Internal Audit has to STOP focusing on internal controls

Earlier this year, PwC reported (in their 2013 State of the Internal Audit Profession) a significant gap between the expectations of the board and the performance of the internal auditing activity.

Now, the software firm of Thomson Reuters Accelus has released their own State of Internal Audit 2013 that may explain why.

According to Thomson Reuters, the #1 area to which internal auditors are devoting their attention – and expect to continue to focus in the future – is “assurance on internal control processes”. Assurance on the effectiveness of either risk or governance processes barely merits a blip on the radar, according to their report.

Now unless Thomson Reuters has a major flaw in their survey, this seems to say there is a major flaw in the priorities of internal audit departments across the globe. While IIA Standards and modern practices dictate that internal audit should “evaluate and improve the effectiveness of risk management, control and governance processes”, CAEs are satisfied with only providing assurance on internal control and boards are failing to demand that their CAEs step up.

It is not enough to answer surveys and show dissatisfaction. Boards need to act and demand more. When CAEs fail but don’t change, that is a failure of the board.

Let’s take the challenge to the next level:

  • Risk is the effect of uncertainty on objectives (per both COSO and ISO).
  • So, let’s not just report that the level of risk is or is not higher than desirable.
  • Let’s let the board and management know which objectives are at greater risk. Sometimes, they need to change their objectives!

I welcome your comments:

  1. Do you agree it is well past time to stop providing assurance on internal controls and start providing assurance on the effectiveness of the organization’s processes for managing the risks to objectives?
  2. Do you agree that internal audit should start being specific about which objectives are affected instead of making the board and top management guess by only reporting on risk?

  1. July 8, 2013 at 3:53 PM

    I say #1.

  2. July 8, 2013 at 4:34 PM

    Are you kidding me? Blah blah blah blah blah, internal controls are passé? Sorry, but not smart at all. Hip, topical, avant-garde, new, fresh… perhaps. But smart? I don’t think so. I could be wrong. Put it in context, using real life examples, and describe how a focus, any focus, on internal control weaknesses would have been misguided, please. I’d like to see (read) some compelling specific arguments.

    Discourse is a positive activity, in my humble opinion.

  3. Norman Marks
    July 8, 2013 at 4:41 PM

    Freak, internal controls exist to modify risk. While they remain important, the focus needs to be on whether the risks that matter are managed properly.

    Time to catch up? It’s 2013 and this has been the definition of internal auditing per IIA Standards since 1999.

    • July 8, 2013 at 4:50 PM

      No examples? No specifics? No case study? All I can conclude is, no substance. I don’t know what value is added. Who does it wrong, and who does it right? How do they differ? What are the consequences?

      Where’s the beef?

  4. Norman Marks
    July 8, 2013 at 5:28 PM

    You want me to give examples because IIA Standards and even COSO internal control framework (the other ICF) are not sufficient for you?

    OK. Just look at any company that failed over the last ten years. Why did it fail? According to the authoritative studies in the US, UK, and by the OECD, organizations failed due to a failure in governance and risk management.

    When is the last time a company failed because of poor controls in accounts payable?

    Focusing on internal control and not assessing the context within which controls operate is foolish at best. Freakishly foolish.

    This is not a fad. It is not a newfangled idea (except perhaps to some).

    It is accepted best practice – just check out IIA guidance and listen to leaders like Paul Sobel, Larry Harrington, Richard Chambers, and

    • BTech2009
      September 28, 2013 at 10:03 PM

      Norman, how could I have missed risk management blogs like this? Regarding business failures, I would like to know if this case template in enterprise risk management is realistic yet comprehensive enough:

      You are performing an enterprise risk management audit for a growing private company. Before a spree of recent acquisitions, this company already has a domestic subsidiary or two, plus a foreign one.

      Recently, the company has made two or three strategic acquisitions. One acquisition was that of another private company’s total assets and total liabilities, and no share purchases were involved. Another acquisition was enough of another private company’s common shares to exercise control. Between these two or in a third acquisition is a potential fraud case, an earnout dispute, or some other forensic accounting application.

