Internal audit risk

January 23, 2013

Internal audit may be quick to point out the errors and deficiencies of others. They may – and should – assess whether the organization as a whole and each individual department is effectively managing risks to the achievement of their objectives.

But, does internal audit ever consider risks to the achievement of its own objectives?

They should. Whether independently or with the assistance of a corporate risk management function, internal audit should practice what they preach.

For example, the internal audit team should assess these sources of risk:

  • Failing to understand, in a timely fashion, a significant business risk and as a result leaving it off the audit plan
  • Failing to fully appreciate business needs and recommending change that does not address the real business issue
  • Recommending change that addresses only the symptoms of a problem instead of its root cause
  • Failing to obtain full value from the audit staff, whether from a lack of training or motivation
  • Failing to be heard by management. The causes may be many, including an inability to communicate, failing to demonstrate value that management appreciates, acting in a way that disrupts the business, and more
  • Performing work that doesn’t really matter
  • Inefficiency
  • Reporting that is untimely
  • An inability to effect change, with recommendations not being implemented. Reasons could include not being persuasive or failing to make the right recommendation
  • An inability to recruit the talent needed to be successful
  • Insufficient resources
  • Poor relationships with the audit committee and/or executive management

It is time to walk the talk. Do you agree?

  1. Mike Corcoran
    January 23, 2013 at 7:36 PM

    Those of us that have served some of the best and push the business model for value creation have little tolerance for suboptimal capabilities. I would expose opportunities in one day for free if interested.

  2. January 24, 2013 at 8:59 AM

    Which is precisely why internal audit will eventually be outsourced yet again. In order to walk the talk, you need to understand what the problems are and then be willing to look at yourself in the mirror and say, "Gee, we better do something about this, because if not, we will become irrelevant."

    The question for you, Norman, is how you believe internal audit got to this level of deficiency. Where do you suppose they learned this from?

    • January 24, 2013 at 3:48 PM

      Arnold, do you really believe any outsourcer is better? No, I think that just as risk management experts tell others about risk management but don’t practice it themselves, so have internal auditors failed to realize the need.

  3. Jay R.
    January 24, 2013 at 11:16 AM

    Great post, Norman. One cause of some of the sources you list is putting the wrong people / skillsets on the audit projects, which leads to failure to identify the right risks in the processes or activities. We are undertaking a strategic planning exercise to ensure we clearly deliver across the board. I encourage others to network with me about their experiences and ideas in this area.

  4. January 25, 2013 at 8:06 AM

    My experience has been two-fold. Many years back, when management (and the entire company) tended to view audit as the black hat enforcers, no one cared as long as audits were performed and the plan generally executed. Then, when the IIA added the ‘value-creation’ language to their definition of internal auditing, and management and the audit committee realized internal audit could do more than generate audit findings and provide talent for the finance organization, the issue of internal audit’s capabilities and the audit department’s risk management came to the forefront. That generated the first big wave of out-sourcing/co-sourcing agreements for internal audit.

    As audit director, while I never referred to it as risk management, I always had conversations with both the executive team and the audit committee (particularly the chair) about our group. Some of it was obvious, when reviewing audit plans and performance, and at budget time when reviewing staffing and other needs. Other times, particularly over dinner or a drink, just talking about the department and the challenges it faces.

    If the audit director can’t have those conversations with the Audit Committee chair in particular, then both the department and the company have a relationship / expectation issue that overshadows everything else on Norman’s list.

  5. January 26, 2013 at 1:47 PM

    Risks are normally expressed in terms of the effect of uncertainty on the organisation’s objectives. Your article therefore begs the question: who cares what IA’s objectives and risks are – apart from the inhabitants of the IA department?

    What we should really be asking is whether the way that IA is currently conducted and organised is a source of risk for the organisation. In fact, expressing risk as you have highlights to me what may be one of the major sources of risk to the organisation: that in seeking to be ‘independent’ IA no longer enables the achievement of the organisation’s objectives. In other words, in the way it performs its role it creates rather than reduces uncertainty.

    IA is accountable to top management and external stakeholders (and not just to God as one IA once told me!) and as such it should facilitate the creation of value. That cannot occur if it uses a language and paradigms that are inconsistent with the way that top management and stakeholders think. Ultimately its role is to support decision making and the business process, not to impede it and confuse it.

