Are Organizations and the Media Playing "Fast and Loose" With Headlines About "Internal Audits"?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

 

As part of my ongoing engagement in social media, I routinely monitor the media for references to stories involving “internal audit.” The past few weeks it seems that the media has been overrun with headlines involving internal audits. Normally, I would be encouraged with such coverage. However, where recent headlines have been concerned, I suspect the “internal audits” weren’t actually internal audits at all. I believe this happens more often than many people realize, sometimes showing up in the media when internal reports generated by management or “second line-of-defense” oversight functions are mistakenly depicted as “internal audits.”

The distinction is significant: When an investigation is performed by an entity other than by internal auditors, it is important to know whether it was done independently and objectively and in accordance with professional standards. In other words, just how much can we rely on information in the report?

Take, for example, the U.S. Department of Veterans Affairs Access Audit Report that recently became front-page news. Scores of news headlines across the nation touted the results of the VA’s “internal audit.” When I started reading about this “Access Audit Report,” it seemed at first to be a conventional government audit. But when I read further, I found something quite different. The report seemed to flow seamlessly between the voice of the “auditors” and that of management, with little distinction between whose point of view the reader was hearing.

Normally, audits within the VA are done by the VA’s Office of Inspector General. But it appears that, for the Access Audit, the organization was reviewed by its own senior management team.

I don’t mean to imply that the Access Audit Report was inaccurate or misleading. Indeed, the report made it clear that the work was performed by management. Measures were taken to promote independence, and each site visit was performed only by people who did not work at that location. I also don’t mean to imply that the auditors had no relevant experience. The report states, “Staff members selected were senior leaders in the organization familiar with conducting audits and site visits, e.g., administrative investigations where sworn testimonies are collected; consultative site visits based on defined technical criteria.”

Despite these assurances, however, the report left me with more unanswered questions. What does it take for a document to bear the title of “audit report”? As far as I’m concerned, there are quite a few things that stakeholders — in this case citizens/taxpayers — should expect from internal audits, especially in organizations whose governing bodies have specified that internal auditing will be practiced in conformance with professional standards.

The VA report does not specify whether the Access Audit team’s work was performed in accordance with professional standards, and I don’t know whether their experience in “administrative investigations” included training in subjects such as audit standards. That’s too bad, because knowing that the engagement was conducted in accordance with professional standards might have relieved several potential concerns about the report.

While it’s difficult to tell from the report whether the Access Audit was performed in accordance with professional standards, there is reason for speculation. Both The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) and the U.S. government’s Generally Accepted Government Auditing Standards provide frameworks for conducting high-quality, competent audits. The IIA’s Standards require, for example, that each internal audit function have a formal written charter, that auditors should be independent and objective, and that a quality assurance and improvement program should be in place. The VA engagement team seems to have been selected on an ad-hoc basis, so I wouldn’t assume the group had a charter or a formal quality-assurance program. A few questions about independence and objectivity might also be justified. And while an audit performed in accordance with the Standards would necessarily disclose issues in any of these areas, a management report might not be expected to do the same.

The VA report is not an isolated example of “audits” performed by someone other than auditors. I also recently read about an “internal audit” at a global manufacturing company that raised some of the same questions. Yet, when I looked at the company’s 8-K filing, the same issues were said to have been disclosed by “internal testing” in the company — not necessarily by the internal audit department.

It’s not that there’s anything wrong with management reviews. To the contrary, you can’t manage an organization effectively if you never assess operations. But management reviews are fundamentally different from internal audits. Keeping in mind that the International Professional Practices Framework’s Definition of Internal Auditing states that internal auditing is an “independent, objective assurance and consulting activity ...”

I believe organizations and the media should refrain from referring to internal management and oversight reports as “internal audits.” To be sure, management reviews can be objective in both fact and appearance, but calling these “internal audits” can result in misunderstandings and provide a false sense of assurance to the reader.

It boils down to transparency. We should give credit where credit is due, ensuring that there can be no confusion between internal audit reports, management reviews, and the work of other assurance providers. We should also ensure that all our stakeholders know whether an “audit” was performed according to professional standards or other relevant criteria. If every internal audit report was transparent about these issues, our stakeholders might have fewer questions about the quality of information in our reports.

Posted on Jun 25, 2014 by Richard Chambers

Share This Article:    

  1. Dear Sir Richard,

    You are absolutely correct in saying that our Internal audit reports should have an edge over other information sources and for that to happen crystal clear transparency and adherence to standards in our performance are of paramount importance. An internal auditor has to feel himself that he is successful in the organization and for that he needs to win the pat  on his back  from key stakeholders on an ongoing basis. The strategies our team used to follow include, the art of lessening the difficulties of Management through objective finding reports enabling them to realise and act, making aware of the actual situations to the key stakeholders, and creating a consensus on the report contents among all. Thus, an auditor can survive as a water drop on the lotus leaf and preserve his objectivity and independence. But winning the control over double edged sword is the art with which report is to be mastered

    Dev

  1. Richard,

    I agree.  As you have pointed out there are many organizations that describe management process as audits.  They sometimes go further and include "auditor" in position titles for individuals performing management functions.  As a result what true internal auditors do is often lost in the noise and our profession is sometimes maligned by the actions of the unscrupulous "auditor".  Most people do not take the time to research the distinction.  Unfortunately, you too were guilty of this in your presentation at the 2012 GAM conference.  As you have detailed above, as professional internal auditors we must look at information, especially that presented by the press, with professional skepticism and if able point out these errors.

    Skip

  1. Hi Rich, As I believe I may have brought up to you before on Twitter, can you explain exactly how the Office of Inspector General's reporting structure is independent as per IIA standards? From what I understand, all IGs report up to the administrative branch functionally and administratively, and this always seemed to be a violation of IIA standards to me. Wouldn't a better functional reporting line be a Congressional oversight committee, made up of at least a few members of the CPA caucus??
  1. I had an interesting experience the other day and I thought I’d share with the readers of this article.  I was at an internal meeting that was attended by representatives of the internal audit, risk, and compliance functions and the question was raised: “What’s the difference between the work internal audit performs and the work our business assurance functions perform?”  A very interesting question indeed but what was even more interesting was the response—blank stares.  No one in the room could clearly articulate the differences and, to be fair, a lot of what the functions do in terms of assurance work often looks and feels very similar to the end-users.  Needless to say, we spent the rest of the meeting outlining the key points of differentiation, some of which included the points raised in this article.  My view: if we want to differentiate the work of the internal audit function from the work performed by other assurance functions it may be worth engaging in a discussion with those groups that generally perform assurance work to create clarity and a unified voice regarding the differences.  Let’s be deliberate about it and ensure that those performing the work can clearly articulate the differences so the message is clear and consistent.  Keep the mud out of the water.

Leave a Reply