Two Recent Surveys Provide Food for Thought

The Association of Chartered Certified Accountants (ACCA) held its annual conference in May. It asked participants to vote on a number of issues. The results (shared by Prof. Andrew Chambers) included:

  • Do you agree that boards operate in a partial assurance vacuum? 60 percent agree and 24 percent strongly agree.
  • Do you believe CAEs should provide overall assurance opinions? 78 percent said “yes.”
  • Could internal auditing fill the board’s assurance vacuum? 26 percent said “substantially,” 40 percent “much more than currently,” and 35 percent “to some extent.”
  • Should it be mandatory for boards of public interest entities to receive independent assurance about the management of external and internal risk? 95 percent said “yes.”
  • Do you believe that the internal audit organization is taken more seriously than it was two years ago? 82 percent said “Yes.”

Also in May, the Open Compliance and Ethics Group (OCEG) published the results of a One-Minute Poll on the issue of internal auditing. OCEG’s members are already committed to and actively interested in risk management, so the results are probably not indicative of the entire population. Even so, they are informative.

  • Should internal auditors, including those at major banks, insurance companies, credit agencies, etc., share in the blame for the current global economic crisis? 48 percent said “Yes,” 27 percent “No,” and 25 percent “Not Sure.” 
  • In answer to the same question, 38 percent of the internal auditors who answered the poll responded “Yes.” 40 percent responded “No,” and 22 percent were not sure.
  • But 70 percent of finance professionals said internal auditors were at least partly to blame; more than half the risk officers and about half of those responsible for compliance agreed. 52 percent of lawyers were not sure, but almost everybody who had a view thought internal auditors had fallen short.
  • Is the internal audit profession capable of evaluating the effectiveness of an organization’s risk management system? The overwhelming answer, with a nod towards variation in skills among auditors, was “Yes” (97%)! Auditors self-assessed at the same level.
  • Has the internal audit function at your organization assessed and reported on the effectiveness of its risk management system? 43 percent answered “Yes.”

So what conclusions can you draw from these surveys? This is what I make of them:
  1. Internal auditors are essentially alone, among those who have an opinion, that we share in the blame for the current global crisis.
  2. The fact that we have such a different view implies we have work to do in the advocacy area.
  3. There is an assurance role at the board level that we can and should fill, through assessments and reports on management’s risk management process.
  4. The argument that internal auditors do not have the capability to assess the risk management process and provide a formal report to the board and executive management team is not consistent with the views in the surveys.

I welcome your comments.

Posted on Jun 8, 2009 by Norman Marks

  1. I meant alone in so few auditors blaming themselves or the profession

  1. Norman:

    Thanks for highlighting some of the more interesting findings from these polls. I agree with you that it is a very bad sign that few people other than some internal auditors think internal auditors should share part of the blame for the current economic crisis. I would rather be viewed as relevant and told I need to improve than considered irrelevant and impotent.

    I also think that the 1992 COSO Internal Control Integrated Framework should also share part of the blame. The IIA is a member of COSO and should join with the IMA in lobbying for a full update to the 1992 framework used by virtually all banks at the root of the crisis to conclude their loan loss provisions leading up to the collapse were effective.

  1. There are so many results that the numbers may not be clear: Many more non-auditors believed internal auditors share the blame than auditors. Auditors need to take this seriously.

    With respect to the COSO ICF Framework, I actually find it quite effective as an internal control framework. What we need desperately is a governance framework like King III. That would link overarching governance activities, risks to their achievement, and the controls required to manage the risks within organizational tolerances.

    As I have said in prior posts (such as when I discussed the OECD report), the failures were in governance and risk management, not generally in detailed internal controls. From a COSO ICF perspective, they are in the Control Environment. From a COSO ERM perspective, they are in the Internal Environment.

  1. The views on IA responsibility and the need for improvement in the COSO framework are interesting.  Only problem is that in the end, no matter how effective IA is assessing and reporting risk mgmt issues to the Board or how strong the internal control & risk mgmt framework is, if company management decides to ignore the risk for any of a number of reasons, neither IA nor the framework will have any bearing on the outcome. 

    From what I've read in the many reports, articles, and analyses about the issues behind the financial industry failures, management's ignorance of or failure to properly consider the risks inherent in their policies was a major factor in the meltdown.  One example of this is allowing (and in some reported cases, demanding) that mortgages be written without underwriting or credit checks, which has been reported several times as being common practice in mortgage companies and some banks in the years immediately before the meltdown.

    It is inconceivable that the instruments that were being written could have been considered low risk just because an analyst put together a complex valuation model and everyone assumed that real property values would never decline again.

    In the end it was investor, management, and financial broker-dealer-underwriter-seller greed that trumped any risk management practices that the organizations had in place.  Investors wanted the same high returns from their shares that they saw people getting from investments in other financial institutions.  Management and the financial crew wanted their bonuses and stock options.  Please tell me how an IA function will be able to overcome that kind of behavior, since it doesn't have authority over management, and how even the best internal control-risk management framework will prevent actions based on decision maker greed, arrogance, and ego.

    Before I blame IA groups at the institutions, I would like to see research that reports the number of IA groups that attempted to report risk mgmt failures to the audit committee, but were overridden or ignored, compared to the number that did not attempt to assess risk mgmt practices or that did not identify ineffective risk mgmt programs in risk mgmt assessments in the relevant areas that were actually included in their audit plans.  Also, the number of annual audit plans in which the CAE's initial proposal included risk mgmt program assessment in the area of the instruments that were the basis for the financial meltdown, but for which company management was able to convince the audit committee that it was such a low risk area that it didn't warrant extensive attention.  I would not be surprised if both of those conditions existed.
