Why Internal Audit Fails at Many Organizations
When recent studies by KPMG and PwC indicate that about half of internal audit’s key stakeholders (board members and top executives) do not believe that internal audit is neither delivering the value it should nor addressing the risks that matter, we have to recognize that internal auditing is failing at many organizations.
With that in mind, a recent PwC publication in its Audit Committee Excellence series, Achieving Excellence: Overseeing internal audit, merits our attention.
My opinion is that while the audit committee members may be assessing internal audit performance as ‘needs improvement’, they should be looking in the mirror. Internal audit reports to them; if it is not performing to their satisfaction, they are either failing to communicate expectations clearly, not demanding the necessary improvements, not providing the critical support they need when management is pulling them in a different direction, not taking actions (such as replacing the CAE) to effect change, or all of the above.
Audit committee members need guidance and while the IIA does provide some excellent insights from time to time, the audit firms’ publications are often one of the first that are read.
The PwC publication makes some very good points but unfortunately demonstrates a limited understanding of internal audit best practices. This could be because it was written by their governance team rather than by their internal audit services leaders. PwC’s internal audit services arm has produced not only good guidance from time to time (including their State of the Internal Audit Profession series) but also some excellent thought leaders (including the IIA CEO, Richard Chambers).
Let’s look at what they did well:
“A priority for the audit committee should be empowering the internal audit organization by providing visible support.”
This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and, by showing its respect for the CAE and his team, promote respect from management.
“Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”
Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.
“Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”
The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.
“Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”
If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.
“Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.”
While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.
What did they miss?
- The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
- The audit committee should challenge any audit activity that is not designed to address a risk that matters.
- The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wishy-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
- The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
- The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
- The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
- Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.
The publication makes some technical mistakes because the authors are not internal audit practitioners. Can you spot them?
That’s my challenge to you – in addition to welcoming your comments.
As regards management of risks, I believe that in most cases the AC looks to management and/or the IA function to educate them on the risks and apprise them of the mitigatory steps taken. Also, point #5 is very valid. Most CAEs, like any other senior finance professional, will want to progress his/her career. I would venture to say that the AC should also be concerned with career CAEs because of the lack of broader financial/operational experience which enables better understanding of risks.
Another interesting article Norman. Nice read!
Dear Norman, same data/evidence as five or so years ago, I think. I wonder why there is so little progress, if any. What do you think? Why is that? I am truly interested in your perspective, as you have been in this space of corporate governance and internal auditing for decades. Kind regards, Rainer
My perspective about the lack of effectiveness of Audit Committees is that its members do not 1) have Internal Audit experience, 2) understand risks and controls, 3) have experience of previously serving on a quality Audit Committee, 4) understand Internal Audit or audit standards, 5) understand the difference between an internal and external audit function, etc. These are some of the reasons that they fail in their role.
Rainer, yes – decades. 🙂 My view, as I said above, is that the audit committees of this world are not setting the right expectations. They seem happy to take what they get. Sad.
Bv. Vu
Michael Corcoran
Norman, agreed, that is part of the subpar status quo. I think there is more to it, which includes features internal auditors can control. The Managerial Auditing Journal will soon publish a co-authored article. The article provides questions that may be interesting for you and the internal audit community. Please let me have your view on this. Kind regards, Rainer
Audit companies keep trotting out the concept that IA should focus on “key risk” but no one says what these are. Actually I don’t think Audit Committees and management want IA to focus on risks at all. That is management’s job. IA should focus rather on those controls that are vital for the organisation to achieve its objectives – and even then, they should not be the primary form of assurance. As the IIA (and Standards Australia) explain in Guide HB 150:2010, these are not the controls for the risks at the highest level but rather the controls that are assumed to keep risks with a high potential exposure (worst case consequences if controls fail) at a low current level of risk. These are the risks whose controls require ‘assurance’.
If audit companies and IAs focus on the highest risks (if this is what “key” means) then they are wasting their time.
Audit Committees and management need ‘assurance’ that important controls are effective and that the company itself is effective at managing risk. The first of these requires auditors to focus on the right controls and the second requires them to have a fundamental understanding of how organisations manage risk – every day, as part of decision making – through the operation of a full and comprehensive framework. Many of the organisations I work with are simply not getting that quality of response from IAs, particularly when that function is outsourced.
