Should Internal Auditing Be More Transparent?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.

I talk to quite a few members of the press in my travels for The Institute, and most of the time the questions are fairly similar. Recently, though, I was asked a new question: “Are you concerned that there is not enough transparency in internal auditing?” The reporter’s concern was that, with a few exceptions, corporate internal audit reports are not available to shareholders or other outside stakeholders. 

My personal belief is that our role is to provide support to key stakeholders within the organization and that our reports should not be routinely available to the public. I’m not suggesting that it’s not appropriate for government internal audit reports to be publicly available. Government auditors have a key role in maintaining the public’s trust in our institutions. But if, starting today, all internal audit reports were made routinely available to the public, I think we would quickly see a chilling effect on the willingness of management and the board to have internal audit look at sensitive or high-risk areas that need immediate attention. 

Many times the best leads for high-impact internal audit projects come from managers who know something is broken but who want an independent assessment regarding causes and impact of the problem or the best alternatives for fixing it. As a former U.S. federal government inspector general whose audit reports were on the public record, I was told more than once by managers that they knew of significant problems — but that they would not ask me to look at the problems because they wanted to try to fix the issue before it became part of the public record.

I recognize that internal auditors are often champions for transparency, but I believe that if our reports were distributed widely to stockholders, the press, and other outside parties, over time our relationships with management might erode and our ability to add value would diminish. A price would be paid during our risk assessments in terms of candidness, and both assurance and consulting engagements could become more challenging. Obviously there is a strong need for independent reporting outside the organization. But I think that, with very limited exceptions, it is in the best interest of strong corporate governance to have separate internal audit and external audit functions, only one of which reports routinely to outside parties.

At the same time, I recognize that there are real benefits to transparency, and I respect the views of others who feel differently on this issue. I would appreciate hearing from you. Are there times that internal audit reports should be publicly available? If so, when should the reports be public? What do you think?


Posted on Nov 9, 2011 by Richard Chambers

Share This Article:    

  1. I agree completely with your position.  While not directly on point, the fact that the CAE, at least in our company, sits on the disclosure committee ensures that material information resulting from IA's reports and other activities are appropriately disclosed in SEC filings. 

  1. There is one response here and 25 on the LinkedIn page.  Should we respond here or on LinkedIn?  Where will the most IIA members see a discussion? Social media is confusing!

  1. The public and regulators for example in financial services and public listed entities are increasingly showing interest in a corporate governance structure that has a functioning internal audit function. Where regulators are placing reliance on internal audit as part of their surveilance role on institutiions, there are arrangements that internal audit reports are made available to the regulator similar to arrangements that exist with external audit. Where such an arrangement has matured, internal auditors profile and practice bar tends to rise and earn respect from the organisation, regulator, external audit and the public at large on the continuous independent audit assurance internal audit provides. Such organisations go further to publish in their annual reports on how internal audit is helping to strenghen governance, risk and control processes. Over time, it is my view that this reporting development might culminate with the internal audit opinion being included in the annual report under the governance section.

  1.  Richard and others:

    Internal audit has a responsibility to provide support to key stakeholders as is indicated above and those key stakeholders are generally the Audit Committee, CFO, CEO etc. But part of that responsibility is providing assurance over integrity of the risk management system. As you are aware, Internal audit has not been exactly doing a good job in this difficult area and hopefully that will change going forward.

    That assurance that I refer to above recognizes that there is a new game in town and that game is that there are a wide variety of stakeholders in any company both internal and external and the company must be responsive to not only have a two way communications process with such stakeholders but provide these stakeholders with the necessary assurances. When internal audit opines on the risk management system, this is part of what it needs to be doing. Therefore if there exist external stakeholders in the company that need to receive written reports for whatever reason, the risk management system needs to be responsive to this and internal audit needs to be opining on how well this is being done.

    So I say stop worrying about internal audit's reporting to the public and start worrying about what needs to be done so that internal audit can adequately discharge its responsbilities in risk management.



  1. Promoting Organizational Transparency is the future of IA opportunity. So it stands to reason that we have to begin by being transparent... Where we are strong, where we are not and what strengths we are planning to build.

  1. I agree with the point about controlled distribution of Internal Audit's reports. Distributing the reports to the appropriate clients,impacted areas, and to the Audit Committee contributes to the transparency process. Further distribution of the reports may in fact, as indicated by Mr. Chambers, impact our relationships with management in a negative way and my preclude smooth agreement and acceptance of findings and recommendations.
  1. good morning;

    I very well remember my earlier days when I was on the other side of the table (being audited; since 1995 I am in this side, auditing).  If there is a strong issue, which, if noticed by regulators or external examiners, the issue was not included in the audit report; however, it was taken up under a private and confidential memo and followed up promptly. In this case I am not sure whether the auditor is right; however, I personally feel that if the issue is not a criminal issue, there is nothing wrong in the process. Experts' opinion is solicited.

  1.  What is the objective of internal audit? Assessing risk areas, building / improving systems, controls etc. Conversely, anything that impairs the achievement of this objective cannot be part of internal audit function or responsibility. I dont see how making a report public to investors or outside stakeholders will help achieve those objectives, especially in the long term where fear and - perhaps - denial pervades working relationships with auditees.

    I also fully appreciate the apprehension stakeholders may have in calling internal audit into a preventive role, if even that would be public domain information. 

Leave a Reply