Are You Auditing Up the Wrong Tree?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


One of the most important things internal auditors can do to meet stakeholder expectations is to ensure internal audit priorities align with those of the board and executive management. Risks that “keep our stakeholders up at night” also should be of concern to us.

If that sounds like common sense, consider that Thomson Reuters’ survey of internal auditors, The State of Internal Audit 2013 (PDF), found that while internal auditors are focusing on assurance of internal processes and IT risk, boards are more interested in governance, strategy, and strategic-level risk management.

If your internal audit function is stuck in the past, you risk becoming irrelevant or missing the real risks to your organization. Where I come from we call that “barking up the wrong tree.”

Misalignment is natural during times of rapid change. As the environment around us is changing, the internal audit function is undergoing one of the most dramatic periods of change in the history of the profession. Internal auditors are being asked to address more complex risks with fewer resources and under more intense scrutiny.

To survive and thrive in this environment, we need to step out of our comfort zones and into the more qualitative world of culture and governance. A robust dialogue with your stakeholders will not only allow you to zero in on their priorities, but it will also solidify stakeholder relations and help you avoid some of the pitfalls I discussed in my recent blog, Five Red Flags That Your Internal Audit Department May Be Losing Stakeholder Support.

So are you aligned? Ask yourself:

  • Have I asked the stakeholders about their priorities? Two-way communication with the chief executive and audit committee is critical.
  • Do we have the right skill set to meet those needs? Continuing education is key.
  • Do we have sufficient resources? Once you know what you need to focus on and are sure you have the skills to provide assurance, you still need to have the resources to make sure you aren’t being pulled in too many directions.

Assurance of internal controls will always be at the core of the internal audit function. But we need to expand our horizons and make sure our goals, skills, and resources are aligned with the growing demands on executive management and audit committees.

The recently updated Internal Control–Integrated Framework (PDF), published in May by The Committee of Sponsoring Organizations of the Treadway Commission (COSO), is a good starting point. It expands on the original 1992 COSO framework to provide additional insights into governance, globalization, regulatory oversight, and other board-level concerns.

The IIA’s new Certification in Risk Management Assurance curriculum is another good resource. In addition, The IIA Research Foundation recently added an entire volume on governance, risk management, and compliance to the 6th edition of Sawyer’s Guide for Internal Auditors.

These resources should go a long way toward helping you with the “how” of aligning audit priorities. For the “what,” I’d say the best source is going to be your audit committee and executive management — they know what keeps them up at night.

Are you auditing up the wrong tree? There’s no way to know without asking.

That’s my perspective. I’m sure most of you are dealing with this right now. I’d love to hear from you about ways you’ve achieved alignment. 

Posted on Jul 22, 2013 by Richard Chambers

  1. Richard: Great post. The need to align with stakeholder expectations is key. What is also key is that internal auditors know that the type of services and products they produced in the past and received positive feedback from the board and sometimes senior management are no longer good enough. They don't meet what boards need. I have often told the story of the CAE who was told by his key customers "We're very happy" "We're happy" "You're fired" to illustrate that sometimes there won't be any warning when a customer's needs change and the supplier keeps delivering the same product. Your post above actually illustrates a good example of "barking up the wrong tree". I would argue that your statement "Assurance of internal controls will always be at the core of the internal audit function" is an illustration. It's time internal auditors raised their game and provided opinions on the full range of "risk treatments" and how management generally manages risk. Internal controls are only one way of managing risk. Risk transfer, risk sharing, risk financing, avoidance of risk, elimination of risk sources and others are equally important options to "treat risk". The key is to manage risk so it's within an organization's appetite/tolerance. I will be presenting on this topic at the IIA All Star Conference in New Orleans in October. Thanks for continuing to alert the profession that there is a real and urgent need for transformational change.
  1. Reporting objective is the key. Basle has stated eloquently the reporting objectives about internal audit function for the financial services industry.
  1. hai sir,, image and business of an organisation and they can drive away existing and potential customers. - thanks for sharing ...,waiting awesome posts from you regularly ,,
  1. hai sir... image and business of an organisation and they can drive away existing and potential customers. thanking for sharing ,,,expecting awesome posts from you regularly..
