Changing Board and Management Expectations for Internal Audit

This last week, I was in a discussion about aligning board (audit committee) expectations and internal audit activities. Frankly, I have seen a lot of guidance that says that the internal audit leadership should seek to understand board and top management expectations, and act accordingly.

I don't think this is right.

In fact, I think it is deathly wrong.

Too many boards and top management members do not understand what internal audit is capable of delivering. They are used to internal audit functions that focus on financial controls, fraud, compliance, and some operational and value-add projects. They do not appreciate the value we can bring by providing assurance over risk management and governance processes, or performing other value-add services (such as in the case of M&A activity).

If we simply meet these limited expectations, we are not delivering to the level of which we are capable.

Instead, we should seek to explain and persuade the board and top management that we are able to provide far more. We should educate them and raise their expectations. Then, if course, we need to deliver.

1. Do you agree?

2. Can you share how you have achieved this?

Posted on Nov 18, 2011 by Norman Marks

Share This Article:    

  1.  Do you t hink perhaps in many instances the Board is much smarter (not always) than we think  they are and they are not impressed with our skill sets to be able to deliver more than what we have been delivering to date?  Have you thought about  this?

    I would say that in many instances internal audit should be delivering more. In some cases they do have the skill sets to do it but more often than not they do not (e.g. providing assurance over integrity of the entire risk management system)


  1.  Norman:  Thanks for the post.  Great internal audit shops can and should be providing these services.  When running my department, I tried to focus on risk assessments as a gateway toward convincing Management of my team's additional value-added services.  It's funny to refect on my career, but when I was an auditor with Costco, I got my start with M&A (Costco-Price Club Canada).   I tend to think it's a natual match between IA and value added activities.  


  1. I think this is a function of the impression senior management has of internal audit.  We still bring up insignificant issues and recommendations that are not viable.  We have improved, but still have a long way to go.

  1. When the IIA Research Foundation sends out a university driven research case study asking about whether there should be an overall opinion on internal control, it suggests to me that the IIA and academia are 10 years behind the times. IA should be about helping companies create and preserve value, not internal control opiners!

    Norman, the Chief Audit Executive responsibility used to be an officer-level position. SOX relegated it to a middle management role. I have offered to discuss the state of the profession with some of the best IAS CAE recruiters at Korn Ferry, Paula Park, Chuck Eldridge and Ellen Williams.

    Personally, I am very happy helping companies to Govern, manage Value and Perform better (GVP) as this is how I grew up as an Internal Audit professional.                   

  1. Thanks for the post. Whilst I appreciate your views to educate the customer (management), the customer unless is desirous of using our services it would not be worthwhile. Many a times internal audit department exists only because it is mandatory to establish the IA Department.

    I think even if we choose any area for internal auditing, if the objective of performing a review moulded from Governance angle to cover the risk assessment and thereby making value additions to the processes, there management expectations wouldn't be different from what we do. Moreover, if the area selected for review is out of Management's concern, we need to take care only to delivery the quality auduit finding fulfillig the objective. Rest all will fall in place.

    To conclude, its our approach and interpersonal skills will change the scenario.


  1.  I strongly believe that IA professionals should avoid scope creep - venturing into value-add areas is all very well but as we have repeatedly seen, had auditors performed their core functions more rigorously and thoroughly, many corporate failures would not have happened. 

    IMO, the answer is not SOX or ERM or GRC or any of the many acronyms dreamt up to expand IA scope and muddy accountability and responsibility. The answer is - go back to basics and do what the profession was originally chartered to do - act as a watchdog for the stakeholders!


  1. The value added function is an auxilary function since the IA dives into the data and have intimate knowledge of the transactions. The basic and real function of IA is to work for determining the integrity of employees and compliance of rules and policies of the company by them.   

    After performing the basic job the other functions can be done provided you are properly trained to do that otherwise you may attract unwanted criticism.

  1. Norman - Agree with your observation that too many boards and top management do not understand what internal audit is capable of delivering.  Would be interested if you and others believe a significant reason for this is driven by the composition of Audit Committees?  Specifically, there appears to be limited representation of former CAE's (or equivalents) on Audit Committees.  Why is that?  If there is limited representation, does the IIA have a related strategic objective?  Easier to influence from inside the committee vs outside.

  1. Norman, you are absolutely on point! I am a Chief Audit Executive (CAE) and my observation is that most Audit Committee Chairpersons are not Internal Auditors. They are in most cases either Accountants or External Auditors. I have been both in my career, a financial accountant and an external auditor with PWC. I can tell you that the profession of internal auditing is a totally different world from those two disciplines. As you correctly point out, internal audit's primary focus is on providing assurance on the effectiveness of risk management, control and governance processes. This goes way beyond internal financial controls which is how far accounting/ external auditing primarily stretches. The professional standards governing the three professions tell the whole story.

    We therefore need to teach our Audit Committees who we really are and what we exist to do - but most importantly we need to demonstrate our value through our reports. In the end we are there to serve the Board & Management. 

  1. internal audit leadership should seek to understand board and top management expectations, and act accordingly however,i have areservation on the management's role here,this will entirely depend on the intergrity of managers they may divert the attention of the internal audit team to irrelevant areas at the expense of critical isues so i urge auditors to advance the interest of the entire stakeholders.take management advice when appropriate, this also applies to that of the board.Abalanced board  composing of independent individuals will always have alot for the team to learn from than ideas that may not be clearly understood of the internal audit profession.


    okurapa samuel ACCA,CPA,CIA,IIA.


  1.  While I have never worked in an internal audit capacity, I don’t doubt the author’s assertion that experienced internal auditors are capable of providing far more than just assurance over controls, and the like.  Accordingly, I would side with the notion that internal audit leadership should have a more collaborative relationship with its respective board and top management.  As with any member or department of an organization, I feel that much more can be accomplished and more growth can be achieved when expectations are created through a democratic process.  As the saying goes, “Teamwork makes the dream work.”

    In addition, why would any competitive organization purposely underutilize its assets?  To me, it simply does not make sense.  If an organization has truly competent internal audit leadership, what is the justification for not maximizing their utility?  In theory, wouldn’t doing so only lead to missed opportunities?

Leave a Reply