The State of Internal Audit

Norman Marks, CRMA, CPA, is an evangelist for better run business, focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. The views expressed in this blog are his personal views and may not represent those of The IIA.


We have some recent surveys and reports on this topic.

Thomson Reuters, a software vendor that has provided internal auditors with audit management solutions for many years (formerly known as Paisley), has published State of Internal Audit report 2014: Adapting to Complex Challenges. Grant Thornton, a CPA firm, shared the results of their CAE survey, Adding internal audit value: Strategically leveraging compliance activities.

If you are going to assess the state of internal auditing, your survey has to ask the right questions. I am not persuaded that either organization did this.

Both talk about the increasing burden on internal auditing.

But while Grant Thornton talks as if internal audit is and should be consumed by compliance (implying that internal audit bears responsibility at least in part for compliance with ever-increasing compliance requirements), Thomson Reuters talks more accurately about the growing complexity of the world in which we operate:

“The survey has demonstrated that the world and work of internal audit continues to be as complex, and challenging as ever. Both the volume and diversity of issues that internal auditors need to understand and assess continues to increase globally and across all industries.”

To Grant Thornton’s credit, they talk about different risk areas. But they fail to mention the need for internal audit to assess and provide assurance on the effectiveness of the organization’s management of risk.

While all CAEs should have a quick look at the Grant Thornton survey, I find it lacking and without great value.

This is disappointing for an organization that provides internal audit services.

The Thomson Reuters document is better.

I especially like the fact that it discusses whether internal audit is doing enough with respect to governance processes and organizational culture. (The answer in both cases is “no.”)

However, like Grant Thornton, they don’t mention (except perhaps as part of the assessment of governance processes) the need for internal audit to assess the management of risk.

Whether they asked the right question or not, I am disappointed that internal auditors, according to the survey, remain entrenched in providing assurance on internal control processes and have not upped their game (or reached the new “floor,” as PwC puts it) and moved to providing assurance on the management of risks.

Controls exist to manage risk and we cannot say controls are adequate without considering whether they manage the risks that matter to the business.

Which is of more value: saying controls are good or the management of risk is effective? Clearly, it is the latter.

Thomson Reuters start their concluding paragraphs with this wisdom:

“The future risk and control landscape for internal audit is evolving and in some areas is beginning to change quickly. Against that background it is notable that the results of the Accelus State of Internal Audit Survey, at a high level, have remained relatively unchanged for the last few years. Is there a risk that internal audit is being left behind, relying on outdated mind sets, historic practices and old methodologies? It is too early to tell, but there is no doubt that remaining unchanged in a changing world does no one any favors — not the firm, not the customer and certainly not the internal auditor.”

I am seeing some progress with internal audit departments getting more involved through assurance and advisory services to help their organizations manage risk effectively across and throughout the organization.

It is time for every internal audit function, including those in co-sourcing organizations, to upgrade their skills, tools, and mindsets — helping organizations navigate to achieve their objectives in a world of dynamic and disruptive change.

What do you think?

Posted on Jun 28, 2014 by Norman Marks


  1. Excellent comments, Norman.  I think many internal audit groups have been raising the bar but for others there has not been much movement.  However, I find this is not so much due to the auditor not wanting to up their game but CEO/CFO/Audit Comm. members who desire to have the "window dressing" appearance of internal audit but do not want it to perform at a higher level.  That is too bad for both the internal auditors and management since having the constructive tension and challenge that internal auditors can provide is good for the business and not something that needs to be feared.

    I think in many cases, Norman, it is the other stakeholders who are nervous to let internal auditors up their game out of fear of what the results would be.  I would hope that most internal auditors would be naturally motivated to want to up their game.

  1.  Tony, good points and I wish it were not so, but my experience recently is that after all these years many audit committees, C-suite, HR enablers, and retained search firms in our profession do not get it and fail to unleash the sleeping dragon.  It used to be the CAE role was an officer-level position. Not sure I see much of that anymore. It is how many you manage (Hay System) but the positive influence you have on improving the business model that creates value for stakeholders. There are a few that use it as a competitive weapon -- kudos to their leadership.

    Norman, you have not gotten to the root cause of why only 4% of CAEs planned to review the popular "management of risk" framework. Number 1 reason -- it doesn't exist!  Probably why it is not in the two surveys you mention. Love to help develop this topic. Mike



  1. Mike,

    Even when there is no risk management program in place - actually, especially when there is none - the internal audit department should be informing the board and top management that this represents a significant risk to the enterprise. How can you expect to be successful if you don't think about risk when you develop strategy, manage performance, and make business decisions in operating the company?

    It doesn't take long to do an audit when management has no program. Look; done; write the report.

  1.  I understand the point of auditing a non-existent risk management program. Actually, personally I have been annually reporting (in the IA annual report) that there is no program in place. I think that has been enough.

    But even more challenging will be this year to thoroughly audit risk management, when no formal process exists. The maturity will be low, but anyway some major risks are managed quite properly even though no process exists. E.g. there are some KPIs that statute good risk management thresholds for specific risks.

    On the other hand, our IA will not be able to meet high-level criteria for "fancy" audits, because our organization is still struggling with basic processes and controls. E.g. the need for auditing of third-party risk mgmt is not there, when the organization still struggles with basic controls in procurement. What I am trying to say is that our IA is not performing well when compared to this research, but still both the Chairman of the Audit Committee and the Board are very satisfied and giving excellent feedback, both oral and written. Actually, they have asked to double resources.

