Are There Lessons for Internal Auditing in All of This?

Richard Chambers, CIA, shares his personal reflections and insights on the internal audit profession.

The great French military and political leader, Charles de Gaulle, is said to have observed that “generals are always fighting the last war.” The reasoning behind this often-used quote is that military threats are always changing and evolving, and there is a temptation to assume that the next threat will look just like the last one. My fear is that internal auditors are tempted to fall into this trap. However, focusing audit coverage on “yesterday’s risks” can result in being ill-prepared when new calamities appear.

In the late 1990s, the corporate sector became enamored with the “value-added” concept of measuring the worth of corporate functions. Rather than defend their traditional value propositions, many internal audit activities sought to redefine themselves as consultants and business partners. In the meantime, corporate financial fraud was festering in many of the largest and most prestigious companies in the world. Following the implosion of Enron, WorldCom, Parmalat, and others, we quickly re-equipped ourselves at the behest of our stakeholders to focus extensively on financial risks. In some cases, corporate internal audit activities became so immersed in their new roles that all they did was consulting in the late ’90s and Sarbanes-Oxley support in the mid-2000s. As a result, many internal auditors were totally unprepared for the next “big risk” that their organizations faced.

Later in the decade, as we were sitting back congratulating ourselves on having helped our organizations navigate new financial regulatory requirements, spectacular risk management failures were about to be exposed in many of the largest companies in the world. Some have observed with interest that no one has asked, “Where were the internal auditors?” Others have observed cynically that internal auditors are notoriously focused on yesterday’s risks, and that no one seriously expects them to help prevent the type of calamities we have witnessed in the past decade. My instincts are to be offended by such dismissive comments; however, I understand that even the perception that we are focusing on yesterday’s risks should be a wake-up call for the profession.

The common thread in the missed opportunities of the past decade appears to be our reluctance to truly formulate and execute risk-based internal audit plans. The IIA's International Standard 2010: Planning clearly spells out the requirement. Yet, I have talked with many chief audit executives in recent years who still subscribe to “carve out” or “cyclical audit” philosophies. In each case, all or part of the annual plan is dedicated to preordained areas, regardless of risks. 

It is also disturbing to note the lack of internal audit activities that provide any assurance on the effectiveness of their company’s risk management. International Standard 2120: Risk Management mandates that internal auditing “evaluate the effectiveness and contribute to the improvement of risk management processes.” One could only wonder if some of the recent risk management failures could have been mitigated if corporate internal audit activities had correctly prioritized and been given the latitude to assess and report on risk management practices.

Going forward, we have another opportunity as a profession to assert our value as an independent, objective source of assurance about the real risks facing our organizations. This will necessitate some education of key stakeholders on the value we can bring. Many will be skeptical. Yet, I am confident that we can muster the talent and capabilities to deliver. If we don’t, we are destined to continue providing audit coverage of “yesterday’s risks.”


Posted on Feb 25, 2009 by Tim McCollum

  1. Richard,

    You correctly and appropriately point out the need for internal audit to provide risk management assurance and consulting services.  But there is a third leg: governance.

    The number of CAEs performing risk management audit work is far more than the number providing assurance on the full scope (or even the greater part of) governance processes. See my Governance blog for more on compensation issues.

    I pass it back to you: how can The IIA use its influence with practitioners to remind them that there are three elements of internal auditing in the Definition?  How do we encourage (and protect) them to assess and report on the organization's governance processes - including whether they provide reasonable assurance of effective governance?


  1. A very timely and pertinent series of questions. From an Australian perspective, IIA-Australia is aiming to get on the front foot in a number of ways:

    1. We were instrumental in pushing for and getting a new requirement for Stock Exchange listed companies which encourages Boards to get to assess the veracity of their risk management systems. This partners well with a new requirement for management to sign off on how well they are managing their material business risks (also driven by the IIA) rather than just saying they comply with COSO ERM or the new ISO risk standard.

    2. Governance requirements have been driven hard to focus on independent Audit Committees, Audit Committee Chairs and Chairman of the Board.  This is now the norm and Australian CAEs report to these independents.  This is also now permeating government agencies and departments nationally.  IIA has been instrumental in this and continues to drive the agenda.

    3. This year's SOPAC conference is focused on the topic of Trusted and Valued in Challenging Times which is sure to be a lively discussion.  The majority of key players in the Australian landscape will be there.

    4. Thought leadership papers have been produced on Auditing in Turbulent Times for the benefit of Australian CAE members.

    5. We're piloting a new course on strategic risk, which runs for the first time in Adelaide this Friday.

    Whether the Australian environment is more resilient as a result of all of this is debatable, but we're reasonably convinced that this has made a noticeable difference, and been able to be on the front foot on some of the issues above. We hope some of these aspects serve as a useful model for others.

    Challenging times ahead for all.

    Todd Davies
    Technical & Policy Director

  1. A small typo above.  Point 1 is getting internal audit to do that assessment of the veracity of their risk management systems.

  1. Great point you've presented. Requiring internal auditors to prove that their department truly meets their objectives and not just one objective (e.g. consulting or reducing compliance costs etc.) is important. However, in the areas of smaller public companies, my concern is that Audit Committee Chairmen rarely know about IIA standards, much less what their role is to make sure those standards are being executed properly.

    I hope the IIA will continue to use its influence to inform Board members and offer training sessions for them in order to provide sufficient oversight.

