Internal Auditors Should be 'Willing to Throw the Flag' Before the Play

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


In a speech that I delivered last spring, I discussed the various roles that an internal auditor can play across what I called the “ethics continuum.” I noted that on rare occasions, when internal auditors become embroiled in a fraud or conduct, they are an “accomplice.” On other occasions, I noted, the internal auditor isn’t an accomplice. Instead, he or she simply sits on the sidelines and does not call out inefficiency, waste, fraud, or mismanagement. I called these internal auditors the “spectators.”

I also noted that from my experience, the most frequent role that internal auditors play is that of a “referee.” Much like a referee in a sporting event, internal auditors often observe the plays that make up the normal course of business operations, and blow a whistle or throw a flag when circumstances warrant. They are objective in assessing whether a “foul” or “infraction” has occurred, but they are still reacting to what took place in the past. From my experience, however, internal auditors cannot be fully effective if they are only willing to identify mistakes or fouls after an errant play. They must be willing, when circumstances warrant, to throw a flag before the play.

In a recent blog, I discussed the fiasco of the website rollout for the U.S. Affordable Care Act. Obviously the failures associated with the website rollout were not caused by the IG’s auditors. We still don’t know the entire story regarding the website problems, but it seems evident that opportunities may have been missed to sound warning bells. Either the auditors did relatively little proactively to warn agency officials of potential failures, or when warnings were given, they were less than effective in preventing the disaster. The result: One of the biggest public relations calamities to rock a government agency in recent memory.

I raise the example of the debacle again not to continue piling on. Instead, I believe this represents a perfect case study for when an internal auditor can throw a flag before the play. When complex IT systems or websites are being designed is the time for internal auditors to become engaged. If they observe inadequate planning, internal controls, or systems design, the time to speak up is before deployment. This is true for any new business or IT initiative. Waiting until deployment and potential failure adds no value and risks the reputation of the very enterprise they are entrusted to serve.

Just as a football referee will throw a flag for an “illegal substitution” infraction or a “false start,” an internal auditor should be willing to throw the flag before the ball is snapped.

I welcome your thoughts.

Posted on Dec 11, 2013 by rchambers


  1. Richard: Thanks for raising this important issue. I agree that in a perfect world Internal Audit would, as you indicate above, be willing to throw the flag before the play. Unfortunately, in my experience, on serious issues at the CAE level involving senior management, throwing the flag can entail high personal risk to the internal auditor. In the absence of high support from the audit committee and/or a really good severance clause in their employment contract, this step needs to be carefully "risk assessed". If one looks at the number of major corporations that history tells us were engaged in high risk, sometimes illegal activities, the CAEs in those companies may well have decided to put their family and personal financial security ahead of idealism. These are not easy choices and in many cases the CAE has no one to discuss their dilemma with. The more the IIA can do to provide support and advice to CAEs faced with such moral dilemmas practical advice the better.
  1. Richard, thanks for raising the flag, and Tim, your thoughts are so true. We also have a role of "coach" as well, as we need to be proactive in ensuring our organisations are also playing by the most up-to-date rulebook and using the strategies that have been found to be effective during gameplay. Taking on the role of educator and prompter of good practice provides a wider reach into our organisations.

    Being auditors may mean that sometimes we are not popular, but that comes with the role, as long as we have a long term strategic approach where we pick the "right" battles to fight to ensure that we don't lose the war (yes another analogy).

  1. Dear Masters,

    I see all of you has right, however, the substance is in all except in the Equilibrium of your sentences. Should we represent Always the same, should We Always take charge of the risks, Is anyone looking also at the weigh of the principles governing?

    The systems you are speaking about surely sometime will collapse as we have imperfections, as We anyway challenge high in just one of the sections, but miss to consider the value of the change among these sections instead of their frictions. As Jumping require to flex before to get higher and higher.

    If the System would be perfect we could take easy jumps, but we as the system are not perfect, if not in the pulse to get farer.


  1. Richard

    Thanks for your role in mentoring internal auditors, it has been the role of the auditors to watch on what management does, and sometimes they go wrong and even intentionally defraud shareholders. They can then come later and state the fact that they actively observed without taking an action or playing a referee role at that point in time.

    What then is the use of reporting the loss of huge outflows that put the company on the verge of collapse? We should raise these issues whenever we are in the know, to raise a flag for the benefit of the company and shareholders such that an investigation is initiated that could either put managers on their feet as there are onlookers that can act when wrong is sighted.

  1. Hi all, Questions: What is the scope of the audit? Where does the auditor sit in the organisation? Is the auditor too close to the activity? Cross audits are supposed to provide impartiality. What does the business expect to achieve from the audit? If it is a "rubber stamp" exercise, it is a waste of time. Are your I/As auditors or coaches?
  1. Dear Richard, Your point is valid and aligned with the core mandate of internal audit as adding value. So in the case of website design, I guess the internal auditor might have been involved. How is it also possible they missed the risk that plagued the system after it was deployed? What I know is that when a system has been designed there is the need for trial tests among several people with various authority levels to determine that the system is working as expected. However, there have been times that, though they are tested, it is done by one person who logs in and out to perform each test instead of tests being carried out simultaneously by several people.