I agree with your seven (7) points. These are at the core of my service offering at my employer. I issue written assessment of the GRC on a quarterly basis. Every audit that my team performs is informed by risk, stakeholder request or legislative requirements. We continue to research better ways of doing the audits in order to meet evolving shareholder expectations.
Grant, will you please explain what you mean when you say “If audit companies and IAs focus on the highest risks (if that is what “key” means), then they are wasting their time”? I also find it difficult to understand the statement that management and the audit committee do not want the IAF to focus on risks. I don’t understand how you can focus the IAF on “key” controls if such controls are not meant to mitigate “key” risks.
Thank you Mr. Marks for sharing your comments on this article. Appreciating the facts and the recommendations addressed on this PWC’s document, I may add some of my views on this issue.
Starting from the predefined objectives of this module, I observe that a key objective is missing: the audit committee’s role in improving the IA function within the organization. Do the AC’s members have the necessary background and experience to oversee and challenge the internal audit’s value within the company? Referring to the IA standards, it should be clearly defined in the audit committee charter what the role of the Audit Committee (or the Board, if the AC is missing) is regarding the internal audit function. Having that in mind, I was surprised to read in the first section of this module that there are still discussions whether it is “a right thing to do” or “a requirement” for the audit committee to oversee the internal audit function. In my point of view, this comment is not in line with, and does not support at all, the statistics mentioned in the 4th section of this module: “About 82% of CAEs report functionally to audit committees.” I think this is the main challenge to be discussed, further to the recommendations fairly addressed in this document. The AC is in charge of approving the internal audit plan, as well as challenging this plan to better address the company’s key risks. How is this AC role performed continuously to help the IA function add value to the company? Looking back in the mirror, do they (AC members) find something to improve to achieve excellence?
I am in total agreement that the Board bears the brunt of criticism, as IA conducts itself at the direction of the Board. However, in trying to improve their “value” to the organization, IA has lost focus on its function. IA’s function is to assure the Board that all policies and procedures proposed by management and endorsed by the Board are being followed. Their value to the organization is doing that job exceptionally well and not utilizing mission creep to attempt to add to their “value”. Mission creep is present in all public and private organizations. Managing mission creep comes through the CEO, in which IA plays a large part. Not actively managing mission creep leads to uncontrollable “turf wars” which ultimately will lead to wasted organizational resources and failure.
IA is the verifier of the history of the organization. Nothing in IA’s charter says they are the adjudicators of risk management (which is a field in which they have no training or qualified personnel). The appropriate group in the organization to deal with risk management is Risk Management with the Chief Risk Executive reporting to either the Chairman of the Risk Committee or to the Board Chairman and the CEO – just as IA’s reporting through the CEO and the Board Audit Committee.
What did they miss?
1. The audit committee should ensure that all the risks that matter now and will matter in the near future are getting the appropriate level of attention from internal audit.
What are risks that matter now and will matter in the future? Surely you meant significant risks! Whatever they are, it is not internal auditing’s job to give them the appropriate level of attention – that is management’s job. If it were, one would be expecting internal auditing to be better at marketing than marketing personnel, better at accounting than accounting personnel, better at operations than operations personnel, better at human resources than human resources personnel, better at IT than IT personnel etc. For each of those units, the internal audit mandate does not change from that stated in Std 2100, and it is not risks per se.
2. The audit committee should challenge any audit activity that is not designed to address a risk that matters.
Having been apprised as required by Std 1010 of the mandatory IPPF guidance, why would the audit committee do this? Std 2100 states what is expected of internal auditing, “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.” It is management who should address risks!
3. The audit committee should take a very strong stance that internal audit reports to them and serves their needs first, not those of management. The PwC paper identifies two reporting lines but is wish-washy on the subject, only saying that “Directors and management should reach consensus on which areas should be internal audit priorities.”
Internal auditing should be left to do its job, in which case the only difference between reporting to the audit committee and management would be the level of detail and within reason format of the internal audit report (why should the format be widely different?). The internal audit priority areas are for internal auditing to determine, not for management or the audit committee, in which case one would have impairment of independence of internal auditing. I am of course assuming internal auditing is doing its job, which is all that the audit committee should ensure is happening.
