Do Internal Auditors Deserve a Seat at the Table?

The 1999 definition of internal auditing says it is about providing assurance (and consulting services) on the organization's governance, risk management, and related internal controls.

If we don't provide that assurance, what are we doing?

The definition of internal auditing doesn't say we should test for duplicate payments, seek out and investigate fraud, or find millions in contractor overbillings. Those all add value, but they are not our core mission.

Can we look in the mirror and say we are effective because we saved the company millions, when we did not report on the condition of risk management — and that is non-existent or immature?

I have great respect for Richard Chambers, who I believe is moving our profession forward in the right way. But I have to admit I got a reaction from him when I posted on Twitter (I am @normanmarks and he is @IIACEO) that "internal auditors deserve a seat at the children's table if they don't provide a formal opinion on risk management." I believe internal audit should also provide an opinion on governance processes — at least those that represent a higher risk to corporate success. But let's start with risk management and graduate to governance processes.

I still believe this, so despite Richard's reaction, I will say it again: 

internal auditors deserve a seat at the children's table if they don't provide a formal opinion on risk management.

Providing opinions on individual audits is something (incidentally, not every internal audit department does this), but it's not enough in my opinion. The board and top management deserve and should expect a formal opinion on how well the organization manages the risks that matter to organizational success. (By the way, this is required by the King III code in South Africa.)

The only time I would not expect such an opinion is where internal audit is providing consulting services, helping management implement or develop their immature risk management program. But even then, the board and top management have to know that:

The greatest risk many organizations are running today is their inability to manage risk.

Do you agree?

Posted on Jun 6, 2011 by Norman Marks


  1. Great blog Norman. But here is the $64,000 question. And that is: How did you reach the conclusion that our profession is being moved forward in the right kinds of ways, if right now internal auditors are still not providing overall opinions on the risk management systems in companies? Can you kindly walk us through your thinking on this - specific baby steps please? Thanks and keep up the good postings.

  1. Let's be honest. Does "management" want auditors' assurance on risk management? A balanced or risk-averse management may be excited to have internal auditors' opinion/comments on the subject, but any management keen on taking risks will likely ignore such opinion. I guess it has a lot to do with the tone at the top and the control environment in which the internal auditor operates.

  1. Tunde:

    I cannot follow your thinking here. What does auditors' assurance on risk management have to do with taking of risks? These are two different thoughts that have nothing to do with each other. Are you suggesting that management wants to take excessive risks beyond what it is supposed to take? And if so, when it comes time to go to jail, who should be the one to go?

    Now what I will say is that management does not even know what it wants because it does not understand this area well. And even if it did understand it, internal auditors do not understand this area well.

  1. The definition says that IA is an assurance and consulting activity designed to add value and improve an organization's operations. It does not categorically say that IA provides assurance on "risk management (RM), internal control (IC) and governance (GV) processes." It says it brings a systematic and disciplined approach to evaluate and improve the company's RM, GV and control processes.

    But semantics aside, in my view, there are two important things about assurance on risk management and on internal controls. The CAE's job is to help the people running the business, as an outsider, to improve and strengthen the capabilities in RM, GV and IC, so that the company can fully achieve its goals and objectives.

    Despite what IIA and we all say we know that the responsibility for expressing an opinion on the adequacy and effectiveness of internal controls over financial reporting is the responsibility of the CFO and CEO as per SOX and its equivalents and not of the CAE. Similarly, the Board and shareholders continue to look at the CEO and CFO to provide assurance on the status of RM and on Risks faced by the organization, not the CAE.

    The only thing the CAE can do (and many are still debating even this point from a liability perspective), is to provide a quarterly and annual "opinion" on the adequacy and effectiveness of RM, GV and IC processes. But does IIA specifically require this formal opinion from its members? I don't think so. Do CAEs provide such an opinion today? Very few. Do CAEs have the resources and expertise to undertake the depth and breadth of work required to reach an overall conclusion on this? I doubt it.

    Siddiqui

  1. Mohammed, this is the definition of internal auditing in the IIA's IPPF:

    Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

    Can you or anybody else explain to me how IA can provide assurance or evaluate the effectiveness of risk management, etc. when it does not provide an opinion? 

  1. Mohammed, we start now to get to a very interesting point.

    While the definition of internal auditing says IA should provide assurance, and evaluate the effectiveness of these areas, the Standards do not - as you correctly point out - require a formal opinion.

