The Transformation of Internal Audit

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


Two individuals I respect collaborated on an article with this title in the August issue of the CPA Journal (see page 32). Gaurav Kapoor is the CEO of GRC software vendor MetricStream, and Michael Brozzetti is the CEO of Boundless LLC, an internal audit and risk advisory firm.

The article makes some excellent points. It starts with this assertion:

The field of internal auditing has transformed significantly over the past decade. Several factors have contributed to this change, including the increased complexity of a globalized marketplace, high-profile fraud and corruption scandals, new laws and regulations, and increased demand from stakeholders for greater assurance.

Gaurav and Mike also state that a focus on improving risk management remains a priority for the audit committee, and they refer to IIA guidance on providing opinions on governance, risk management, and internal controls. Excellent!

But do they go far enough to advocate that internal audit plans should be focused on the more significant risks to the organization, the matters that are discussed in the board room and at the executive leadership table?

Do they take on too much of a role for internal audit when they ask IA to provide “leading indicators about risk”? Shouldn’t IA be working to stimulate and encourage management to do that?

Is there too great a focus on technology for managing the internal audit function rather than using technology to monitor and audit risks? I know where I would spend my limited funds! (See this prior post on IA use of technology).

In fact, are they describing where internal audit practice generally is today, rather than where it needs to be and where it needs to go?

I welcome your comments.

Posted on Oct 4, 2012 by Norman Marks


  1. Thank you for sharing your thoughts and comments, Norman.

    The theme of internal audit becoming a source for risk information is premised upon IA’s governance duty "to communicate risk and control information to appropriate areas of the organization; and coordinate the activities of and communicating information among the board, internal and external auditors, and management," as highlighted in the IIA's Governance Standard 2110. In my view, this governance role should extend well beyond just ad-hoc reporting of risk information and be aligned with the concept of a portfolio view of risk management. Management should be playing an active role in establishing risk information; however, this should not preclude internal audit from aggregating this information for the purpose of communicating new insight and perspective to the board, management, and other relevant stakeholders.

    In my mind, risk management is a two-way street. It must take into account the matters being discussed in the Board room (top-down), but it also must take into account the risk information rising from within (bottom-up). Taking this approach can help validate that the matters being discussed amongst the Board are the right ones or, to the contrary, it may help validate the need for new matters to be brought to the table for Board deliberation and judgment. As Mark Twain stated: "It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.” My full commentary can be found here.

  1. Norman,

    I like the thinking displayed in this article. IA is far too focussed on its own processes and on process auditing in the business. With the evolution of the three lines of defence and (particularly in financial services) the maturing of risk management, the focus of IA for adding value to stakeholders is to address the risks related to the strategic drivers in the organisation (a given within this is providing assurance that the risk management, compliance and governance (control) responsibilities of the first line of defence are working as intended).

    By providing assurance on the risks (not processes) related to the drivers of the board's strategy, IA will be providing input to executive discussion and decisions: the things that concern the board.

    This will require a different skills mix for IA teams and real attention to the deliverable. Not many CAEs have thought through the implications of this, and as one said to me, "...but that's hard to do ...". Enough said!


  1. Mike, I read 2110 differently. It says to audit governance, and communicating risk information is a governance activity:

    2110 – Governance

    The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:

    · Promoting appropriate ethics and values within the organization;

    · Ensuring effective organizational performance management and accountability;

    · Communicating risk and control information to appropriate areas of the organization; and

    · Coordinating the activities of and communicating information among the board, external and internal auditors, and management.

    Organizations may ask internal audit to step into the shoes of management and lead a risk management program (I have done that). But that is an additional function they are taking on, IMHO, rather than an extension of internal auditing.


  1. I agree that understanding the risks that are discussed in the trenches may give you insights as to whether the top of the organization has a complete understanding of the risks that matter. However, I believe that should be part of assessing how the organization as a whole manages risk (part of an audit of risk management). When that program is effective, we should rely on their risk assessment rather than perform our own.

    I also agree that it is essential to assess the design of the controls. My understanding is that most internal audit departments have been doing that for quite a few years.

    You and I will disagree on the value of a broad GRC set of solutions that integrates with itself rather than with enterprise applications, such as the financial system and ERP. Even when I had an internal audit department of 50 people, because I always had only a rolling 3-month plan I didn’t place a lot of value on audit management. I was much more interested in risk monitoring, analytics, fraud detection, and continuous auditing – and remain so today.

  1. Doug, that is well said.

  1. I am fundamentally opposed to this "new" methodology now being espoused that appears to get IA directly involved in the risk management process. I oftentimes tell students and workshop participants that IA and risk managers can live together but should not sleep together. I sometimes wonder, and I am sorry if this sounds harsh, if this is not intentional on the part of the audit profession. Can this then be perceived as encroachment?

    IMHO, one of Audit's most important roles ought to be the assurance that the risk management function (and all that comes with it) is optimal.

  1. Ken, do you believe that IA should audit and work to improve the risk management process? Is it only that you think IA should not encroach on management's responsibility to manage risk?