4. The audit committee should challenge internal audit on how they work with the risk management activity. Where it exists, are they assessing its effectiveness? Are they working effectively with risk management? Do they leverage management’s assessment of risk appropriately?
In short, no organisational unit, including the internal audit function, should escape internal audit scrutiny, of the adequacy and effectiveness of its governance, risk management, and control processes. Besides that, internal auditing does not prescribe what the objectives of any unit should be, only that its governance, risk management, and control processes are adequate and effective. If they are, the appropriate objectives will be put in place.
5. The audit committee should be concerned about the CAE’s objectivity and independence from undue management influence. Does he have one eye on internal audit and the other eye on his next position within the company?
Undue management influence impairs independence not objectivity. Objectivity is impaired by factors internal to the CAE.
6. The audit committee should also ensure that it has an appropriate role in the hiring, performance assessment, compensation, and (where necessary) firing of the CAE.
While agreeing, I would make this statement stronger by requiring a pivotal role for the audit committee in this regard.
7. Finally, but in many ways most importantly, the audit committee should require that the CAE provide them with a formal assessment of the company’s management of risks and the effectiveness of related internal controls.
While the above statement appears benign, (it for example disregards the consulting mandate of internal auditing), the requirement would be better articulated if confined to the Std 2100 requirement, “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach.”
“In planning the engagement, internal auditors must consider … the adequacy and effectiveness of the activity’s governance, risk management and control processes compared to a relevant framework or model …” Std 2201. The aspects of the evaluation and contribution to the improvement of, of governance, risk management, and control processes, which are of concern to internal auditing in implementation of Std 2100 are adequacy and effectiveness.
Let’s look at what they did well:
1. “A priority for the audit committee should be empowering the internal audit organization by providing visible support.”
Norman – This is an excellent point and PwC describes it well. The audit committee should actively engage internal audit and by showing its respect for the CAE and his team promote respect by management.
Kaya – Respect should be founded on the performance of the CAE and the internal audit activity, who are empowered if held to their mandatory IPPF guidance responsibilities.
2. “Sometimes internal audit crafts an annual plan that leverages its group’s capabilities rather than addressing the company’s key risks. Audit committees will want to be on the lookout for this.”
Norman – Another fine point. The audit committee should take responsibility for ensuring that internal audit addresses the risks that matter to the organization.
Kaya – It is not internal auditing’s job to address risks, whether they matter or not. That would be accepting management responsibility. This is management’s job! I hope opportunities are included in the applied term “risks”. Were internal audit activities not misguided by the risk basis required by 2010 group of standards, internal audit plan development would be a non-issue.
3. “Understand whether resource constraints (e.g., restrictions on travel budgets or the ability to source technical skills) have an impact on the scope of what internal audit plans to do. If the impact of any restrictions concerns the audit committee, take steps to help internal audit get the resources it needs.”
Norman – The audit committee should ensure that internal audit has an appropriate level of resources, sufficient to provide quality insight and foresight on the risks that matter now and will matter in the near future.
Kaya – Let’s not over-complicate things. Which standard requires internal auditing to “provide quality insight and foresight on the risks that matter now and will matter in the near future”? The internal audit plan should aim to deliver on the Std 2100 requirements as efficiently and effectively as possible given available resources, also bearing in mind that less internal audit resources will be required once a self-maintaining system is in place.
4. “Audit committees should determine if they are accepting a sub-excellent level of performance and competence in a CAE (and internal audit function) that it wouldn’t be willing to accept for a CFO (or other key role).”
Norman – If the CAE is not considered as critical to the success of the audit committee, something is wrong and the audit committee should take action – even if, perhaps especially if, management holds the CAE in high regard while he delivers little of value to the audit committee.
Kaya – The main problem is those with the required authority understand what acceptable performance is, which is why Std 1010 is important for the CAE to conform to.
5. Periodically discuss whether the amount and type of information internal audit reports to the committee is appropriate.
Norman – While this is an essential activity, PwC doesn’t get the issue right. The audit committee should ensure it receives the information it needs to perform its responsibilities for governance and oversight of management. That is not a simple matter, as PwC implies, of being succinct in how the CAE presents audit findings.
