Is Your Internal Audit Function a Positive or a Negative Influence on the Business?

Internal auditors have a deserved reputation for what I would call “risk paranoia.” They have yet to see a risk they think management should retain. When they report the results of their audits, they point out all the risks if no action is taken to correct the "deficiencies" they have found.

But, is that good for the business?

Has internal audit become what I refer to as a “department of NO”?

Dilbert captures the concept well. But, if an organization doesn’t take risks it will not survive; it will not make a profit. 

The key is for the organization to take risks – at the desired level. The risks shouldn’t exceed the organization’s tolerance levels.

A recent article in Bloomberg Businessweek should be required reading for all internal auditors. Note the section “Leaders must welcome risk” and the quote from Anne Mulcahy: “Taking risks is something that a leader has to do in order to really perform and keep the company moving forward."

If we are to be a force within the organization, and a positive influence rather than the department of NO, internal audit must do the following (IMHO):

  1. When auditors assess the potential impact of a perceived deficiency, they should compare the risk level to the organization’s risk tolerance. Is the risk level too high – in which case consideration should be given to reducing it through improved risk responses (which include controls)? Is the risk level too low – meaning that there may be an opportunity to cut the cost of control? Or is the level of risk just right?
  2. Auditors should have a discussion with management about the level of risk they are prepared to take. If management doesn’t understand the concept, and this might impair their ability to manage risks in their area, the auditor should consider this as a deficiency of its own.
  3. Internal auditors should be the department of HOW. Rather than just pointing out that management has a problem, internal audit should provide suggestions on the way forward, how management can address the issue. This doesn’t mean that internal audit take responsibility for management of risk or operational processes; it means that they should provide value-add assurance and consulting services to improve the effectiveness of governance, risk management, and internal control processes.

How is internal audit perceived at your organization? Are they the department of NO or the department of HOW? Are they seen as a bunch of sadists?

Posted on Dec 30, 2010 by Norman Marks


  1. Norman:

    Great blog post. 

    I have believed for more than two decades that the primary role of IA should be to ensure that senior management and the board are aware of and OK with the organization's residual risk status. The simple rule I have used with work units is "You can accept any level of residual risk you think is OK provided you are also OK with being responsible for the decision, and having management and, in very serious cases, the board of directors aware of the residual risk status acceptance decision."

    IA departments that do traditional audits and reach subjective opinions on whether internal control is "effective" and/or whether IA thinks there are "significant or material control weaknesses" often end up in conflicts between IA and management. It can also result in cases where management is forced by reward systems and politics to address control issues identified by IA and use scarce resources to address the points raised by IA when there are other areas of the business with far more dangerous residual risk status that the resources should be directed to.

    I believe IA should do all audit work using a methodology similar to ISO 31000, and provide those assessments, including risks identified and ratings attached with the related risk treatments and residual risk status, to management. If they are going to make decisions on acceptability of risk they should be required to describe exactly how they determined that the residual risk status is outside of the organization's risk tolerance. In my experience very few organizations have explicitly articulated their risk tolerance for all types of objectives.

  1. Tim, first I want to thank you for your kind words.

    On your comment: this sounds very much as if you advocate IA being the risk assessor, rather than the auditor. As I read your comment, you are suggesting that IA should assess the residual risk (i.e., taking the effect of controls into account) and provide that to management - who then determine whether the residual risk levels are to their liking.

    Why not require management to establish their risk tolerance (the level of residual risk they are prepared to take) and assess actual risk levels? Then IA should evaluate and provide an opinion on (a) whether the risk management process, including the establishment of tolerances and assessment of risks, is adequate, and (b) whether the residual risk level is above approved risk tolerances.

    It seems to me that you are asking IA to perform a management responsibility. If you argue that management doesn't perform risk management to enable this audit approach, then my reply is that failure is a deficiency that should be reported as high as necessary, including to the audit committee. IA should not fill the management void - although, if approved by the audit committee, IA can facilitate risk assessments.

  1. Norman:

    For the minority that have a robust self-assessment framework I agree completely with your comments above.  I absolutely do not agree that IA should be the primary risk assessor.

    In my experience only a minority have robust and demonstrable self-assessment systems in place. Unfortunately, IA and other specialist assurance groups still act as the primary group risk/control analysts/reporters. I agree that in cases where work units do little or seriously deficient risk/control assessments this is a deficiency that IA should report. Recent surveys done by COSO indicate that a large percentage of US companies are still at that stage.

    More and better traditional internal audits where IA acts as the primary risk/control analyst is not the answer, but it is an easy role to continue doing, particularly when senior management and boards are OK with it. Many IA departments are still measured primarily on whether they complete their planned number of traditional internal audits.

    In 1985 at Gulf, Bruce McCuaig and I concluded that IA had to get out of the role of being primary risk/control analysts/reporters. Our response was to terminate traditional internal audits, provide a full explanation to senior management and the board, and focus efforts on implementing a robust risk/control self-assessment framework.

    My wish for 2011 is that the IIA do everything in its power to help IA departments that function as their company's primary risk/control analysts and reporters transition out of that role to one that focuses on reporting on the maturity and effectiveness of the organization's risk management frameworks, in particular its ability to provide reliable information on the organization's residual risk status.