      Meanwhile, as a result of these acquisitions, the company has had to change key information systems. Despite best efforts, the systems transition has resulted in a second forensic accounting case, this time in computer forensics, and the company is in the middle of an information systems audit.

      Furthermore, the growing company has detailed plans to go public.

      Through your conversations, the board has required you to, in general or in specific, directed parts:

      1. Report on the adequacy and effectiveness of the business valuation processes leading to the recent acquisitions and, if applicable, to the planned initial public offering.
      2. Report on the adequacy and effectiveness of any financing arrangement process involved in the acquisitions.
      3. Report on the adequacy and effectiveness of the business combination’s current and planned financial reporting processes leading to the necessary reports (annual and quarterly, consolidated and single-entity).
      4. Report on the modifications needed for the information systems audit program and possibly other internal audit programs, in light of the computer forensics situation.
      5. Report on the adequacy and effectiveness of the growing business combination’s strategic planning processes and systems.
      6. Report on the adequacy and effectiveness of any applicable transfer pricing processes involving the foreign subsidiary.
      7. Report on the adequacy and effectiveness of the tax risk management function.

      • Norman Marks
        September 29, 2013 at 7:09 AM

        BTech, it looks like you are being asked to do a lot of work by the board – always a good situation. But they are not asking you to assess the adequacy of risk management. Is that correct?

        • BTech2009
          September 29, 2013 at 8:35 AM

          Norman, the adequacy of risk management is addressed throughout, including the last part on tax risk management.

          The case template is a ten-hour, individual capstone examination proposal of mine that ties together business valuation, corporate finance, forensic accounting, income taxation, IS auditing, IS strategy, internal auditing, and strategic management, as well as varying levels of financial accounting and management accounting. In the US, it would cap off the last course in MAcc programs.

          Part of fulfilling the first requirement is the evaluation of the enterprise valuation and subsequent acquisition activities that the company performed, versus the alternative of simply purchasing enough common shares to exercise control. Assurance, finance, and taxation competencies must be demonstrated in sufficient depth beyond reaching competence, as applied to business valuation, internal auditing, forensic accounting, and corporate income taxation fundamentals.

          The second requirement requires the demonstration, in sufficient depth beyond reaching competence, of competencies in assurance and finance, as applied to internal auditing and advanced corporate financial management.

          The third requirement may or may not be related to the computer forensics case, but the ongoing information systems audit must be considered. Governance issues must be considered, as well. Assurance, financial accounting, and information systems competencies must be demonstrated in sufficient depth beyond reaching competence, as applied to internal auditing, information systems assurance, advanced financial accounting, and some intermediate financial accounting.

          Part of fulfilling the fourth requirement is auditing the feasibility analyses leading to the systems transition. Assurance, finance, and information systems competencies must be demonstrated in sufficient depth beyond reaching competence, as applied to lower-level corporate financial management, internal auditing, information systems assurance, and forensic accounting.

          Part of fulfilling the fifth requirement is communicating any advanced strategic framework or elements of such that are missing from among these and perhaps more: Diamond-E frameworks, critical success factors, value chains, competitive forces, political-economic-social-technological analysis, and third-generation balanced scorecards. Without this and then relating to the adequacy and effectiveness of existing decision support systems and executive support systems, competencies in assurance, management accounting, strategic management, and information systems, as applied to internal auditing, strategic management accounting, general strategic management, and information systems strategy, would be demonstrated in insufficient depth, reaching competence at best.

          The sixth requirement, if applicable, requires the demonstration, in sufficient depth beyond reaching competence, of competencies in assurance, management accounting, and taxation, as applied to internal auditing, strategic and operational management accounting, and lower-level corporate income taxation.

          The seventh requirement requires the demonstration, in sufficient depth beyond reaching competence, of competencies in assurance and taxation, as applied to internal auditing and advanced and lower-level corporate income taxation.