Kaya – What the CAE should report on is articulated in the mandatory IPPF guidance and should be sufficient if the CAE understands his/her job well enough, I hope, to resist efforts from the audit committee requiring information from the CAE which should be obtained from management.
Bongani,
At the conclusion of an engagement “informed by risk”, your conclusion is whether or not … what? How does that relate to Std 2100? So far, no one has been able to quote the authority for the decisions they make about who identifies the risks concerned, the selection criterion for the risks (inherent/residual, significant/not classified, assessed/not assessed, control gap etc), and what about the risks they want to find out. I hope you will be brave enough to do so.
At the conclusion of an engagement “informed by stakeholder request”, your conclusion is whether or not … what? How does that relate to Std 2100? How do you make sure the request falls within the scope of internal auditing?
At the conclusion of an engagement “informed by legislative requirements”, your conclusion is whether or not … what? How does that relate to Std 2100? How do you make sure the legal requirements, besides DORA, fall within the scope of internal auditing?
On the basis of such engagements, how are you able to “issue written assessment of the GRC on a quarterly basis”? Should your assessment not be of GRC processes, as required by Std 2100 rather than just GRC?
Can we all remember that it is impossible to audit a risk. A risk is just an example, an illustration of what might happen and what it could lead to in terms of the organisation’s objectives. They are just hypothetical scenarios that we use to characterise risk (singular).
We can only apply assurance processes to tangible things – those we can directly measure, see, touch, smell, lick or fondle. This means that we can only audit controls – the things we put in place to modify risk. Of course, if we find they are actually not modifying risk then they are not, by definition, controls. These things that we think are controls but are not are just a waste of effort and resources.
I use the word modifying rather than the misleading term ‘mitigate’. Mitigate implies that:
– risk is a negative concept and that all consequences are detrimental;
– controls only act upon consequences to ‘mitigate’ them, you can alter but not mitigate likelihood.
Both of these are incorrect. Controls are the things we have in place that enable our organisation to achieve its objectives and act to ensure we are exposed to enough of the appropriate types and magnitudes of risk to ensure we are successful. Of course, unless our approach to managing risk is soundly based and effective, then we can have no confidence in what we believe are our controls.
This is why auditors should focus on:
– the effectiveness of controls;
– whether the organisation’s approach to managing risk is effective.
The risk management professional’s role is to guide and advise management and to facilitate the change process that ensures that the approach to managing risk is effective and adapts as the organisation and its environment changes. Risk management professionals should not also carry out assurance of risk management as this is a conflict of interest. The assurance of the effectiveness of the approach to risk management and the framework that supports it must rest with internal auditors – even if they do not feel qualified to do this.
The foregoing is why audit committees and the boards they represent now require assurance from auditors whether the organisation’s approach to managing risk is effective and soundly based. Those committees don’t necessarily need to know the risks the organisation faces. However, management can describe those risks as part of its case to the Board to demonstrate that it is managing risk (singular) effectively and can be trusted. The Board (and audit committee) will then look to internal audit to verify management’s assertions. They can only do this if they present information on the effectiveness of the controls they have sampled and on the soundness and effectiveness of the approach to managing risk – which led to those controls.
It seems to me that PwC’s report misses these central issues. They deal with form and not substance, which I’m afraid is typical.
Grant, IA should also assess whether the design of the controls provides reasonable assurance that the risks will be at acceptable levels.
When I say that internal audit should “address” the risks that matter, I mean that their engagements should look at whether management’s risk management and related internal controls are adequately designed and operating effectively with respect to the more significant controls.
There are several ways to identify which are the risks that matter and where internal audit should focus. I like to consider these factors and more:
– What would the impact be if the controls were to fail? Would that be a significant issue requiring the attention of the board and executive management?
– How likely is it that the controls might fail and take risk outside acceptable levels?
– What confidence do we have in management’s assessment of risk and performance of controls?
– Are there indicators that risks may be outside acceptable levels?
– How valuable to the audit committee and top management would an audit engagement be?
Norman,
There are two issues here:
– are the controls (collectively) capable of modifying risk so that its level is acceptable;
– in practice, do they in fact modify the risk so that the level is acceptable now.
I agree with the rest of what you say – with the proviso that IA should not take upon itself management’s role. It is there to verify that management is doing all the factors you list, not to do them for management or instead of management.
