Maybe We Should Redefine the Purpose of Internal Auditing
This morning, I was replying to a comment in LinkedIn's Chief Audit Executive's group (those interested in internal auditing should be members of the IIA group, and those in IA management should be in the CAE group) when it struck me that a redefinition of internal auditing might be useful.
You will remember that the IIA IPPF definition asks that we provide assurance and consulting services related to governance, risk management, and the related controls (my version of the wording). But what does this really mean?
Perhaps, instead of talking about three different but related sets of processes, we should be talking about what they represent when taken together.
I believe we have to tell our stakeholders whether the organization's processes and practices provide reasonable assurance that the organization's goals and strategies will be achieved. Those processes and practices include the management of risks to objectives and rely on appropriate controls. Compliance is included because failure to comply is a risk to the achievement of objectives.
After all, how do we assess whether governance, risk management, and related controls are 'adequate' unless it is within the context of achieving strategies, goals, and objectives?
Isn't this what we are really supposed to do? If not now, shouldn't we be moving to do this?
I would love to hear your views.
Posted on Jun 10, 2011 by Norman Marks
Share This Article: