Did Internal Audit Failures Contribute to the Financial and Economic Crisis?

This is a question that should cause every practitioner to step back and think about his or her own practice. There are probably companies where internal auditing should have, but did not, detect weaknesses in board and management governance and risk management processes — resulting in corporate crisis. But, I suspect these situations were few.

But, how many internal audit functions had near misses — one or more omissions or defects in their performance that could have led to the failure to detect and correct governance or risk management process failures?

I have developed a list of questions that practitioners can use in a self-assessment; a "no" answer to any of these, I believe, is a potential defect. Not everybody will agree with all of these, but I suggest careful reconsideration before dismissing any item. I welcome your comments on the list, both items that should be removed and those that should be added.

  1. Did internal auditing assess the adequacy of the risk management process and provide a formal report to the board and executive management?
  2. Did internal auditing assess the adequacy of the governance processes, especially board oversight of risk management?
  3. Were risks relating to the control environment (as defined in the COSO Internal Control–Integrated Framework) addressed as part of the audit plan, including those related to executive compensation and to ensuring that bonus programs (at levels) are aligned with the longer-term interests of the organization?
  4. Did internal auditing provide management and the board with a report on the adequacy of internal controls to address all significant risks?
  5. Did internal auditing address all of the organization’s major risks, for example not leaving key areas to others (such as financial reporting controls or environmental, health, and safety (EH&S) compliance) without sufficient oversight or review to be able to provide assurance that the risks are managed within organizational tolerances?
  6. Were risks related to the extended enterprise (such as outsourced manufacturing, payroll, IT, or other services) addressed in the audit plan?
  7. Was internal auditing’s risk assessment and audit plan updated on at least a quarterly basis (with both additions to and deletions from the plan)?
  8. Do the metrics for measuring the performance of internal auditing exclude from consideration the percentage completion of the annual audit plan — recognizing the need to change the plan to ensure that current and not yesterday’s risks are addressed? Instead, is a metric used where the sufficiency of coverage of major risks is assessed?
  9. Did internal auditing give priority to providing assurance over governance, risk, and related internal control processes over generating cost-savings (e.g., through vendor audits)?
  10. If internal audit resources are insufficient to provide assurance on the more significant risks, does the audit committee have sufficient information on the assurance gaps to make an informed decision on internal audit resources? Do they understand and accept the risks involved?

I understand that I have not included compliance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), nor have I mentioned a quality assurance review (QAR). This is because I believe compliance with the Standards and passing a QAR are not necessarily conclusive when it comes to providing effective assurance services.

Posted on May 27, 2009 by Norman Marks


  1. Norman,

    Whilst I am not adding to or deleting from your list, I often wonder whether, if we - as a profession - had a mechanism to identify, acknowledge and learn from our near misses and failures (in the same way that the medical profession does), we would be further advanced and more capable of at least calling out imminent risk management failures.

  1. Dear Norman,

    I am naive to overbearing financial audits, as I understand operational and process audits are much more important. Without process there is no product, and without product there are no finances; hence I always feel due importance is needed to have better clarity. I have tried to answer with all honesty and to the best of my understanding. I would appreciate comments.

    1. Maybe

    2. Apparently No

    3. No

    4. Even if provided, may get overlooked.

    5. Seldom paid attention.

    6. Appears NOT.

    7. Any unbiased and neutral, not even very proactive, approach could have brought gaps to notice.

    8. Feel it is seldom adequately addressed.

    9. Obviously

    10. It is not as if resources are insufficient; it is "honesty and clarity of application" that often changes results.


  1. Norman, I think you did not directly address the standards but your questions get to the heart of the practical application of the standards.  These are very challenging questions to answer and deserve thoughtful consideration by all practitioners.

  1. A good list, but the reality is when companies are in trouble, our function is a necessary evil, if that.  My experience has been the CFO doesn't want to hear it and is often in on it; the Board is just "riding it out" and doing as little as possible, and no one really wants to talk "Risks, Governance".  How does an auditor tell the people he or she reports to (Audit Committee, Board) that they are failing?