    Why you may ask? I did. And the answer I received (informally, from some of the members of the IIA Standards Board) is that the internal audit world is not yet ready to provide an opinion. Basically, the IIA is reluctant to set as a standard what less than half the practitioners are doing. It's a matter of philosophy. How far does the Standards Board go in moving the borders ahead of practice?

    While I don't like the decision, I certainly understand it.

    But the absence of a Standard doesn't mean that it's OK not to deliver assurance.

    BTW, I believe the resourcing and audit plan should be built to deliver the opinion. On that, we agree 100%.

  1. Arnold, your question is a good one: "How did you reach the conclusion that our profession is being moved forward in the right kinds of ways?"

    Richard and others are strong advocates of a 'loud' internal audit (a rock star) that is more involved in helping organizations build strong risk management and governance into their operations. Rather than coming into the room and pointing out there is a dead body on the floor, people like Richard are pressing internal auditors to help companies prevent the dead body.

    We need to recognize that the great recession hit the IIA hard. They had major financial problems and had to cut back in a lot of areas. The IIA leadership has got through and past that, and I am hopeful that continued progress will be made.

    The fact that more internal audit shops than before are providing opinions, are assessing risk management, and are providing proactive services is healthy. But, there is still a very long way to go!

  1. Internal Audits as I have come across are flawed and often result in providing a comfort cushion to the Management Representatives. Internal Auditors need to come out of the cove of being a Management Body to what it is supposed to be, an Independent Body that represents the Interest of the Stake Holders. Internal Auditors need to ensure that they present the right Risk Spectrum to the Management by plotting the actual picture on the Risk Management Practice. If they fail to do that, I agree with you that they need to go back to the Kindergarten benches rather than being on the Audit profile.

  1. Norman - During the past year, I do not believe there has been anyone more vocal than me on the urgency for internal auditors to "step up to the plate" and provide assurance on the effectiveness of risk management. I believe it is a role that could truly define our profession in the coming decade. Where you and I appear to part ways is that you would mandate that internal auditors issue a "formal opinion." I would not. I deeply believe in a "client centric" model for internal auditing. If the audit committee and management want an opinion, internal audit should be free to give one. However, in my view, mandating opinions (whether they be on the effectiveness of internal controls or risk management) will erode the ability of internal auditing to be truly responsive to the needs and expectations of individual clients.

  1. Richard, thanks for your comments - and vocal support for providing assurance on the effectiveness of risk management. You and I have talked about this in the past.

    I support the client-centric model to a degree: IA has to lead the audit committee sometimes in terms of expectations, such as complying with IIA Standards or taking a risk-based approach to internal auditing. If you let some 'clients' alone, they would have internal audit focus only on SOX and fraud!

    I remain unconvinced that boards are being provided assurance if they don't receive an opinion. How do you assess effectiveness without providing an opinion? Is listing deficiencies enough? No.

  1. My background is in the UK health sector where Internal Auditors have been providing a Statement on Internal Control for some ten years or so. This is a formal document which is not only presented to the Board but also published as part of the Annual Report. It gives an opinion on whether risk management, control and review processes are appropriate and includes comments on any significant issues.

    Of course some Statements are better than others, depending on the scope of audits carried out, the position and relative autonomy of Internal Audit, and more generally the quality of governance in each organisation. However it is a routine annual activity and means that there are always audits of governance and risk processes throughout the year, with assurance and recommendations provided.

    One of the key factors for me is that it is an assessment against a set of standards, not the (subjective) opinion of the CAE. It is I am sure relatively easy to produce standards for a huge organisation like the NHS, but I still find it hard to understand why organisations like the IIA have not produced schemes to evaluate risk management, control and governance processes, because without them how can IA really say that the evaluations they undertake are disciplined or systematic?

  1. Well Jacquetta. I will tell you why organizations such as the IIA have not produced schemes to evaluate risk management, etc. This is because they are truly not committed to this. For the past several years I have heard a lot of talk by the IIA about their commitment to this or that and strong rhetoric aimed at Heads of Internal Audit. However, they sit in a vacuum in Altamonte Springs and focus their attentions on promoting the IIA certification in one region of the world after another or different sorts of strategic alliances. The material they have published on risk management and training seminars to date are pitiful. In addition the IIA is hopelessly wed to the authors of COSO. They also spend an inordinate amount of time on such things as GRC which is going nowhere in a hurry. The IIA bookstore's library on risk management material is quite pitiful as well in my opinion.