    What an organisation needs is a form of independent assurance of controls that supports the organisational objectives – not one that creates further obstacles and restricts the creation of value. Of course, this requires the providers of that assurance, whether they be in house or external, to ‘fit in’ and frame their advice in a way that is consistent with the language and way of thinking of the organisation while at the same time not crossing the line and ending up doing management’s job for it.

    Of course, this places big demands on auditors and their professional bodies. They cannot be part of a secret society with its own language and ways of thinking. They must be chameleonic – able to change and adapt so that their views and perspectives on controls are completely understood and fully appreciated by their customers – whoever they are on that occasion. However, when I look at what audit professional bodies offer I don’t see much that supports this. Rather I see the perpetuation and extension of a separate and parallel universe. They seem to encourage their members to be and think differently, not to understand and assimilate.

    It is certainly time to talk – but in the language and way of thinking of your clients and not your own.

  6. January 26, 2013 at 1:56 PM
    I love your passion! I am going to assume it is for an effective IA function that provides the assurance its stakeholders need, in their language and in a way that makes sense and adds value.

    I know that most CAEs desire to deliver that, although in my opinion many are less effective than they think.

    If the CAE and the Audit Committee are able to establish objectives, generally consistent with their charter, then they should be able to identify what could prevent their achieving or surpassing those objectives.

    Perhaps your problem, which I happen to share, is with internal audit functions that are not setting the right objectives!

    I am going to object to the idea of assimilation. That will lead to an inability to tell the emperor he has no clothes.

    But I do agree, and preach myself, that success for IA is achieved when we contribute to the success of the organization. If it fails while we watch, even if we have told management and the board of the issue, we have failed as IA. We should not measure success by the number of findings, but by the value of the assurance we provide and the change we have encouraged.

    Do you agree?

    • January 26, 2013 at 2:40 PM
      Thanks. As always, you and I are converging.

      I see many CAE’s working hard on their communications. However, I also see some reports from other IA shops, mostly external, where the language and approach is alien to how that particular management team thinks and communicates. One size does not fit all and one of the arguments against outsourcing must be the difficulty of tailoring the message when audit is delivered within a set price.

      Setting the right objectives is the key and those for IA must always be subordinate to the organisation.

      What I’m not sure about is whether the emperor will ever listen to you and will change his clothes if:
      – you speak a different language to him;
      – you look and think differently to him;
      – he does not see your objectives as being aligned with his.

      On the other hand, if you think and look like him, you seem to be fully aligned with his overall objectives and he respects you, then maybe he will take your advice and put some suitable clothes on. That is what I mean by assimilation.

      Success for IA must not just involve getting people to do what you tell them. It must be seen in terms of education so that the organisation does and goes on doing the ‘right’ things that limit uncertainty for their objectives. This requires interpersonal, communications and influencing skills of a high order.

  7. January 26, 2013 at 2:56 PM

    Well said, Grant. I think we are close to full agreement. The professional skeptic in me (professional paranoid perhaps) says that I need IA to have objectives that are aligned with the long-term success of the organization as a whole. It is not as simple as aligning with the (often personal rather than corporate) interests of the CEO and other executives.

  8. Linda DiPaola, CPA CISA CGEIT
    January 28, 2013 at 12:41 PM

    Excellent discussion. I too believe, as a CAE, that the most value can be obtained by assimilating with management, yet maintaining independence (in reporting structure and in point of view). I personally feel successful if I can offer recommendations for process improvement that are accepted, and yet still be considered a go-to source for advice on applicable regulations, etc. – an independent auditor who is considered part of the team.

  9. roygarbarino@yahoo.com
    January 30, 2013 at 6:42 AM

    A clear and interesting perspective, the embracing of which can identify areas that require attention. On the point about “Failing to be heard by management”: is management listening, or willing to listen? Cultural and personal presets can create a daunting environment in terms of obtaining audit risk intelligence. This does not lessen the need to try, but it can make it more difficult. The FRB’s recent “Supplemental Policy Statement on the Internal Audit Function and Its Outsourcing” is a good read on key structural elements of a sound IA program.

  10. CapitanFlamingo
    August 14, 2015 at 6:02 AM

    Does anybody know of any international or national standards for risks in the internal audit process?