    The reaction is more like "no kidding Dick Tracy."

  1. @RSE: And I thought I was in a minority while dealing with this attitude!  It seems widespread - this ostrich-like attitude of Managements in treating IA like a necessary evil.  Norman, with all due respect, I think the questions in your list can be asked of IA in only a few hundred blue-chip cos.  The rest of us IAs are slogging it out trying to create just a little space for our function in the mindscape of the powers that be.

    I am not one for over-regulation, but SOX (and other equivalent regulations in other countries) seem to have forced un-enlightened managements onto the right path.  Maybe the recent S&P initiative to rate even non-financial cos. on their ERM processes would put the fear of God into complacent managements?  Amen!

  1. Norman:
    Great discussion.  A question that is not on your list that I think is relevant is this:

    Did Internal Audit provide annual reports on the organization's residual risk status? 

    A large percentage of IA shops provide the results of some number of point-in-time topic/location audits with a focus on deficient controls, not residual risk status.  Information on residual risk status is more relevant in my opinion than subjective views on control effectiveness.

    Unfortunately, SOX and U.S. regulators have taken the world down the road of subjective views on control effectiveness rather than disclosure of retained risk status.  In 2006 more than 1 in 10 of the subjective opinions on control effectiveness for large-cap U.S. listed companies from management and external auditors were subsequently proven wrong by restatements to correct material errors.

  1. Deb, I believe there is a point at which the CAE has to decide whether to continue in a role where internal audit is structurally ineffective (just enabling management to check the box) with the knowledge and approval of the board, or find another job. That decision is up to the individual CAE and his/her professional conscience.

    Tim, you have probably seen the discussions on LinkedIn around whether internal audit should just assess the risk management processes or extend that to provide assurance that all the risks have been identified and properly assessed. There is no unanimity, but the majority assert that internal audit will never have the insight and experience required to take on the larger task. What they should be doing is assessing management's risk management processes against the standard that they should provide reasonable assurance that risks (inherent and residual) are identified and assessed.

    One interesting point from an OCEG One-Minute poll (www.oceg.org) of members - therefore biased to organizations involved in risk management - was that while 51% of companies' internal auditors assessed risk management processes, only about 40% of respondents said their internal auditors were capable of doing so.

    With respect to the point that auditors should not, in individual audit reports, limit their comments to the effectiveness of control, I essentially agree. I believe auditors should comment on whether the controls manage risks within organizational tolerances. That may, or may not, require separate estimations of current residual risk.

  1. Norman

    Tim Leech has recently written a blog on the ACCA UK website where he discussed the role of internal audit in the current economic crisis.  He particularly feels that it is not necessarily good that internal audit has not been specifically mentioned as part of the whole issue.

    I think he is correct.  I also think that your questions for internal auditors to ask are a great set of questions.  I would like to use these on my training courses for internal auditors.  If I give you the attribution for these questions, is this okay with you?  Many thanks, Gill

  1. Norman,

    I would add the question: "Did management agree with internal audit's assessment of the adequacy of the risk management process and, if they did not, what were the specific areas of disagreement?"

    In terms of internal audit assessing the adequacy of the risk management processes, the internal auditors should be using a recognized framework to do this. For example, the Institute of Internal Auditors - Australia has a framework called HB 158 which would be adequate. I forget whether the IIA - US has such a framework.

    In terms of your comment to Tim, that internal audit will never have the insight/experience to be able to report on residual risk, I hope that you are incorrect; I hope that they will. However, this insight/experience currently does not exist. But to Tim's point, the organization needs to get assurance that intolerably high risks are being properly addressed by management. You state this quite clearly.

    Deb's comment on S&P's ERM initiative is a big question mark. We contributed comments that were reflected in the final document, and I was very optimistic early on. S&P seems to be moving at a very conservative pace on this initiative, but my instinct is that they need to be right on the mark because of the credibility issue that currently exists in the marketplace vis-a-vis their ratings of the financial service entities. We shall see shortly.

    Arnold Schanfield
