Ten Ways to Improve Internal Audit


Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


A highly respected (including by me) internal audit leader is Richard J. Anderson. He retired a few years ago after leading PwC’s internal audit practice, and is now with DePaul University as a Clinical Professor. Dick recently wrote an interesting piece in the Journal of Accountancy that listed 10 ways for the audit committee to “facilitate proper oversight and direction of internal audit.”


I will let you read and consider each of these items. For audit committee members, all are worth considering. Internal audit leaders should ensure they have good answers should the audit committee ask about any of these issues.

Let me put my spin on a few.

1. Dick suggests that the audit committee “Evaluate the current and projected scope of internal audit coverage of risk management and governance.” I believe that the audit committee should ask whether internal audit has considered the risk to the organization should there be failures in the management of risk by the company’s leadership, or defects in any governance processes (which include the setting of objectives and strategies, oversight by the board, performance management, and more).

The audit committee should ask whether internal audit is able to provide an opinion, not only on internal controls, but on the combination of governance, risk management, and internal control processes. If they are not, they should ask why not. It is quite possible that internal audit has determined that these processes are insufficiently mature to merit a traditional assurance audit; instead, they are working with management and providing consulting services to help those processes mature. If that is the case, the internal audit leader should have ensured the audit committee understands the current maturity level, the risk that it represents to the organization, and whether management is taking the steps necessary and appropriate to bring them to acceptable levels.

2. Dick’s second point is also important. He asks that the audit committee “Ensure that internal audit’s risk-based plan is flexible and responsive to change.” As he explains, “Amid complex and dynamic risks, many internal audit groups update their risk assessments and audit plans more than once a year.”

“More than once a year” is barely touching the surface of the problem! When the business environment is as dynamic and full of rapid change as it is these days, internal audit should ensure it is addressing the risks that matter today. The audit plan should be dynamic and responsive to the changing internal and external environment.

Personally, I have used a rolling plan where engagements for the next month or possibly two are firm, and after that the plan is subject to change.

3. Dick continues by suggesting that the audit committee “Determine how internal auditors are using technology,” “Assess the strategic vision and plan for internal audit,” and “Define how internal audit will provide value to the organization.” The order is curious, and I would change it.

Internal audit must understand the assurance needs of the organization. It should develop a vision and plan to develop the capability and then meet those needs. As Dick says, “Providing assurance is a core and expected value driver for any internal audit function.” Additional, value-added consulting services can be added once those core services are being delivered.

Technology is an enabler. So, the services that internal audit will deliver need to be defined before the use of technology is considered. I agree with Dick that technology can make an amazing difference to the quality and efficiency of internal audit services – although I do not agree that they should provide “monitoring and data-mining capabilities to improve business-unit performance”. That is a management responsibility.

4. One point that Dick did not mention, perhaps because it was not highlighted in the underlying IIA 2010 Global Internal Audit Survey, is that internal audit needs to communicate effectively the results of their work to both the audit committee and management. (Dick makes a different point about communications with the audit committee.) Most internal audit reports are excessively long and fail to communicate concisely and clearly what their stakeholders need to know. The audit committee should review the audit reports they and management receive and consider whether they can be trimmed to at most a page with a few pages of attached detail for significant issues only.

5. I will close with perhaps the most important point for audit committees, and one that is not mentioned: does the chief audit executive (CAE) have the respect and standing within the organization to be effective? This requires not only the appropriate reporting relationships (functionally to the audit committee and administratively to a top executive or the audit committee chair), but that the CAE has the executive presence and capability to be effective. Do the CEO and CFO, together with other top executives, demonstrate respect for the CAE’s ability to help the organization succeed?

I welcome your views and comments. 

Posted on Sep 4, 2013 by Norman Marks


  1. 'Ways [for the audit committee] to facilitate proper oversight and direction of internal audit'. I'm generally in agreement with the 10 ways mentioned plus the additional points you raise. I think there are two important omissions, which are my first two. 1. Check compliance with COSO's 17 principles. This is most important as it establishes the risk maturity of the organization and the control environment in which the internal audit department has to work. 2. Determine if compliance with COSO is sufficient to allow internal audit to provide an opinion on whether significant risks are being managed to within the organization's risk appetite. If not, instruct the board to ensure compliance with the principles. No point in requiring IA to focus on risk management if the organization doesn't! 3. Evaluate the current and projected scope of internal audit coverage of risk management and governance (point 1 in the article). Decide with the CAE what the audit committee requires from IA (hopefully an opinion on risk management), what it considers the minimum work necessary to reach an opinion (number of risks checked) and how progress to this opinion is to be reported (quarterly meetings). This will improve communications and define how IA will provide value (points 3, 4 and 5). 4. Assess the ability and standing of IA to deliver the opinion required. Does IA have the staff (numbers and knowledge), budget ($), standards and technology to meet the audit committee's requirements (points 2, 6, 9 and 10)? In addition, does the IA department command sufficient respect in the organization to carry out its responsibilities to the full and produce an independent and objective opinion? (Norman, your last point).

    This is a fantastic article; I thoroughly enjoyed reading it. For those experienced and high-calibre CAEs this is already normal practice, but for those who think they can lead and manage an internal audit department this would, without a shadow of doubt, pose a threat to their competency and knowledge of what is happening around them and within their organisations. If I were an Audit Committee member and possibly involved in selecting a future CAE for the organisation I deal with, I would be very keen to ask those questions in order to judge whether the potential candidate really knows what they are taking on, or whether the internal audit function will simply be a "tick box" exercise.
    The other side of the coin is how up to date the Audit Committee member is with regard to recent internal audit standards, methodologies and approaches. I find it irritating that a member sits on the Audit Committee, happily criticises both management and internal audit, goes to collect his sitting fees, but has no clue and has never bothered to educate himself about IA standards.
  1.  Norman

    I agree with your point 5 that to be truly effective, the CAE must have the respect of all leaders of the organisation, not just for their audit and risk skills, but for their ability to relate those to the real needs and demands of the business.

    I have a view based on this that the best CAE is not necessarily a career auditor, but someone who is seen as a high potential future leader, who has both broad commercial/business sense, combined with professional discipline to understand the role they need to play as a CAE. They can learn IA theory from their staff.

    In a recent CAE role, I promoted a philosophy that the IA group was an entry point to the Company for future leaders who would spend time with us before moving on. We set ourselves an accountability that at least 80% of the staff who left our group moved to other roles within the organisation. We regularly achieved closer to 100% on this metric. One of the things we did to promote this was develop a training program for our staff of which over 50% related to skills other than audit/risk.

    This is not dissimilar to point 8 in the article, where it comments on the role IA plays in addressing the talent needs of the organisation.

  1.  I would like to add the skill of managing human relationships with top management and functional managers as a contributor to making IA effective.

    The internal auditor has to use this skill to assure auditees at all levels that the objective of the IA function is to support their endeavors to achieve departmental and entity-level objectives. His ability to bring functional managers into the process of joint working on corrective measures and risk mitigation plans will really make IA a value-adding function. In my experience I have observed that giving credit to the respective auditee for defining corrective measures and effectively implementing them resulted in the setting up of a very positive relationship and improved processes.

    In the same way, the internal auditor has to update Audit Committee members about the latest IA approaches and practices, and how adherence to them by IA has produced positive results for the organisation.