They are only the backstop and are there to provide another level of assurance for the board. I’m not sure what an ‘audit engagement’ is, but it is entirely conceivable that a Board might not require IA if it has sufficient confidence on management’s own assurance processes. If, for example, there was a rigorous program of control self assessment and there was credible evidence that management had great monitoring strategies for key controls and risk sources in the external and internal environment.
People take having an IA department or outsourcing IA as a given, a necessity. On the other hand, I see it as reflecting a lack of trust by the board and a not fully effective approach to managing risk. In other words, if you manage risk very well and can demonstrate that (which is part of risk management), you don’t need to prove it by using IA.
An audit engagement could be a traditional assurance audit or a consulting activity.
When internal audit is seen as the police, it is probably not creating the value it can and should. But that’s a different topic for another day.
Grant, you say:
– are the controls (collectively) capable of modifying risk so that its level is acceptable;
– in practice, do they in fact modify the risk so that the level is acceptable now.
The first is the design of the controls, the second is their operating effectiveness (in IA technobabble).
I think that the point concerning the information provided to the AC is hugely important and should be more thoroughly presented by PwC.
I agree entirely with your comment, Norman, that the AC should ensure it receives the information it needs to perform its responsibilities. I’d like to stress the word NEED. In larger organizations, the AC may sometimes receive too much information – much more than it can process. So in my view, the aim of the AC should be to receive an appropriate balance of quantity and quality of information – the right amount and quality of information they need to perform their responsibilities. Too little information may impair the AC’s view of significant issues and too much information may lead to significant issues getting buried beneath a pile of non-significant ones. The AC should carefully address the above issues and take corrective actions where necessary.
All of the comments are valid, especially when you consider the “human” aspects of every organization. Profits generally drive decisions, not risks and related exposures. More often, risk, audits, and compliance are afterthoughts that are expected to identify and fix all the problems without (nearly) costing the organization money. Therefore, politics and budgets (sometimes outside factors like regulators and the media) dictate the level of response.
Also, who in an organization really knows or understands the risks? Certainly not the audit committee. And, if management does have a good handle on the real risks, how often are they willing to “bare the emperor’s clothes?”
Sorry for being a cynic. As the saying goes, “we can lead the horse to water, but will he drink.”
Good article, and I agree with most of the points.
I really wish this article got right to the meat of the issue and did not take an indirect route to the problems. I really believe both internal and external audits have major issues. I have seen where major audit powerhouses come on site to audit and work so closely with the customer on what they should audit that the audit becomes a good old boy relationship and does not add any zero-defect planning and compliance rigor.
Your blog on internal audit is very informative and I know many things about audit services after reading this. I have gained knowledge on Audit Methodology and Data Analytics. Thanks
Hi Marks,
Great article. Especially on the bit about the background of the PWC authors influencing / limiting their contribution.
Another angle to it could be the composition of BARC (say having low or undefined expectations). Another point to consider could be shifting organisation strategic goals.
What’s your take?
Regards
Hiram Mbatia
Very good suggestions Norman but you take it for granted that the members of the audit committee understand risk and risk management processes and they do not have conflicts of interests.
From my experience, all the Chairmen of the audit committees I served either did not have the knowledge to challenge me or they had close relations with the CEOs.
Why do you think we had so many failings in banks?
A very nice write up, I just wrote a blog on independence of the internal audit questions and raise some questions on these issues there also (http://riskcontroll.blogspot.in/2015/01/who-really-wants-independent-internal.html). I think some of the solutions here could be used to address internal audit independence and that would improve the effectiveness of the audit function. I guess the real reason no one wants a fully independent IA function is because they don’t know how to keep a check on it.
You state: “stakeholders do not believe that internal audit is neither…” so they DO believe it then?
OK, you got me
Is the phrase ‘mission oriented audits’ useful when describing the type of audit required?
That’s an interesting idea. If that means assessing whether there are controls to address both upside and downside risks and opportunities so that there is a reasonable assurance of achieving the mission, then I think that should be good.
I am new to this blog and find it very informative. These comments are interesting and thought-provoking. I am hoping to incorporate some of these ideas into my profession and how I can improve on our Internal Audit function as well. Thank you.