Is Internal Audit Irrelevant?

Richard C. Anderson made a great presentation this week at the IIA’s International Conference in Atlanta. One of his points was that internal auditors have been humiliated – because nobody has held them to blame to any degree for the collapse of the banking sector, the failures in corporate governance and risk management, and the tremendous loss in value of investors’ shareholdings all over the world.

Richard pointed out that the Walker report (in the UK) on the causes of the banking crisis didn’t even mention internal audit. We are irrelevant.

Now that’s not totally correct. If you see these posts, here and here, you will see that the questions were asked. Some, including me, said internal auditors should shoulder at least part of the blame.

The point is important, and points to the need for growth in the profession. We will get recognized when we deserve it.

  • Where are the NYSE standards that require internal audit to provide an independent assessment of the adequacy of governance, risk management and related controls? It only calls for the presence of internal auditing, without definition of what it does.
  • Where are the NASD standards that require internal auditing?
  • Where is the National Association of Directors’ guidance on the use of internal auditing to fill the board’s assurance function?
  • When COSO issued guidance for improving corporate governance, why was there no mention of internal audit?
  • Why do so few internal audit functions audit and issue formal opinions on governance processes, risk management, and related controls?

When we are seen as vital by boards, not for detecting fraud but for assurance on governance and risk management, then we will deserve a seat at the table – and be relevant.

  1. Eamonn McCoy
    June 9, 2010 at 1:14 PM

    I am the Information Assurance lead for the UK Division of a major Irish Banking Group that was hit hard in the recession. For my part, I have worked hard over the past 3 years to build a strong working relationship with our Group Internal Audit, Operational Risk and Regulatory Compliance teams. I now have arrived at a position where Group Internal Audit are a fundamental pillar and critical success factor of my information GRC framework, adding a strong independent attestation to all my IS Controls assurance work.

  2. June 9, 2010 at 7:02 PM

    Agree, but I don’t expect the NYSE, NASD, or NACD to issue standards. It is up to internal audit to prove itself, and to promote IA to the board and the audit committee. It needs an organization (IIA) to do it. Also consider, is internal audit being passed by GRC?

    David Tate, Esq.
    http://davidtate.us (audit committee, D&O, etc. materials).

    • nmarks
      June 10, 2010 at 4:31 AM

      David, thanks for your comments.

      There is a great difference between GRC and internal audit.
      1. Internal audit is part of the governance function, and therefore one of the GRC functions/processes.
      2. Internal audit provides assurance on the effectiveness of GRC processes.

  3. June 16, 2010 at 7:58 AM

    What I’m wondering in some of those big stories of the Financial Crisis is: did Internal Audit raise the flags (as I supposed it should)? Then the problem may be that IA was not listened to, or even silenced.
    There is always a lot of talking about the need for more (or better) regulations, changes in the corporate culture towards risk, etc.
    Making sure IA is never silenced and/or irrelevant is probably part of the new desirable culture…
