The Role of the Chief Audit Executive and Internal Audit in General

ComplianceWeek continues to publish controversial (and some say mistaken) pieces on internal audit. Please see this discussion of the merits (or otherwise) of an October article "Is Internal Audit Lacking in Leadership Skills," together with my personal assessment of the state of internal auditing.


The latest is a blog by the managing editor of ComplianceWeek on the role of the CAE in the future. Unfortunately, this piece confuses the role of the internal auditor — assessing management’s processes for addressing risks — with management’s role of identifying and responding to risks, and running the business.

Here are some excerpts and my comments:

·         “First, we discussed internal auditing's shift away from inspecting a company's controls, toward scrutinizing the company's risks. Then we pondered whether that shift changes the CAE's role in helping senior management make strategic decisions about the company.”

o   Comment: the role of internal audit is to provide assurance on management’s governance, risk management, and internal control processes. It is not our role to “help senior management make strategic decisions.” If management needs help, that should be provided by the board.

o   Comment: the shift is from auditing controls to assessing whether management’s processes and controls are sufficient to address the risks. But we are still auditing the process, not whether the decision was correct.

·         “Through most of the 2000s, internal audit departments were overwhelmed with the Sarbanes-Oxley Act, where they had no time for anything but testing controls over the company's financial reporting.”

o   Comment: this is a massive overstatement. While many audit functions spent a large part of their time auditing key SOX controls, in no way was that all they did. In the last few years, there has been a significant rebalancing of internal auditing and a return to including risks across the enterprise.

·         “A funny thing happened, however, on the way to reliable financial reporting: risks proliferated around your company anyway.”

o   Comment: the risks always existed, including the ones given as examples in the blog, and have been included in the internal audit risk assessment process.

·         “The internal auditing department's job should be about (1) identifying the company's risks; (2) helping to reduce the likelihood of those risks; and (3) helping to ensure that when a risk does strike, it will cause the least disruption possible to the business.”

o   Comment: absolutely not! Management is responsible for all of these activities. Internal audit’s role is to provide assurance that management has reasonable processes to do so. This demonstrates a fundamental failure to understand the role of internal audit.

·         “Two particularly hair-raising statistics: 32 percent of the CAEs surveyed reported “no involvement” in discussions about mergers and acquisitions, and an astonishing 47 percent said the same for discussion about expansion into new geographic markets. Considering that most CEOs count M&A and emerging markets as the two primary sources of revenue growth in coming years, this is not good.”

o   Comment: this observation comes from PwC. It is true that internal audit may provide consulting services that help ensure effective risk management, security, and controls relating to specific M&A and expansion into emerging markets. We should also consider risks relating to the processes for strategy-setting and management, M&A, new products and projects, etc. in our risk assessment process. But I don’t see any particular reason for internal audit to be involved in every new initiative as part of the management team. Management is responsible for strategic investment decisions with oversight from the board. It is not our job to second-guess management decisions.

·         “Several of the CAEs in the room, however, weren't entirely comfortable with the idea that they should advise on a company's strategic direction. That puts you more in the role of counselor, far from the traditional internal auditing jobs of improving efficiency or assuring that employees follow company policy.” 

o   Comment: they are right to be uncomfortable with taking on a management or board responsibility.

·         “’I'll offer my advice on what a process should be to implement a decision, sure,’ one woman said. ‘But is it really my place as the internal auditor to participate in what the strategic decision is? I'm not sure about that.’”

o   Comment: no, it is not.

In my opinion, the lady quoted above gets it 100% right and ComplianceWeek is 100% wrong. We provide the board and top management with assurance that the processes supporting a management decision are OK. It is not our job to second-guess management or the board.

I welcome your views and comments.

Posted on Nov 1, 2011 by Norman Marks


  1. One joke to continue the theme/// Who does live beyond…CAE or CEO? Answer that, sincerely and honestly.

  1. I agreed with all comments. Also I might add that in matters of strategy, Internal Audit might make a recommendation to management to improve on a particular issue. In other words, Internal Audit should not be passive but it should be active.  

    If anyone (manager, auditor, compliance officer, etc.) wants to know more about corporate and IT auditing and the various roles of auditors and managers (strategic and operational), they might check out my two books:


    (2) CORPORATE CONTROLS, to be published (1/2012) by:, co-authored with Dr. Frank Nasuti and Dr. C. Kyriazoglou. 

    For more information please contact me.

    Thank you,

    John Kyriazoglou 

  1. I am not surprised by the confusion around the role of Internal Audit.  I have heard some Internal Auditors indicate that they felt they should have a place at the decision table.  I think the intent by these individuals is to help identify the risks that may be involved with a strategic decision but not necessarily to be involved in making the decision.  It is a fine line and therefore, for the uninformed, I can see how easily things can be misinterpreted.  I agree with your responses.

  1.  What I think about the article, is that all individuals subscribing to Compliance Weekly should cancel their subscriptions. Perhaps by doing so,  they will no longer publish junk. I agree with 90% of your comments in here. This is pure rubbish. I believe as you know in taking a confrontational approach to publishing, but I  think that there needs to be fact that can support statements being made. I think you should continue to ratchet up the rhetoric on this until they formally retract the article. 

  1. Norman:

    I agree with you on all points.  The Compliance Week article demonstrates a fundamental failure to understand how an effective Internal Auditor operates within an organization and a (seemingly) dangerous agenda to promulgate a poorly-formed vision of what CW thinks Internal Audit is all about.

    I have worked with a number of Internal Audit clients recently to help them determine how the IA department can best add value to the merger/acquisition/IPO process.  As you stated, it is not by participating in decisions or by second-guessing management, but in observing management's decision making process, reviewing the rigor of the due diligence that management conducts and determining that the decision reached logically followed the framework established by the Board.

    Norman, keep bringing light to those in darkness!



  1. In any change process I think it is highly imperative to consider the legal merits that are associated with such a merger/divestiture, that is to say precisely that I concur that a consensus has to be met and a board resolution be made. Every executive should work on the basis of reporting back to the directors and shareholders to avoid grappling with the middle man. Melvin
  1. Mark! I am happy to say that I agree with your responses 100%.
