Why Internal Audit Fails at Many Organizations
When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is neither delivering the value it should nor addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.
With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.
My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.
Audit committee members need guidance and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often one of the first that are read.
The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. (PwC’s internal audit services arm has produced not only good guidance from time to time (including their State of the Internal Audit Profession series), but some excellent thoughts leaders (including the IIA CEO, Richard Chambers).)
Let’s look at what they did well:
“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”
This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and by showing its respect for the CAE and his team promote respect by management.
“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”
Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.
“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”
The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.
“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”
If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.
Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.
While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.
What did they miss?
- The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
- The audit committee should challenge any audit activity that is not designed to address a risk that matters.
- The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wish-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
- The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
- The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
- The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
- Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.
The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?
That’s my challenge to you – in addition to welcoming your comments.