  5. Deb
    July 8, 2013 at 10:35 PM

    Norman: Topical and forward-looking views, as always. If we consider control, risk and governance as steps on a ladder, many (most?) IA functions are probably poised somewhere between the first & second rung.

    However, it may not be totally accurate to heap the responsibility for this only on CAEs. Besides the fact that Board and Audit Committee expectations are mostly wanting (something which can perhaps be remedied to an extent with aggressive persuasion), there is in many cases active resistance to Internal Audit looking into certain corners, whether it be high-level risks or governance issues.

    It may be quite easy to say that in such cases conscientious CAEs should look for other suitable places to better utilize their skills and potential, but it’s not as easy to actually do, much less in the present economic and job market conditions.

  6. Gary Lim
    July 8, 2013 at 11:23 PM

    I would like to comment from an Asian perspective, or maybe it should be a Malaysian perspective. IA, as I understand it, is on FINANCIAL matters and on check and balance, hence unlikely things would go wrong, BUT with GREED and pressure from the top to meet the top and bottom line, the Check and Balance just vanished; somebody overruled the SOP. Take for example, with an IT system in place, how can there be UNLIMITED funds being channeled out without an approval to overrule the limit set?
    I believe IA are trained in various techniques when it comes to risk; one of the main tools is CSA, Control Self Assessment, and this is something only a trained accountant can implement; to the layman it is a tough thing to learn.
    I believe unless there is a major overhaul of the thinking, especially in the Malaysian corporate context, IA will always take the lead whilst Risk Management will take a back seat. Sharing my personal views on this matter… could differ significantly from the experts who are reading this posting.

  7. Temel TOKGOZ
    July 9, 2013 at 12:38 AM

    I do not agree with you. An effective Risk Management covers objectives, risks and internal controls. You cannot say stop focusing on internal controls. Without assessing you cannot assess the risks, so the risk you mention to the Board will then be inherent risk, which is useless.

  8. Temel TOKGOZ
    July 9, 2013 at 12:39 AM

    Temel TOKGOZ :
    I do not agree with you. An effective Risk Management covers objectives, risks and internal controls. You cannot say stop focusing on internal controls. Without assessing the internal controls you cannot assess the risks, so the risk you mention to the Board will then be inherent risk, which is useless.

  9. Zeeshan Dossani
    July 9, 2013 at 12:50 AM

    A well drafted piece of writing. The only thing I would like to point out is that perhaps the title should have read differently. Provided the sustaining importance of Internal Controls, inter alia; the title should have used another word instead of ‘STOP’. For instance it could say that Internal Audit has to shift focus from Internal Controls, or something similar!

    Apart from that, an excellent article!

  10. Obadah
    July 9, 2013 at 1:00 AM

    I do agree. IA should start focusing more on the organization’s strategic objectives and whether their risks are addressed and managed by the management and by the existing business processes.
    I believe (Studying) the business plan while planning IA activities adds a lot to the IA plan and keeps it (close) to what board and committees are thinking of.
    My only concern is the overlapping that takes place here. Many new functions like risk management, compliance, internal control and different committees are joining the risk management (scene). At the end of the day we know that the organization should get its position evaluated in this regard, but we do not want to end up getting this task done by all risk related functions. The question is, should IA be the one doing it, or somebody else? Are responsibilities clearly segregated?

  11. July 9, 2013 at 3:18 AM

    If we accept that internal controls are part of risk management, as you mentioned in your blog post headlined “Is Risk Management Part of Internal Control or Is It the Other Way Around?” http://www.theiia.org/blogs/marks/index.cfm?postid=424, you are right. We should focus on risk management instead of internal controls. Focusing on risk management will include focusing on internal controls anyway.

