed on multiple occasions, I believe your approach is very limiting. It only talks about reporting of current risk levels (I don't know why you throw the word 'residual' in there) to the board, not about how well the management systems will work to maintain risks at acceptable levels in the future. 

    The 'end game', as you put it, is the annual opinion,

  1. Norman:  As might be expected I don't believe the approach we are recommending is "limiting", quite the contrary.  We are recommending that internal audit focus on ensuring boards have the right type and quantity of information to discharge their responsibility to oversee management's risk appetite and tolerance.  We don't believe that traditional direct report audits, including binary opinions on control effectiveness from internal and external auditors, are well positioned to meet board requirements.

    The webinar I am presenting for IIA Canada today, "Board Oversight of Management's Risk Appetite and Tolerance: The New Global Imperative" covers this proposal in more detail.  The slides will be posted on our website by March 28, 2013 for those interested at

  1. Tim, is the purpose of internal audit limited to ensuring that boards have information for their quarterly meetings? Why is it not to provide assurance that the systems of risk management, governance, and internal controls are operating effectively to manage risks at acceptable levels - all the time? That would include the communication to and enabling of the board; they are elements of governance and risk management.

    Which is the bigger and more valuable product? Obviously, it is the overall opinion.

    Of course, we agree that binary opinions on controls are not the path forward, and most CAEs would agree with us.

    Instead, we should be providing opinions about the ongoing management of risk to the achievement of objectives.

    Sorry, but I think you need to update your message. You can and do influence a lot of people and rather than talking about "residual risk reporting", I wish you would talk about assurance on the continuing management of the risks that matter. Your message is limiting as it only talks about enabling governance, rather than going further to provide the assurance spelled out in the IIA definition of internal auditing.

    I suspect you, in your heart, agree with what I am proposing. Why not add your voice and make the assurance message clearer and louder, instead of pushing what I consider was useful in its time but that time has passed?

  1. Norman: With respect, I don't think you are reading what we are recommending.  We absolutely recommend that internal audit provide an opinion at least annually to the board on the effectiveness of the risk management processes.

    I encourage you to carefully read the full presentation I delivered yesterday to over 400 internal auditors around the world outlining the need for internal audit and risk specialists to transition from "supply driven"/traditional IA and ERM approaches to "board driven/objective centric".  A link to that presentation is below:


    The message we are delivering is absolutely not past its time IMHO but rather the message that needs to be delivered to elevate the stature and value of internal auditing globally.  An e-mail I received from an IA professional I consider to be one of the top IA practitioners globally that plays a very visible role in IIA Global is reproduced below FYI:

    "I just spent a few minutes going through your presentation.  Very nice job, and I’m aligned with what you’re preaching.  Keep up the good work with pushing the envelope of thought leadership and being vocal about what IA can/should be striving for"


  1. Tim, you have a great deal of content in your presentation. If you are making the recommendation that IA should provide an opinion on the effectiveness of the management of risks, then we are aligned. I suggest, however, that it is a message that is muted compared to the "residual risk reporting" call.

  1. Norman you proposed that: "The opinion should be whether the systems of governance, risk management, and the related internal controls provide a reasonable level of assurance that the more significant risks to the achievement of the organization’s goals and objectives are managed at acceptable levels."

    Governance - are you talking about Board governance, Management governance or Both?

    Isn't "acceptable levels" in fact "residual risks"?

    Also, your discussion is fine and dandy where the business model is geared to provide management and BOD assertions on GRC that can actually be validated by internal audit.  But in my experience most companies are not prepared for these assertions and that is where internal audit should be consulting/advising the BOD and management to get to an acceptable capacity/maturity.  Then, internal audit could move to the assurance role.  Otherwise this will not get done.


  1. Mike, how about we use the King III view of governance? That extends beyond the board to some management functions, such as establishing a vision, strategy, goals and objectives; monitoring and optimizing performance; etc.