  1. Norman/Tim, as an Internal Auditor turned GRC program manager here are my 2 cents:

    IA can take the role of “control mechanic”, and weigh in on design of the control(s), particularly on aspects like:
    1) Is the spirit/intent of the legal/regulatory requirements met, or is management taking the “low road” towards token compliance?  IA is helpful in determining the threshold for “reasonable” as is research on comparable companies.
    2) Is there the right mixture of control types (preventative, detective, corrective) to move the meter on reducing the probability or impact of adverse events?
    3) Is the control’s scope adequate in terms of what assets are subject to the control (measure by coverage ratios)?
    4) Is the control “orphaned” or part of a cohesive risk management program (people, processes, technologies) which aim to continuously improve the effectiveness, efficiency, or responsiveness of risk mitigation?  Enter GRC …

    IA is good at playing the role of “risk arbiter”.  IA can also provide useful and independent advice on qualitative risk rating across categories and departments (what’s truly a high risk when quantitative estimates are fluffy).  IA’s rigor in validating risk remediation and ultimate closure is extremely valuable.

    I am living Tim’s 2011 wish as my role is all about measuring maturity, effectiveness, and residual risk tracking. I’d close with what I see as an emerging contrast of approaches between IA and GRC roles. IA provides a specific, high accuracy, and discrete view of risk at a point in time, but the GRC program must provide a broad set of medium level accuracy risk measurements continuously, and self-identify exceptions. IA is a consumer of this GRC feed and can target more efficiently based on the quality of that feed.

  1. After reading the comments in reaction to the article, I hope I can sense some movement with respect to risk management and its relationship to audit. It is critical that risk managers and auditors understand each other and are willing to work together to precipitate course correction in both the public and private sectors.  There is so much more to say, and a lot further to go integrating the two effectively in business planning and practice. The more I learn, the more clear it becomes to me that the process of managing risk has become a mammoth task that we as practitioners are still trying to grok. Another good read, Norman, and thanks.

  1. Tim,

    Organisations in the financial services sector do have a risk management unit and an audit unit. The risk unit is expected to work closely and identify risks (control risk assessment) in business units. 

    Some regulators also insist that the audit unit undertake an independent risk assessment of the organisation independent of the risk unit. Hence, the audit team becomes key to risk management.

    These units are expected to work in close tandem to ensure that the organisation has a defined risk appetite and that operations are within this. So while risk based audit has become the norm, the understanding and consequent implementation varies across organisations even in this highly organised sector.

    As Tom has said it is a mammoth task and the twain should meet, but that is not the case. This has led to a scenario where (in some organisations) the risk unit responds to the audit comments as opposed to the auditee unit. Having said this - it is not surprising that the audit unit is looked upon as value adders!

  1. Determining risks is the first step. Determining risk tolerance and residual risk comes later. The important thing is that once risks are determined, the decision process begins of whether to control or mitigate the risks or to share, transfer or accept the risk (residual). However, the costs of the risk should never outweigh the benefits of the risks (revenues). This is the main focus of what auditors try to accomplish. Somehow the fact that auditors put so much focus on risks dilutes the effect of risk management making sure the costs don't outweigh the benefits. Determining risks and controls can be time consuming, but it can also save a lot of money and time wasted on trying to recover from not knowing and responding to risks in advance.

  1. I am posting a question that came by email:

    Mr. Marks:

    I read your article "Is Your Internal Audit Function a Positive or a Negative Influence on the Business?" in the January 2010 Internal Auditor Online yesterday. I'm wondering if you could recommend any resources from which I could learn how to understand and define an organization's risk tolerance. I agree that audit findings and related recommendations should be made with the org's risk tolerance level in mind, but I don't know what that is or how to quantify it.

    I will reply in a separate comment.

  1. In response to the question, I would point to the ISO definition of risk tolerance: the "organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives". COSO, if that is your preference, uses the term risk appetite for the same concept: "the degree of risk, on a broad-based level, that a company or other entity is willing to accept in pursuit of its goals."

    See next comment for continuation

  1. In practical terms, some organizations have developed guidelines for each manager that details the level of risk they should take. But often, that is either not in place or is at such a high level that it is not useful in looking at individual situations or decisions.

    My advice:

    - If management does not have guidelines, and individual managers are making independent decisions on how much risk to take in important situations, that is an issue I would raise with senior management.

    - I would ask the process owners how much risk they believe they can afford to take. If they don't know, I will have an issue. I will certainly escalate to more senior management to see if I can get guidance on tolerance levels.

    - I will review any risk tolerance number provided for reasonableness and whether they are practical with respect to guiding every day decisions.

    - If management has not defined risk tolerance for the situation and I consider the risk from a business perspective high, I would include both issues in the audit report: (a) management does not have guidance on how much risk to take, and (b) the risks from processes/practices appear higher than prudent.

  1. In my previous organization, the audit department was seen as a bunch of sadists for a long time. However, our department worked hard to create some reasonable and cost-beneficial suggestions. Eventually, we succeeded. Therefore, audit departments, especially the newly established ones, should work extremely hard to break the misleading perceptions. Once they accomplish this, the rest of the audit job is going to be at least fifty percent easier. I would like to comment on risk levels, but I think it could be a better idea to bring up a case and make the discussion based on that case.