  12. Norman Marks
    July 9, 2013 at 6:42 AM

    I want to share the comment made by a former CAE and current member of the board:

    Norman, you are spot on with both conclusions.
    I’m an NED as well as having been a CAE in major FTSE listed companies. Sometimes I have found it hard to convince my fellow directors that the CAE has anything worthwhile to say because s/he is unwilling to venture a professional opinion on the management of risks to objectives but prefers to comment only on the degree of compliance with internal controls found in internal audit assignments. (I have compared it to tipping out the pieces of a jigsaw puzzle on to the AC table rather than turning those pieces into a picture.) The resulting bottom up IA-introverted reporting is a complete turnoff for most directors who expect a robust, top down opinion on the state of risk management in the context of the organisation’s objectives, business model and environment. That opinion has to be founded on evidence but as professionals we need to interpret what that evidence is likely to mean for our organisations – which is future focused and therefore inherently uncertain. Unlike compliance (perhaps) internal auditing is not a simple black/white, yes/no, on/off.
    Another problem in concentrating on the compliance with internal controls is that some IAs fail to analyse the adequacy of internal controls before checking on their operation. We need to be expert and intelligent enough to assess whether controls singly or jointly are likely to prevent/detect/correct error, accident and/or malfeasance within the accepted tolerances of the organisation. There is no point reporting either compliance or non compliance with controls if their design has not been assessed.
    By Sarah Blackburn

  13. July 10, 2013 at 8:03 AM

    This is all just semantics. You’re defining internal control in a (narrow) way that supports your assertion that IA departments have a “major flaw.” Perhaps these flawed departments recognize a broader understanding of the term that covers these areas appropriately. Without looking at the actual substance of what IA departments are doing, it’s an exercise in wordsmithing.

  14. July 10, 2013 at 10:05 AM

    I agree, Norman. That is why Navigant Consulting developed an Enterprise Risk Intelligence Solution (SAAS platform) to help companies with ERM education, evaluation and evidence. Here is some further information http://www.slideshare.net/slideshow/embed_code/24063022. Well received at major, multinational firms.

    Sometimes it is hard to change.

    Internal Control as a focus like COSO 2013 is a one-legged stool.

  15. Don Turnblade
    July 10, 2013 at 12:58 PM

    Reporting an inventory of risk is not the same as showing value. It is an easy substitute to make. When risks are not direct technical measurements they do not require one to actually do an inventory, just make a table that looks long enough and show progress bars.

    With such an invention, we can look like Project Managers. We show the progress of status in Controlling Risk with Internal Controls. Internal controls can be drawn from a list so we can shut down part of our thinking processes. Then the Internal Controls we picked from a list look vibrant, good and have traceable status. “See, Dear Board, we produce activity for your dollar; all is good here – These aren’t the Droids you’re looking for. Move along.”

    Matching real risk to genuinely traceable business value creation steps: this actually is valuable. It looks very similar to the camouflage “inventory of risk” copy. One has to get at the question underneath the charts. How is it even possible to say my firm is well controlled if I have no idea what each transaction is worth in terms of revenue and cost? Why allow a computer to perform that transaction 10 times faster, summing up more profits than losses?

    Really, I can use a computer to print labels with my customer’s SSN data even faster and so breach more records than I could without the computer. Speed of more profit is a business good; speed of more liability is a legal nightmare. This all turns on the revenue gain vs loss of each transaction. Without maps of the migratory habits of my data, does it do anyone any good to look like it is under control? After all, everyone printing breached data on address labels passed a great background check in the Identity Management process.

  16. July 10, 2013 at 1:00 PM

    I agree with you. If internal controls are not set or updated with a risk management process, we cannot know if internal controls are weak or strong, excessive or lacking. We can only fill in simple or complex check lists by auditing internal controls. In today’s world there are too many variables for corporations in reaching their missions. A change in a variable might create a risk to reaching targets. Only a dynamic risk management can make us confident of internal controls’ accuracy and validity.

  17. Don Turnblade
    July 10, 2013 at 1:06 PM

    Was that concrete or was it “blah blah blah … value chain … blah blah blah … controls …”?
    Really, you might want to check to see if Address Mailing labels have Credit Card and SSN data buried in them. It is a very effective way for staff to store data in a form that is contrary to the published process, for “efficiency” reasons. Lots of firms make that mistake. It can take years to clean databases of all records once this has happened.

