Do Internal Auditors Deserve a Seat at the Table?
The 1999 definition of internal auditing says it is about providing assurance (and consulting services) on the organization's governance, risk management, and related internal controls.
If we don't provide that assurance, what are we doing?
The definition of internal auditing doesn't say we should test for duplicate payments, seek out and investigate fraud, or find millions in contractor overbillings. Those all add value, but they are not our core mission.
Can we look in the mirror and say we are effective because we saved the company millions, when we did not report on the condition of risk management — and that is non-existent or immature?
I have great respect for Richard Chambers, who I believe is moving our profession forward in the right way. But I have to admit I got a reaction from him when I posted on Twitter (I am @normanmarks and he is @IIACEO) that 'internal auditors deserve a seat at the children's table if they don't provide a formal opinion on risk management." I believe internal audit should also provide an opinion on governance processes — at least those that represent a higher risk to corporate success. But let's start with risk management and graduate to governance processes.
I still believe this, so despite Richard's reaction, I will say it again:
internal auditors deserve a seat at the children's table if they don't provide a formal opinion on risk management.
Providing opinions on individual audits is something (incidentally, not every internal audit department does this), but its not enough in my opinion. The board and top management deserve and should expect a formal opinion on how well the organization manages the risks that matter to organizational success. (By the way, this is required by the King III code in South Africa).
The only time I would not expect such an opinion is where internal audit is providing consulting services, helping management implement or develop their immature risk management program. But even then, the board and top management have to know that:
The greatest risk many organizations are running today is their inability to manage risk.
Do you agree?
Posted on Jun 6, 2011 by Norman Marks
Share This Article: