Past Performance or Future Potential: Why Is Internal Audit on Regulators' Radar?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


With attention comes attention. Internal audit has been looking to elevate its “seat at the table” for as long as I can recall. And, in 2013, internal audit is being given that seat more and more as a result of regulatory intervention. Internal audit is getting attention.

As you have likely noticed, internal audit is increasingly finding itself on the radar of regulators around the world, particularly those overseeing financial services. We saw this in the U.S. Federal Reserve Guidance that came out earlier this year. And, in response to concerns being raised by financial services regulators in the U.K., the Chartered Institute of Internal Auditors published Effective Internal Audit in the Financial Services Sector: Recommendations From the Committee on Internal Audit Guidance for Financial Services. Even the New York Stock Exchange and NASDAQ have been proposing potential changes to their listing requirements where internal audit is concerned. A common thread in the regulators’ efforts seems to be a quest for more independent, more effective internal audit functions with better access to company boards.

The question is: Why? Is it because they think we haven’t done a good job? Or, is it that in their post-mortem analysis of the circumstances leading up to the financial crisis, they concluded that such measures would enhance internal audit’s potential to foster effective risk management and governance?

I think it’s a little of both. Most of us would agree that, as a profession, we didn’t knock it out of the park in helping to identify or having an impact on the way risks were being identified, discussed, and managed in financial services. I don’t think anyone has been shouting from the rooftops, “Where were the internal auditors?” But I do think that regulators realized that, in many cases, internal auditors hadn’t been given the independence and stature they needed to be effective.

Often, we didn’t have necessary access to the board. The resources for financial services internal audit, both in terms of numbers and talent, also were inadequate. A few months ago, the chief audit executive (CAE) of one of the largest global banks chronicled for me how his predecessor had his resources reduced by almost 40 percent between 2005 and 2009.

I think regulators are getting it right. Requirements, such as those put forth by the U.S. Federal Reserve Board and covered in my Jan. 28 blog, underline what we at The IIA have been promulgating and recommending for years:

  • The CAE should report administratively to the CEO.
  • Internal audit management should perform knowledge-gap assessments at least annually to evaluate whether staff members have the knowledge and skills commensurate with the organization’s strategy and operations.
  • Internal auditors generally should receive a minimum of 40 hours of training annually.
  • The internal audit function should have a code of ethics that emphasizes the principles of objectivity, competence, confidentiality, and integrity, and that code should be consistent with professional internal audit guidance such as The IIA’s Code of Ethics.
  • The audit committee and its chairperson should have ongoing interaction with the CAE, separate from formally scheduled meetings, to remain current on internal audit department, organizational, and industry concerns.
  • The audit committee should receive, at least annually, an opinion on the adequacy of risk-management processes, including the effectiveness of management's self-assessment and the remediation of identified issues.
  • Internal audit’s risk-assessment methodology should address the role of continuous monitoring in determining and evaluating risk.
  • High-risk areas should be audited at least every 12 to 18 months.
  • Internal audit is encouraged to use formal, continuous monitoring practices as part of the function's risk-assessment processes to support adjustments to the audit plan as they occur.

This is not a complete list, but you get the picture. A well-designed, comprehensive quality-assurance program should ensure that internal audit activities conform with The IIA’s globally recognized International Standards for the Professional Practice of Internal Auditing as well as with the individual organization’s internal audit policies and procedures. The program should include both internal and external quality assessments.

Each institution should conduct an internal quality assessment annually, and the CAE should report the results and status of these internal assessments to senior management and the audit committee.

Regardless of why internal audit is on regulators’ radar, I see it as a very positive sign. What do you think?

Posted on Aug 5, 2013 by Richard Chambers


  1. Richard, thanks for the thought-provoking post. I'm questioning whether we really need to have the profession changed from the outside in? Is it in the best interests of the profession to be empowered by regulators? If a bank's internal audit resources are decreased by 40% over four years I would argue there was insufficient perceived value in what was probably an environment of overall cost cutting. Perhaps the CAE allowed the function to grow in cost over time without adding commensurate value? For example, how would audit be perceived if a regulator forced the bank to invest a minimum amount in internal audit? How would this guarantee of resources incent the CAE to continuously prove the value of the department?

    I've always subscribed to the "mirror test." In other words, what can "I" do to change something needing to change? I believe if the profession did a better job of managing itself like the businesses it audits more value would be created and a higher "seat at the table" could be earned. I don't think internal audit will ever be the CEO's top advisor but it can certainly raise its stature by ensuring its work is aligned to the needs of and valued by management and the audit committee. I also think the profession is more valued than we believe - that's perhaps a different topic.

  1. Richard, this is an eye-opening article. The landscape of internal audit has changed completely during the last couple of years. We have to do more with less resources and also provide identified value to the organization. CAEs have to strive to meet the expectations of the stakeholders while maintaining a balance of objectivity and independence. Internal Audit, as a profession, has to continue to evolve and stay ahead of the curve without losing its vision and perceived value to the organization in order to survive.

  1. If senior managers recognize the value-proposition in internal audit, appropriate resources will probably be assigned. However it is up to IAs to continually market that value-proposition. We must pro-actively touch our clients, selling that value.

  1. This is an encouraging article. It appears that the profession will become more empowered as a result of a push from the outside.  I hope that the IIA will intensify its lobbying efforts at this critical moment and facilitate rules changes and/or legislation that will facilitate internal audit independence and objectivity.

  1. I would venture that you hit the nail on the head with your suggestion that, "Most of us would agree that, as a profession, we didn’t knock it out of the park in helping to identify or having an impact on the way risks were being identified, discussed, and managed in financial services."

    We have to learn to utilise better the implicit power of consulting engagements to multiply our efforts and as the best way to contribute to the improvement of governance, risk management and control processes, rather than assurance engagements, which on an incremental basis can only reveal a current state of affairs.

    Once we see our job as influencing the whole organisation into a particular direction pointed out by the adopted risk management framework of the organisation, we would be in a better position, based on ongoing and periodic assessment done by all the organisational units, including the internal audit activity, to better target our assurance and further consulting activities in a way which demonstrates proper exercise of due professional care.

    Harold Geneen seems to have encapsulated internal auditing rather well after all when he said, "Management must manage". Our job is to help management to do just that by giving them the tools and techniques to do so and when appropriate to assess how well they are using them.

    When we do that, there can be no question of the value, from the everyday perspective, that we provide.

  1. Richard, I noted with interest that you flagged conformance with the IIA's Standards. I thought the IIA in the UK really missed a trick by not demanding that this be included in the "Guidance" for financial services document that it published in July. While the Standards would not necessarily cure all the ills, I agree it should form the bedrock of any good internal audit function. Even the Financial Conduct Authority's own Internal Audit Division refers to the Standards - an extract from an "Information Pack" it published in April 2013 includes the following:

    "Standards of Audit Practice - Internal Audit supports and, where appropriate, applies the Standards for the Professional Practice of Internal Auditing of the Institute of Internal Auditors"

    As always, a thought-provoking column; keep up the good work!

  1. Richard, thanks for initiating this interesting discussion. I also note that some of the regulators such as the UK FCA have been asking internal audit to review the controls in market risk before the actual waiver submissions, both initially and on an annual basis. In this case, internal audit helps the business save a lot of capital under Basel 2.5 or even Basel 3, which is another value-proposition for internal audit. To a certain extent, the regulators are pushing some of the work they used to perform in the past to some internal audit departments. For these departments, they should take pride that the regulators trust the capability of the internal audit function.
  1. Sometimes Internal Audit obstacles and weaknesses come from within, namely the Chairman of the Audit Committee, who could have all or some of the following: he is not concerned with the company due to his own other commitments, or knows little about the company's products and nature of risk, or he has a personal or business interest with Management to protect, that if it doesn’t make him biased, at least he will soften his comments as much as he could. Statistically speaking, it has been noticed that more CAEs have been replaced than CEOs. I have been in all roles. Auditor, CAE, Audit Committee member and now Chairman of an Audit Committee. It may not be a bad idea to have the hiring and firing of the CAE to be a Board responsibility, not an Audit Committee responsibility. Hamad S Alomar
  1. Here is another document from Basel Committee on Banking Supervision - The internal audit function in banks, published in June 2012, which clearly refers to standards, such as those published by IIA.

    Richard, I do agree with all the points you mention. I also think that regulators’ attention will increase the awareness about the Internal Audit profession and the value of International Standards for the Professional Practice of Internal Auditing. However, I also think that if in a particular company the Board and top managers do not want to foster good governance, including respected Internal Audit, no regulation can fill the gap.


  1. Richard: I encourage all readers to Google and download a copy of the Financial Stability Board's February 2013 report "Thematic Review of Risk Governance". The purpose of the review was to review progress countries were making addressing core risk governance weaknesses exposed by the 2008 global financial crisis. It calls on boards to satisfy themselves that they are receiving timely and reliable information on the true state of retained/residual risk across the entity. In Canada our financial regulators have referenced the conclusions of this review in a number of public speeches. The conclusions, while focused on the financial services sector, are generally applicable to all types of organizations, public and private sector. A key recommendation is that boards should receive an annual "independent assessment" of the organization's risk management processes. This is an enormous opportunity for the internal audit profession and, equally, a major risk if the profession isn't equipped to deliver high quality assessments of an entity's risk management processes for boards. This report represents a lever that the IIA should promote and exploit to advance the profession.
  1. I have enjoyed the debate and wish to congratulate all the contributors for such short but insightful contributions. This will indeed be beneficial to students and practitioners of IA. It has enlightened my thinking of late about the actual role of today's Internal Auditors as compared to the past and their acceptance in organisations.
