The CAE's "Real Challenge" - Ethics, Courage, and Complacency

The other day, somebody replied to one of my blogs — and got my blood boiling! So, here is the rant for the week.

Essentially, what they said was while it was good in theory for the CAE to focus on providing assurance, in practice the CAE has to be very conscious of and responsive to management expectations. Management wants to see real value from internal audit, and therefore internal audit needs to demonstrate tangible savings in costs, and such. If internal audit is to get management support for its existence, a reasonable budget, etc., then focusing on providing assurance is not the answer.

Do you remember the Roman Emperor, Nero? He is famous for paying attention to his music and enjoyment while the barbarians were attacking, overwhelming, and then pillaging his capital. He "fiddled while Rome burned."

Well, I think this is a good analogy for those CAEs who focus on building a scorecard that shows how much they have saved their organization (through audits of benefit programs, vendors, etc.) but are not assessing the risk management program. They are doing the fun stuff but failing to address the risks that could cause (and in some cases have caused) the failure of the business.

It's fine to supplement essential assurance activities with the tangible value-adding programs - and I have done a lot of that in the past. But, the assurance work has to be covered or (in my opinion) internal audit is failing to do its job. When that is a conscious decision, I have to question the ethics — and the courage — of the individuals involved.

When I talk about complacency, I am talking about the tendency for some CAEs to continue the same internal audit program, using the same tools and methods, in the face of new technologies and approaches that can deliver massive additional value. I simply don't understand the reluctance to:

  • Take advantage of emerging and improving technologies for data analytics, continuous auditing, etc — including social media
  • Provide opinions, both on individual engagements and overall. (As an aside, it is well past time for this to be mandated by IIA Standards. How can you provide assurance when you don't express an opinion?)

I welcome your comments.

Posted on Jun 15, 2010 by Norman Marks


  1. Perfect. I responded elsewhere that if we are trapped into accounting for ourselves by mere cost savings then as a profession Internal Audit is dead. The real value comes from understanding management, the business, and the risks, and providing an early warning system coupled with an assessment of impact when activities deviate from the expected control framework. I agree an opinion is valued.

  1. Well said.

  1. Can you please let me know what recommendations you may have for tools we can use to perform data analytics.



  1. Would you please elaborate on the use of social media (twitter, facebook, etc) by internal audit?

  1. I completely agree that there has to be value additions and cost saving can be one of them and nothing more. It cannot be the objective why internal audit exists.

    I also agree with the thought that data analytics, continuous audit are the way to go for internal audit to be increasingly effective.

    All the above objectives become difficult to achieve when one faces regular hurdles from management (e.g. budget) and also from audit committees. To me some of the fundamental questions need to be answered for future improvement of Internal Audit.

    1. What is the incentive for a highly skilled employee to join audit vis-a-vis a front office job?

    2. What is the audit literacy of the audit committee members? I have not come across any best practice that makes it mandatory to have at least one such member with an audit background. While there is always a recommendation to have a financial expert. The argument can be the financial expert suffice the audit requirement also, which I think is not the case, other than exceptions.

    3. Why the board plays safe when it comes to decide the budget of the internal audit? As then the increment or incentive kitty for the internal audit then falls into another the back office job bracket!!

    4. With all the emphasis on finance, to me the audit committees are more of finance committees than audit committees. Should there be some parameter for the time share of internal audit and financial results?

    5. Should share price increase be the reflection of quality of the board or share price is left as a KPI of CEO and maturity of risk management be the measure of quality of board?

    6. Who is talking about having a safety net for the auditors, who raise issues not comfortable to the management? Samsung being the latest addition but there the whistle blower was the Chief lawyer.

  1. All good comments.  It takes leadership and an organization to make these ideas move.  Dave

  1. I totally agree, Norman. I truly believe internal auditors should be adding value to their organizations, but that they should do so by way of their primary purpose. Perhaps it was a situational, or individual company, perspective that was offered on your previous blog. If the management of that company doesn't recognize the value added by their internal audit group, then perhaps that group is incompetent. Of course, I can't make that call precisely. I like the analogy you reference regarding Nero. It is true internal auditors should focus on those activities that could (and perhaps will) cause serious damage to the organization's success. Internal auditors have a role and serve a very important purpose. It is up to the auditors to stand firmly and not be deterred by management's objectives. In my opinion, it's almost repulsive that management could suggest the internal audit group isn't adding value. I say this because if the auditors are providing proficient risk management assessment and assurance, the value is added by those recommendations to avoid or reduce their risk findings. Why wouldn't management recognize that? It's as simple as 1-2-3. If the assurance work is not covered, then the audit function is indeed failing to do its job.
