The State of Internal Audit Capabilities in 2015
Overall, I am pleased to see the progress the internal audit practice has made over the last few years. While there are still serious problems regarding independence and resources in some parts of the world (where internal audit is established only to “check the box”, not with any intent to be a serious activity), more and more organizations are moving to what I call “enterprise risk-based” auditing; perhaps half are providing assurance through formal audits and assessments of the management of risk; and, for many, focusing on identifying problems before rather than after they occur has become a recurring mantra.
Yet, the picture is not entirely rosy.
This year, I have been privileged to work with the National Association of Corporate Directors. I was a panelist at three separate events where they discussed cyber risk.
In one group session, a director said that the board could not ask internal audit to assess and help with cyber risk because they lacked that capability. The others voiced their agreement, one and all.
This is a huge problem!
Internal audit may not always have the talent on staff to address every risk or concern, but if the board would only give it the resources, internal audit can either hire that staff or outsource the task.
As a chief audit executive, I have hired specialists to address specific risks in IT (including highly technical personnel), environmental compliance, engineering, fraud investigations, and more. Where possible, I have provided staff (including myself) training in specialized areas, such as derivatives trading, Six Sigma, and Lean Manufacturing.
I also used outside resources from consulting and personnel agencies:
- A derivatives trading and management specialist
- A “white hat” penetration testing team
- A former global procurement executive
- An expert in sales contracting and management
- A corporate tax specialist
- and more
Some talk about internal audit being the “consultant of choice”. I wouldn’t go that far. Where I would go is that internal audit should have the capability, whether through its own personnel, co-sourcing, or other contract staffing, to address and provide assurance on the key risks facing the enterprise.
Internal audit should:
- Inform the audit committee when it has insufficient resources to address a specialized area of risk, and endeavor to persuade them to provide such additional resources (headcount or dollars) to address the need
- Inform the audit committee that it has the capability to obtain the necessary resources to address specialized areas such as cyber security, ethics compliance, corporate culture, corporate governance and more. This means that the CAE needs to build a network that he/she can tap to locate and hire the necessary expertise
- Challenge management and even the audit committee when either goes outside to obtain assurance on an area of risk
I welcome your comments.