Internal audit risk
Internal audit may be quick to point out the errors and deficiencies of others. They may – and should – assess whether the organization as a whole and each individual department is effectively managing risks to the achievement of their objectives.
But, does internal audit ever consider risks to the achievement of its own objectives?
They should. Whether independently or with the assistance of a corporate risk management function, internal audit should practice what they preach.
For example, the internal audit team should assess these sources of risk:
- Failing to understand, in a timely fashion, a significant business risk and as a result leaving it off the audit plan
- Failing to fully appreciate business needs and recommending change that does not address the real business issue
- Recommending change that addresses only the symptoms of a problem instead of its root cause
- Failing to obtain full value from the audit staff, whether from a lack of training or motivation
- Failing to be heard by management. Again, the causes of this may be many, including an inability to communicate, not demonstrating value that is appreciated by management, acting in a way that disrupts the business, and more
- Performing work that doesn’t really matter
- Reporting that is untimely
- An inability to effect change, with recommendations not being implemented. Reasons could include not being persuasive or failing to make the right recommendation
- An inability to recruit the talent needed to be successful
- Insufficient resources
- Poor relationships with the audit committee and/or executive management
It is time to walk the talk. Do you agree?