  18. scott tscharke
    July 10, 2013 at 6:43 PM

    i think my dinner is burning!

  19. Raymond A.
    July 10, 2013 at 11:16 PM

    Norman, it’s been a long time. I trust you are well.

    I think many have interpreted IA’s focus on internal controls as “compliance with established controls” or a “tick the box” exercise, with the assumption that the internal controls have been established to mitigate certain identified risks after a robust risk assessment exercise (i.e. relating internal controls back to risk, and risks back to the original objectives).

    Internal controls can be seen as the “tools” to managing and monitoring the identified risks, and while some IA shops focus only on whether internal controls have been adhered to, many internal auditors do step out of the box to consider if the internal controls are sufficient or still relevant (e.g. business conditions may have changed, thereby altering or even eliminating the risk). IA assessing the risk assessment process and risk management framework is not unheard of. Should internal auditors venture further to assess if achievement of objectives are being threatened? Or even further still whether the objectives themselves have been properly set? (e.g. has all relevant information been given and reasonable assumptions made? – risks in decision making). We might want to be careful here. Perhaps we need to draw a line somewhere so that IA is able to assess the risk management and objective setting processes, without being accused of being a PART of those processes.

    • Deb
      July 11, 2013 at 2:54 AM

      Raymond: You bring in a very good perspective. It’d be unfair to, sort of, ‘vilify’ (if I may use that term) internal control verification without considering all these ramifications. Besides the reassessment of the utility of the controls, IA is also constantly on the lookout for (a) missing controls (for instance, lack of SOPs in an area of significant risk) and (b) redundant controls (e.g. where a form is filled for every purchase, without regard to value and thus the potential risk involved).

      After all, don’t we say that we look into all three aspects of controls – existence, appropriateness (which should include risk-level sensitivity) and adherence (which is what a limited view of control assurance assumes as the be-all and end-all).

  20. Omer
    July 11, 2013 at 12:04 PM

    I totally & strongly agree that internal auditors are not only there to test the controls of management, instead an in-depth understanding of the organisation both internal & external contexts as well as customer focus, revenue / cost models opportunities, best practices, and definitely objectives assurance providing to management real value improvements both continual & continuous breakthrough moves.

  21. Muhammad Khalil
    July 11, 2013 at 11:16 PM

    Internal Auditors should have the strength to move the organization in the right direction. The Board/Audit Committee should utilize the services of Internal Audit to increase the probability of achieving the organizational objectives. If it’s just internal controls in select areas that the Internal Audit of an organization is focusing on, then I do not consider that a meaningful job. Governance and Risk Management are related to the decision making process, and if Internal Auditors ignore this aspect and do not provide any comments on the system that supports decision making, communication and implementation, then they and the audit committee are definitely not aware of the purpose they are meant to serve. I hope that the state of the internal audit profession takes a direction where experienced IA professionals are appointed as advisors to Boards and Audit Committees.

  22. Norman Marks
    July 12, 2013 at 7:18 AM

    I wrote the post because of the survey reporting that most internal auditors’ #1 priority was providing assurance on internal controls (not on the management of risk through controls), and both risk management and governance were hardly to be seen.

    Internal controls are the mechanism by which management ensures risk is maintained at desired levels.

    I believe we should plan our work to address the risks that matter most to the organization as a whole. You say that always includes financial reporting and fraud. That’s another discussion.

    Internal audit should identify the risks to audit and then assess the adequacy of the design and operation of the controls that manage those risks.

    The trouble is that most IA functions prioritize their work based on identifying a key business process, unit, or location, and then assess all the controls within that area. They may now be assessing controls that relate to risks of far less significance, and missing controls required to address the risks that matter.

    For example, some risks are managed by a combination of controls in different locations and at different levels of the organization – such as at a factory and a shared service center. If you only perform audits at one of these, you cannot really know whether the controls are adequately designed to address the risk to the organization as a whole.