    So in a nutshell what I would recommend to you and to all other internal auditors is to save your training dollars that were initially geared to IIA training sessions in Governance and Risk and instead find materials and courses from the IRM in London - available online, The Conference Board of Canada and the Harvard Business School - Executive Program.

    Although I am a CIA and a member of the IIA, I am clearly disappointed by all of their efforts in risk management to date. It is time for the members to take matters into their own hands.

  1. Arnold, I cannot leave your comment without a response. I am working with the IIA to help them drive improvements in several areas related to risk management: guidance, education, advocacy (including participating in ISO activities), and certification. Progress is being made, but we have to remember they have limited resources so it won't be as fast as either of us would like to see.

  1. Norman:

    You are the last individual that needs to make any excuses or give any responses as your distinguished record speaks for itself. At the end of the day, it is only action that counts and we can say this or that. The bottom line is that if it is important that internal auditors have certain skill sets and they do not have these skill sets, then they need to find the organizations that will give them these skills. If the IIA can do it great and if not, they should find outside organizations. I am perhaps more objective with regard to the IIA than you are as I have no ties to them and from my viewpoint, the bottom line is that little to nothing has been done.

    We need to stop IIA leadership from running around the globe promoting this or that and instead sitting down and grinding out intensive risk management training courses and provide such courses. Then you will have a right to say internal auditors can only sit at the children's table. While the progress is being made, all members should take their hard earned dollars and spend it elsewhere as I pointed out above.

  1. I think that Norman hits the nail on the head with his question of how one evaluates the GV, RM & Ctrl processes and does not have and provide an opinion.

    While Std 2450 provides guidance on the provision of overall opinion, surely an opinion is the logical result of every assurance engagement.

    Arnold's observation that management "does not understand this area well. And even if it did understand it, internal auditors do not understand this area well" is unfortunately too often true. We need to go back to the basics. The solutions are there in the Standards.

    It is relatively easier for IA to express an opinion on GV, RM & Ctrl processes than on the controls themselves - there is a "one to many" relationship between processes and controls. Where the processes are adequate and effective, the controls themselves are more likely to be effective, and vice versa. Surely IA should consider assessing the controls themselves only to the extent of verifying the effectiveness of the processes. This would be a cost effective use of IA's time.

    If IA's fundamental focus is seen to be controls, should we then be surprised when management shirks from its responsibilities regarding controls, simply on the basis that IA will be there to identify any control gaps and required controls?

  1. Thanks for this debate. In my view, internal audit has to raise the bar by providing more enterprise-wide assurance on key risks. The fundamental recipient of the audit report is the Board and certainly opinions on individual reports may not help them understand the key risks. I would recommend that internal auditors consider a thorough understanding of their company businesses, look at both existing and emerging risks and apply a truly risk-based audit approach that emphasizes efficiency and effectiveness of assurance and consulting. We have to communicate with impact and focus on those risks that could lead to the demise of the company. We have no luxury of large internal audit budgets, hence must achieve more with less.

  1. Having worked as both an Internal and External auditor across multiple market sectors for many years, I would suggest that in most cases, Internal Audit tends to have good intentions but is often let down by two key factors - their level of independence and the level of skill which they can bring to bear.

    The actual skills required for an auditor now are often so varied that it is extremely difficult for organisations to maintain a team with the requisite skill-sets which makes it very difficult for them to "cover all the bases". Outsourcing to 3rd parties does not really mitigate this problem since there is little control over the level of skill acquired.

    One thing I have noticed is that there often seems to be a disconnect between the areas within the business which require oversight, and those which the Internal Audit team are actually given authority to investigate and this is often exacerbated when IA is outsourced since the 3rd party rarely has insight into the "troubled" areas within the business.

    A final point to make here is the lack of tools across the business and within the IA team to enable them to effectively interrogate the Information Systems in place.

    Taking all of this into account, it is probably no surprise that the level of assurance provided through the Internal Audit function is often lower than should be the case, and this relates more to the level of importance placed on Governance across the organisation (often substantially lower in practice than expected) than the role of the IA department itself.

    Chris

    DISCLAIMER: Any comments made are my own and are not the views of my employer

  1. I think corporate governance is the duty of Audit Committee, not Internal Auditors.

    If Internal Auditors would like to audit risk management, they should discuss the issue with Audit Committee, and include the topic in Annual Audit Plan.

    The role of Internal Auditor is to assist Audit Committee to govern the organisation, not the other way around.

    To audit risk management should start from Audit Committee.

  1. Check that off the list of things I was confused about.