My Top 10 Priorities for Improving Internal Auditing

Dan Swanson recently posed the question, "Where should IA focus its efforts over the next 1-2 years?" This was my reply:

My suggestion for IA is:

  1. Work with management to improve risk management processes.
  2. Work with the board to improve risk oversight.
  3. Move to formal periodic reporting on the adequacy of governance, risk management, and related control processes.
  4. Move to an internal audit program that is focused on providing assurance and consulting services relative to the higher risks to the business as a whole. Move away from bottoms-up auditing (we have to audit the Sydney factory because it is large) and middle-down auditing (IT is important, so we have to audit IT general controls in their entirety), which are not based on risks to the business as a whole.
  5. Move to an internal audit program where the risk assessment is updated at least monthly, ensuring that today’s risks (and perhaps tomorrow’s) are being addressed, rather than yesterday’s.
  6. Improve the use of technology, and consider building a continuous auditing program as described in the IIA GTAG or a continuous risk and control assurance program described in my paper.
  7. Address the issue of whether management and boards are receiving sufficient, timely, reliable, and current information on which to base their decisions. See this post.
  8. Address the risk of ineffective management, hiring practices, etc. See two posts, here and here.
  9. Have a formal strategy. See this.
  10. Be introspective and constantly ask whether IA is adding the value it can, how to be more of a rock star and drive improvements to the business, and how technology and best practice have changed: can I leverage them better?

You can also read my foreword to Dan’s book, shown here:

Do you agree?


Posted on Jan 6, 2011 by Norman Marks


  1. Norman:

    It is very difficult to disagree with the points above and so I must agree. However, I believe that if the top two items are addressed in robust fashion, then several of the subsequent items will get done naturally. The challenge is in the working with management and the board to improve the risk processes. As you know, there are specific skill sets needed to do this which at the moment your average internal auditor does not possess, but could possess with appropriate training and focus, not to mention direction needed from the IIA. I kind of look at this as guaranteeing job security which is how we viewed internal audit in the 80s and 90s but no longer in the past decade. Just my thoughts.

    Best regards,





  1. Yes. I fully agree with Arnold. IIA curriculum should include more inputs for management buy-in for internal auditor's thoughts and inputs. However, the points summarised are an excellent view of the present position of the internal audit.

  1. While agreeing with all the points mentioned, I would like to add that internal auditors keep facing invisible resistance from lower level management and staff. Perception of the internal auditing remains unchanged since we do not really advertise our findings for department X to department Y, where we did not find any significant weakness. Changing that perception in cooperation with the top management should also be a priority.

  1. I also believe that the key to the future lies in #1 through #3. However, to get to #3 I believe we will find the solution lies in Auditors understanding more about what Good Governance and Good Management entail. Governance and Management have entire Universities dedicated to the successful execution of the role. If Internal Audit stops trying to create new language around risk and risk management and rather helps define good governance and management measurements using their own leading practice we will be half way there. If we can help promote good practices they are familiar with then we can create standards which will be amenable to them and with which we can begin to measure and report.

    Risk Oversight and Management only become valuable when placed in the context of current organizational strengths and vulnerabilities. Having gone down this path with our organization, I would make steps 4 through 10 about finding the right people with the talent to see the IA world from this perspective, then training and promoting them, so that they can train and promote the concepts to governance and management.

    My thoughts


  1. Hi Norman,

    Firstly, I agree with your list (which takes account of Monday morning). I do believe there are other elements (over which the Chief Audit Officer has control) that need to be addressed before many of the items on your list can be effectively achieved. Many of the problems facing Internal Audit arise from 2 factors, both of which we have to address if Internal Audit is to be seen as truly professional and effective in its activities:

    a) We have to get management throughout the organisation to fully understand that the responsibility for effective risk management lies with them. Once this buy-in is achieved, then there develops ownership of the issues. It's relatively easy to get the executive board to buy in to this (in many countries there may be a legal or regulatory obligation), but the message needs to be ingrained into all levels and that is far more difficult;

    b) Internal Audit functions must be properly resourced - not only in people numbers - but skills, resources, and a "can-do" attitude.

    Hope this adds to the discussion.


  1. It is interesting that there is no word of new knowledge and abilities and self improvement of internal auditors. Risk management is still a fancy phrase, but what about the lessons learned from the credit crisis and knowledge acquired from performing internal audits?