  1. As always, excellent issues put on a plate. Thanks, Norman. Clearly IA should progress and evolve with the business (at the very least), otherwise its added value will become increasingly limited. Indeed, providing assurance around controls is only one part of proper risk management. I would not only engage IA in assurance around risk management, but go even one step further towards advisory around process improvement beyond the risk management aspect. Do all the IA employees have the proper background and qualification for it? Clearly not, and here we may have another point. The IA department should include officers with as diverse backgrounds as possible. But this is another discussion. There is no doubt in my mind that IA should upgrade its current status to add utmost value to the organisation.

  1. Gosh, Norman. Are you in the value creation business or the risk reporting business? It is ok if you like the latter, but my choice has always been the former. If IA does a risk assessment in your scenario, no need for a report. Just get to a decision with your boss, the audit committee chair.

  1.  Internal audit’s ability to help organizations manage risk across and throughout their organization is directly proportional to the complexity and environment the organization operates in.  The more complex and fast-paced the environment, the more likely that internal audit will focus on internal controls and compliance.  This is a result of three factors: 1) the ability of internal audit to understand the business and the struggle to keep and remain relevant, 2) a lack of sufficiently skilled auditors and resources to effectively assess how organizations are managing risks, and 3) a lack of accountability, particularly in the public sector area.

  1.  Norman - As usual, you have your finger on the pulse of the state of audit. However, I bear bad news from the IA depts of some well-known Fortune 500 companies. Seasoned auditors understand the importance of risk management assurance, ERM, and frameworks such as COSO, Basel, OCC and ISO. It is not the auditors who do not understand; it is the perception of IA's role by the Board/Sr. Mgmt that has been skewed through years of redundant SOX testing.

    I am afraid I am witness to a dire picture of the future of internal audit from the Fortune 500/Global 2000 in Chicago. Internal Audit is being compartmentalized as merely a financial reporting testing/assurance provider. I will not name these public companies in this post, but several are downgrading their CAE positions one to two levels. At the same time, the Board at these organizations (not IA) has either greatly reduced or eliminated added-value audit services from the audit plan such as risk management assurance and operational auditing. This is a rather new and disturbing trend. When it is one company it is an anomaly, when it is two you must scratch your head, but when it is 3 or more it is a trend. I have not investigated the private company sectors yet, but I do not like what I am seeing and hearing in public companies in Chicago. As a CRMA, I agree with your position that internal audit must take a more active role in risk management assurance (i.e. the champion of RMA); it is clearly a more valuable role and the future of IA. However, it cannot do so without the support of the Board and Sr. Management.

  1. Norman:  I couldn't agree more with your conclusion: "It is time for every internal audit function, including those in co-sourcing organizations, to upgrade their skills, tools, and mindsets — helping organizations navigate to achieve their objectives in a world of dynamic and disruptive change."

    My concern is whether the IA profession will respond with the urgency and intensity necessary, or slowly deteriorate to the huge setback condition Mark sees: "I am afraid I am witness to a dire picture of the future of internal audit from the Fortune 500/Global 2000 in Chicago. Internal Audit is being compartmentalized as merely a financial reporting testing /assurance provider."

    The Institute needs to see addressing this "risk" of compartmentalization as a SOX testing function as its number one priority.  I think they could start by sharing their key objectives for the profession going forward and any formal risk assessments the Institute has completed on how risks to those objectives will be treated/responded to/mitigated.  ERM isn't just a concept that should be used by organizations - it should be used by the IIA, and all IIA members should have the right to see that risks to the profession are being managed effectively by the IIA.  I think it's time the IIA's internal audit function completed and reported results on IPPF standard 2120, assessing and reporting on the effectiveness of risk management processes - if the IIA has an IA function.  If the IIA has no formal ERM program, the reasons for this should also be shared with members.

  1. Norman,

    At the basic level, risks are events that impact an organization's ability to achieve its goals.  Controls are put in place to mitigate those risks.  That is the essence of risk management, although it falls short of the formal risk management process put forth in ISO 31000 or in COSO ERM (or any of the other equally valid frameworks).

    I would agree that internal auditors need to increase their knowledge of risk management practices and the various risk handling strategies to better assess the controls being reviewed.  It can only help when IA can state that a given control is unnecessary because the risk is better handled by being transferred rather than mitigated.  But I disagree that the IA focus should be on risk management.  Our focus needs to be so much more than that.  Control assessment includes evaluating the effectiveness of the control, whereas a review focused solely on the risk management aspects would address just the presence of the risk mitigation plan (and the tracking and management of that plan) without regard to whether a better control would be more effective.

  1.  Richard, we are close to agreement. A risk-based approach focuses on whether risks that matter are being managed at acceptable/desired levels. That includes whether the controls relied upon to manage those risks are adequately designed and operating effectively.

    We need to both assess the adequacy of risk management in general, and also how specific risks are managed.

    A focus on controls assurance runs the risk (pun intended) of saying a control is effective when it is not necessary (for example, when it is redundant or the risk it is intended to address has disappeared).

  1.  Norman:

    Your comments are on the mark and I hope several things:


    First, that you continue to write these blogs with this intensity and even more intensity.

    Second, that you continue to embarrass the c--p out of the Big 4 and other service providers for really putting silly material into the marketplace.


    Last, that all internal auditors think carefully before they spend their hard-earned training dollars about which organizations they should take training from. I say that these problems exist because of leadership issues at the helm of the IIA and other organizations that do not step up to the plate. It is not the responsibility of internal auditors to step up to the plate if the leadership of the organizations that guide them does not provide them with the tools to do so. Therefore, I would rather bank my money on attending one of your training sessions before investing a dime with the IIA or with COSO.

  1.  Dear Norman,

    I am relatively new to internal audit; it would appear it is a bit different from the external audit exam I took during my ACA finals.

    I have a start-up situation in my hands. Please advise on how I can go about setting up a value-added internal audit department.

    I have heard of the COSO internal control framework. How do I go about using it to design the company's internal control system, or using it to assess the internal control system of a company?