    My suggestion is that we identify the risks to audit (based on what matters at the enterprise level) and then figure out how to assess all the controls relied on to manage that risk.

    Then, our end product can be worded in a way that provides assurance to the board and executive management that the risk is being managed by an effective combination of controls.

    This is more than reporting and providing controls assurance. It is more than saying that controls in a business unit are working. It is saying that the organization has the appropriate set of controls to manage risks to the enterprise, and they are working.

    Do you agree or disagree?

    • Marianela
      July 14, 2013 at 1:00 PM

      Wow!!!! Excellent!!!!

  23. Norman Marks
    July 12, 2013 at 7:31 AM

    Let me add one more comment.

    Internal audit needs to use the language of the business and make sure they are not just looking at what matters but answering questions relevant to the board and executive management.

    When the latter think about controls, they are thinking of SOX, compliance, and fraud.

    When they meet to run the company, they are thinking and talking about their goals and what may enable or stop them from achieving their goals.

    They need to know if they can rely on the organization, people, systems, and processes (including controls) to operate the machine of the enterprise. They need to know that if they steer the car in a certain direction and use either the brake or the gas pedal, the car will respond as commanded.

    I think that need to know is answered by assurance.

    Consulting complements and augments our assurance work in a proactive way. We make sure that when there are changes in the systems or processes, risks are not increased due to missing or faulty controls or security. We help management improve their controls with our counsel and advice.

    If we are to be of value to the board and top executives, we have to fill a need. I believe providing assurance that the car is properly maintained and will respond to their commands is valuable and valued service.

  24. Kelvin Arcelay
    July 13, 2013 at 5:03 AM

    The opportunity lies in lessening in the time invested in checking the box (compliance needs) and increase efforts in company culture education and “real” risk and process management activities.

  25. July 13, 2013 at 8:43 AM

    If we say that the Internal Auditor is an objective CONTROL Specialist that evaluates CONTROLS, determines and provides an opinion on RISK materialisation and OBJECTIVE achievement, I agree. (Note: Senior Management and Board receive information from many specialists in their fields of expertise, for example: Strategy Advisors, Dedicated Committees, Executive Directors, Independent Assurance providers, External Audit, Financial Comptrollers, Operational reporting, HSEQ, ISO, fraud prevention, compliance, risk management activities that report on ERM, monitor KRI trends, Incidents, Assess and Evaluate Risks on an on-going basis, Internal Audit that evaluates CONTROL systems as part of the total governance and management process, etc.)

    I have been an Internal Auditor since 1987 and recognise that there are other methodologies and roles, including compliance audits. But for me the Internal Auditor is a “CONTROL specialist” and the Internal Auditor’s primary role is evaluating and testing CONTROL systems, especially those that manage processes in areas of uncertainty / high risk. Example: As part of my audits I will evaluate and test CONTROLS and then determine RISK materialisation and analyse the EFFECT associated with the CONTROLS evaluated / tested, and then recommend improvements pertaining to the CONTROL system. Thus I do not only provide assurance on the CONTROLS, but by definition am able to express opinions on RISKS and OBJECTIVE achievement linked to the CONTROL system. Please explain if you disagree?

    I also wonder how timing and technology will influence the Internal Audit Activity in future:
    1) I find that the issue for Boards, Audit committees and Management is with the timing of reporting.
    2) From an internal audit perspective, I experience the lack of timely tracking of management actions, or actions not timely implemented, as a waste of time and money.
    3) I also observe that more and more, Boards, Audit Committee members and Management connect and communicate through various mobile applications, and reporting is shifting to real time; technologies like Big Data, Hadoop, Voice Reporting, integrated cloud and mobile systems that enable fast detection of weaknesses for action, etc.

  26. Norman Marks
    July 13, 2013 at 8:54 AM

    You can start with controls and then assess whether deficiencies create a risk.

    Or, you can start with identifying the risks that matter and only then assess whether the controls provide reasonable assurance that the risk is managed within desired levels.

