So, Who Are Internal Auditing's Stakeholders?

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

In my last blog entry, I cited some emerging challenges and identified five key priorities that chief audit executives (CAEs) should be pursuing as 2011 gets underway:

  • Assess key stakeholder expectations, identify gaps, and implement a comprehensive strategy for improvement.
  • Assess internal auditing’s contribution to risk management and “step up to the plate” as needed.
  • Deploy a strategy for internal audit business knowledge acquisition.
  • Streamline internal audit processes and operations to enhance value.
  • Coordinate and align with other risk, control, and compliance functions.

I have spoken on these themes at several forums in recent weeks, and one question has arisen on multiple occasions: Who are internal auditing’s stakeholders? While there is no universal answer to the question, I thought it might be worth exploring here.

The IIA’s International Professional Practices Framework refers frequently to the relationships that the CAE and internal auditing have with a number of parties. However, the precise term, stakeholders, isn’t used very often. defines stakeholders as: “a person or group that has an investment, share, or interest in something, as a business or industry.” Where internal auditing is concerned, I have often bifurcated stakeholders into primary, secondary, and tertiary segments. I’ll share my personal views as to each of these segments.

Primary internal audit stakeholders: For me, this one is the most obvious. I believe the primary stakeholders include:

  • The audit committee and the board.
  • The CEO (or head of the enterprise).
  • The chief financial officer or individual to whom the CAE reports administratively.
  • Potentially, the other chief officers of the enterprise.

Secondary stakeholders include:

  • Business unit executives/leaders not identified as primary stakeholders.
  • External auditors and regulators (the first time we think of stakeholders potentially residing outside of the enterprise).
  • Investors and creditors.
  • Citizens and taxpayers (for government audit functions).

Tertiary stakeholders include:

  • Employees (and potentially retirees) of the enterprise.
  • Investment analysts and others with an interest in the performance and effectiveness of risk management, and internal controls of the enterprise.
  • Potentially, the general public.

Now that I have shared my totally subjective view of who the stakeholders are, what should be done with them? As I often state, internal auditing must recognize that it exists to serve the needs of the various stakeholder groups, and that their expectations are constantly evolving and rarely aligned. Internal auditors and CAEs who lose sight of that fact are at substantial risk of long-term failure.

In the next blog, I will share my thoughts on effective ways to prioritize stakeholders and to identify and respond to their changing expectations. In the meantime, I welcome your views on who our stakeholders are and where my inventory diverges from yours.


Posted on Feb 9, 2011 by Richard Chambers


  1. Richard:

    This is indeed an important topic and you are bringing out some strong points, however some clarifications are in order :

    It is not internal audit’s job to identify and communicate with all the stakeholders. This is management’s job to do. It is however their job to communicate with some of the stakeholders by virtue of their reporting relationships and need to get the job done.

    It is internal audit’s job to assure that management has identified all of the company stakeholders (e.g.  Customers, union officials, fishermen, contractors, environmentalists are not on your list as just some examples but there are others depending on the type of company ) and has a formal communications plan in place with two way communication of the right kinds of information and at the right time. Currently, most internal audit functions do not do this even though it is part of their job to do so.  Most importantly, the recent IIA guidance on assessing adequacy of a company's risk management system is quite deficient and will need to be redone or comprehensively updated. The audit of communications would be one of several things in the document.

    (Continued below)


  1.  continued from above

    It is difficult to impossible to prioritize stakeholders that management needs to communicate with and it is not necessary to worry about this. What is necessary to worry about is whether the needs of the stakeholders have been factored into the strategic objectives of the company and thereby the underlying risks (e.g. on BP-two stakeholder groups were the contractors and the fishermen). It does not appear that these groups were identified early on but they sure were identified after death of the eleven contractors and after 30,000 fishermen lost their livelihoods, were they not?



  1.  One clarification above- when I referred to strategic objectives and risks- should also have indicated the risk appetite/attitude. So when one is thinking about the stakeholders and  their needs, one also needs to be thinking about the nature/types and amounts of risk one is willing to assume. This sets the risk appetite of the company.

  1. Richard:

    I am looking forward to your next blog post. Although little research has been done into the role of IA in major corporate governance failures I suspect that in many cases the CAE faced the difficult decision of deciding who they owed first and primary allegiance to because there was a conflict. In cases of a domineering CEO the CAE better have the full protection of the board and, in my experience, many don't. Even a great severance package may not be enough in the case of a vindictive CEO and/or CFO. In some cases a CAE might even be faced with a bigger problem - a board that is willing to support improper conduct of senior executives because of their own self-interest. This is likely the biggest problem a CAE might have to face in his/her career.

    As a general rule, my belief is that a CAE's job is done once the board is fully aware of the risk status. If the board is incompetent, unethical, or worse,  that is the shareholder's problem.  The new ICGN guidelines for board oversight are a great step in the right direction.

    Perhaps Congress should pass an act that financially protects CAEs that do the right thing and jeopardize the balance of their career????. CAEs are excluded from financial gain for blowing the whistle

  1.  Tim:

    I would think that most CAEs have the courage to call situations the way they see them regardless of the consequences and in this day and age, an overly domineering CEO surely must understand the repercussions of his/her actions. We are ten years into some of the worst disasters from the Enrons at the beginning of 2000 to the financial institutions at end of the decade. No, I think a much bigger disaster looms out there for the CAE and this disaster is called "the blind leading the blind" meaning- the board and CEO do not have a comprehensive well thought through understanding of risk and neither does the Head of Audit.

    When the dust settles, internal auditors will get blamed for some of the problems unless they step up to the plate and make sure that among other things that they provide robust assessments on the adequacy of risk management systems and if such opinions call for boards and chief executive officers to be trained, so be it. The IIA has recently submitted for proposal one such document which the respective researchers will have a good time with as I think one of the conclusions will be that CAEs did not have the right risk management skill set. But stay tuned.

    Best regards,