    Acceptable levels refers to the level of retained risk (and that refers to the level of risk after consideration of controls, or what some call residual risk) that is acceptable to the organization - some refer to risk appetite or tolerance, while I prefer risk criteria.

    Why is this dependent on management assertions (whatever you mean by "GRC")? It is not for me, and other than when required by regulators I am not used to management making any such assertions.

    The absence of assertions has no limiting effect on IA opinions.

  1. Norman: The presentation was to both risk specialists and internal audit. In a perfect world an organization's risk management processes deliver reliable, real time information on the state of residual/retained risk to senior management and the board. This information should be designed to help management and the board make well thought-out decisions on whether residual/retained risk status linked to key value creation and potential value erosion objectives is within the organization's risk appetite/tolerance.  These processes should be developed and maintained by management with the assistance of any ERM support professionals.  

    The role of IA should be to assess the effectiveness of those processes and their ability to deliver materially reliable information on the state of residual/retained risk to management and the boards.

    In most companies IA will also have to play an important and sometimes key role helping their organizations design, implement and maintain those processes.  To the extent they are still functioning as the primary risk analysts/reporters via direct report audits we recommend they use assessment methods that align with ISO 31000 and consider the full range of risk treatments, not just "controls".

  1.  Tim, thanks for the clarification. The only quibble I have is that operating management as well as senior management need to understand and consider the potential effect of uncertainty (i.e., risk) in everyday decisions.

  1.  Norman,

    While I am in agreement with your 12 point 'plan' I have always had difficulty with internal audit using the word 'opinion'. My experience is that accountants (especially ex external audit partners) on audit committees have the external audit 'opinion' definition hard coded in their minds and you just cannot equate an internal audit 'opinion' on the control environment with an external audit 'opinion' on the financial statements.

    We need another word to break the mindset!

    Regards, Doug

  1. Norman: re your point above: operating management as well as senior management need to understand and consider the potential effect of uncertainty (i.e. risk) in everyday decisions - with respect, having built and sold a software company and worked with hundreds of clients in the public and private sectors I think management and boards are fully aware of the need to consider the effect of uncertainty on the achievement of their objectives.  The level of rigor they approach that task varies enormously and has often proven to be deficient or the process has been corrupted by self-interest.  (i.e. they understood the composite uncertainty and potential impact on the organization but opted to optimize their personal positions).

    Unfortunately the approach used by internal audit and external audit related to SOX 404 of providing subjective opinions on control "effectiveness" has not demonstrated to management or boards the power of formal risk assessment to provide a clearer more useful picture of the composite uncertainty related to the full range of objectives necessary for long term success. We have recommended for over two decades now that internal audit transition from subjective opinions on control "effectiveness" or "adequacy" to assessment methods that provide management and the board with reliable information on the composite uncertainty related to achievement of objectives.  We refer to the composite uncertainty status description as "residual risk status".

    Perhaps there are really no "quibbles" left on how we see the end game, only how to best transition audit from "supply driven" methods that provide subjective opinions on control effectiveness to helping management and boards better manage uncertainty.

  1. Hello Norman, I thought this was a great post. The back and forth with Tim Leech was a nice bonus! I think for this vision to be a reality, the organization would require a strong ERM program. Without that, IA would have too high a hurdle in terms of the evidence gathering required. In the absence of ERM, I would think helping the organization build up its risk assessment capabilities (at least within the COSO objective categories) would be a starting point. That might require an audit of the risk management program or a facilitated approach if management acknowledges the shortcoming in the risk management program without the audit. In our company, from the IA vantage point we have good perspective on the financial reporting risks due to the SOX program and coordination with our external auditors. However, we don't have as good a view into the other COSO objective categories (L&R Compliance, Strategic, Ops). Our board recently asked us to build out the Legal & Regulatory risk assessment process. The CFO is liking what he sees and is thinking through how we identify, prioritize and describe mitigation plans for strategic and key operational risks. Once we have the silos in shape, hopefully the board and top management will provide the oversight committee to lock it down so we have a solid ERM program. Then we would have the enabler for the opinion you mention. Thanks again!