    The first is auditing controls and providing controls assurance.

    The second provides assurance on whether you have the right controls to manage the risks that matter: risk (and controls) assurance.

    Now, some argue that IA doesn’t have the skills to take the second approach. My answer is that is an excuse and not a reason.

    When you provide assurance on controls, you may or may not be assessing all the controls required to manage the risks that matter – especially when an enterprise risk relies on multiple controls at different levels or locations within the enterprise. What I will guarantee is that you are auditing controls that may be important to a location but are not important to the enterprise as a whole.

    Do you accept from a process owner that he should continue doing something because that is the way he has always done it?

  27. thiru
    July 13, 2013 at 10:40 PM

    From this post, it appears that the survey kept the effectiveness of risk management, control and governance processes outside the scope of internal controls, which is fundamentally wrong. COSO, OMB, GAO, etc. all include controls at all levels as part of the internal control objective.

  28. July 15, 2013 at 8:16 AM

    Norman, I am not sure I am clear what the question is here. I wonder if this is a simple conflation of risk mitigation actions and controls. If an internal audit function follows the IIA’s risk based audit approach it would do a single audit of risk management systems. If this system is found to be excellent and functioning then it would stop there and rely upon it. For if risks are being well managed by a risk management system, one could argue that providing an assurance opinion over the management of risks is thus simple.

    I think what the survey is saying is that the risk management systems are generally not good, or at least not excellent. Thus auditors support their work by auditing controls. Now for me controls are interchangeable for risk mitigation actions. In effect you are controlling for risk. So as a consequence I, as for most CAEs, need to test the control environment. We should only do this as far as it related to controlling or mitigating relevant business risk. Hence a ‘risk-based’ audit. Perhaps what you are criticising is non risk based audit? i.e. auditing of controls for controls sake?

    On the point about providing assurance over risk exposure, what is wrong with this? If risk is too high (i.e. above risk appetite) then why not report it? Given a suitable system one could report by how much above. It will be above because controls are not sufficient or adequate. Yes, I agree that auditors should audit risks not controls, and relate controls to their risk mitigation capacity. But when we CAEs responded to the survey I am sure that that is what we meant when looking at ‘controls’.

  29. Martin Kicza
    July 15, 2013 at 3:12 PM

    I was with a number of thought leaders the other day in conjunction with a world renowned management school. They studied recent failures and why a number of key leading edge companies are considered to be resilient (ie what risk management is trying to achieve).

    Guess what, resilience is not so much about internal controls, implementation of a Coso or ISO framework, in fact these leading edge companies did not actually use a formal “internationally recognised” risk management framework.

    The key factors were:
    a) Values – the companies had branded values, a customer focussed orientation which created trust with all stakeholders: customers, suppliers and investors.
    b) Profit / Cash were not the only key values. Quality was the primary focus. If profit was a key motivator, ultimately companies did not survive.
    c) The quality standards had been defined to the basics, and could be easily verified and monitored.
    d) Staff were loyal to the values and as a result were loyal.
    e) Quality was a given, it was not a matter of auditing controls, rather understanding the high level trends.
    f) The companies’ primary statements were forward looking information or real time, not monthly / quarterly statements. This gave them the ability to act quickly and decisively.
    g) Collaboration – An understanding that the experts weren’t the auditors, governance experts but people within the line across all areas of the business.
    h) A commitment to continuous improvement
    i) A clear strategy was defined, with objectives, which had been challenged through various tools, be it stress test, war gaming. No executive glass ceiling, execs welcomed challenges and promoted it.
    j) Employees were properly empowered and trusted to make decisions.
    k) The companies understood mistakes are made, nobody’s perfect, but learning the lessons was a key factor; the cultures did not penalise mistakes as long as the lessons were learnt and not repeated.

    Or in other words, act responsibly, focus on quality, look at the strategy, promote a culture which challenges it, communicate it well, empower your staff to execute it, focus on trends not individual cases, learn the lessons and improve. Implement it organisation wide.

    If I focussed 80:20, my primary focus would not be internal control.

  30. July 17, 2013 at 5:13 AM

    A few comments – The title of this article “Internal Audit has to stop focussing on Internal Controls” is probably too strong (specifically: you can audit internal controls (as long as they are the right ones!) and that give you great insight into the management of the associated risks) – but it does grab the attention .!.

    Norman has, as usual, stimulated a good debate and I agree largely with Norman that IA should be focussing on “organization’s processes for managing the risks to objectives” and IA should be “specific about which objectives are affected” – Most importantly I believe that auditing the generic risk management process is DANGEROUS since the general risk management process may appear to work well, but not work well in relation to a specific risk..

    Several further builds:
    ~ The importance of being wary of management’s view of what these risks are (i.e. often the official description of risks is narrow, excluding key things)
    ~ The importance of addressing governance, risk and control DESIGN questions for the risk and agreeing the yardstick by which weaknesses will be judged (see risk appetite comment below)
    ~ The importance of IA addressing the risks that the objectives themselves pose (e.g. a cost cutting programme, implemented badly, may pose a risk to the organisation)

    Looking at certain controls CAN be an important piece of whether a risk is being managed, but these should be the relevant key controls (not every control, unless management has a very very low risk appetite)..

    Often this is where a big problem arises, creating the gaps between Audit and Management discussed above: The controls that are not working may not actually matter that much or likewise controls may be working but that doesn’t mean the whole risk is being managed (not every risk maps to a process!!)

    My key tip is:
    How clear is your organisation on what its material risks are?
    How clear is the organisation about what its key processes / actions / reviews (and yes – Controls!) are?
    How clear is the risk appetite in relation to these?
    Is audit (and other assurance providers) doing justice to all of this??

    The debate will continue I am sure and this is a topic for never ending vigilance.. Since false assurance (or ill defined assurance) is one of the greatest sins we can commit as auditors..

  31. John Fraser
    July 18, 2013 at 5:48 AM

    I really like the list in Martin’s comments above and I totally agree with them (who wouldn’t?). I would point out that every one of those”key factors” is (IMHO) an internal control. I think many people and especially many internal auditors think of internal controls only as things like approvals on invoices, and not as those things that mitigate risks to achieving objectives, like the items listed.

  32. Amr S. El Kasaby
    July 21, 2013 at 11:29 PM

    It seems that most of the survey takers were of the old internal audit perception (I.e. “the internal control” pillar). Remind you with the old internal audit definition.

    Since the internal audit function was redefined, a new perception was introduced presenting the new methodology “Risk Based” at the time. Having said that, all internal audit functions should have reformatted their methodology/approach to cater for the new perception.

    The so called “new methodology” required certain aspects:
    – risk assessment exercise for the strategic and annual plan,
    – risk identification process during the planning phase of the audits, and
    – risk rating observation and overall opinion.

    Based on the above, it is obvious that the focus has been shifted to risk. However, whenever risks are identified, controls have to be looked for as mitigating factors (to bring the inherent risks to residual risks).

    Further, the well known process of “self assessment” has also been changed from Control Self Assessment to Risk Control Self Assessment, whereby the different risks are identified and then available controls are mapped against them.

    A few years ago, a new exercise (Fraud Risk Assessment) was required by the IIA standards to enhance the risk based methodology.

    In short, the main focus is on risks, but the internal controls remain the mechanism by which the management ensures risk is mitigated or maintained at the desired (acceptable) level.

    One last comment to add, consulting services of the internal audit also deals with potential risks..

  33. Nikhil
    July 31, 2013 at 5:41 AM

    There is no way the internal controls review can be eliminated from Internal Audit. But limiting it to internal controls only is very sly. I agree that the risk element whatever it may be has to be reviewed.

  34. Jude opolot
    November 28, 2013 at 7:08 AM

    Yes, internal audit should not only be specific on the risk but also further suggest possible recommendations to the board on how to mitigate the risk.
