Home > Risk > Internal audit needs to perform in a way that matters to the board and top management

Internal audit needs to perform in a way that matters to the board and top management

November 24, 2018 Leave a comment Go to comments

This last year, I have been talking to conferences around the world (most recently in Singapore, but also in the US, Brazil, the Czech Republic, and Sweden) about Auditing that Matters. It is based on my book of the same name (which covers much more than I can address in an hour or longer presentation).

I don’t expect to be able to persuade everybody to change from traditional practices, but hope they will at least ask themselves:

  • “Why am I doing what I am doing?”
  • “Am I doing the work that I should, providing the assurance, advice, and insight my customers on the board and in top management need to be successful?”
  • “Do my work and the assurance, advice, and insight I share really MATTER to the board and top management? Is it helping them succeed?”
  • “Is there anything I can STOP doing to free up more time on issues that really matter to my customers?”

Have you asked yourselves those questions?

  • Are you continuing practices just because that is what you have always done?
  • Are you doing things just because policies and IIA standards require you to do them? Or because you think the audit committee or regulators expect you to do them?

If so, is that acceptable? Are those answers you would accept from an ‘auditee’ – someone who is doing things because that is how they have always been done?

Let me ask you another question: What are the (harmful) risks (things that might happen) that might prevent your organization and its leaders from successfully achieving its objectives in 2018 and 2019?

Now: Does your audit plan include projects designed to address how well management will be able to ensure those risks are managed at acceptable levels?

Or, are you continuing to perform audits where, should control s fail, they would never rise to the level that they need to be discussed by the full board (because of the threat to corporate strategies) and require the attention of the CEO?

If you are doing work because you think the audit committee and regulators want you to do it, even though (should controls fail) it probably doesn’t really matter to the overall success of the organization? Have you talked to each pf these groups about what you could be doing and how that would add more value to them?

If the single most common root cause of control failure and of risks going beyond acceptable levels is people, are you addressing?

  • Whether there are sufficient, competent, personnel to optimize performance?
  • People know how to and actually do manage others effectively?
  • Individuals are trained and enabled to perform at their peak?
  • Leadership is respected and trusted?

Internal audit can help leaders with assurance that their people, systems, and processes are able to deliver the desired results – and advice and insight on how to improve them further.

But do we?

Do we take the time to sit down with our customers and have a two-way discussion about the business, our perspectives, and what we see – both through our audits and our ongoing observations of the business and its operations – even though it’s ‘only’ our professional opinion and we don’t have factual ‘evidence’ to support those opinions?

Or do we limit our communications to the audit report?

If so, you are only giving them a tiny bit of the insight and advice they need from you.


So, does your internal audit department really matter?

Would the success of the organization be in peril if internal audit disappeared? Perhaps some small frauds might not be detected and errors might be introduced that could have been prevented? But, would the consolidated P&L be materially changed?


I welcome your comments.

  1. Jay R Taylor
    November 25, 2018 at 5:33 AM

    Norman, this article is full of very practical insights and questions. I suggest all CAEs take their leadership teams offsite for a brief strategy session specifically to discuss your questions! Another one to ask, after the individual project scope and staffing plan is presented, is to ask whether the cost of doinng the audit will be justified in the CAEs mind based on the potential assurance around key risks likely to be obtained.

  2. Douglas Anderson
    November 25, 2018 at 9:53 AM

    Norman is right on point (as usual). Two additional thoughts:

    1 – Norman states “If you are doing work because you think the audit committee and regulators want you to do it …Have you talked to each of these groups about what you could be doing and how that would add more value to them?” Realize, this can be a hard conversation since you are effectively telling your “boss” they are interested in the wrong things. However, no matter how hard this is and how long it takes, it is worth the effort.

    2 – People are the critical element. In addition to the four items Norman lists, I would add are employees (from the top to the bottom) acting consistent with the culture and ethic of the organization (which hopefully are ethical in and of themselves). Look at the recent impact on Nissan/Renault/Mitsubishi where the actions of a few are inconsistent with the stated ethics and are seriously impacting their organizations.

  3. tom wong
    November 25, 2018 at 11:34 AM

    I agree with Douglas, Norman is on point again about auditors should be doing more audits that support an organization’s ability to succeed and that matter to boards. I would like to add that from a government operational perspective, auditors and their reports could be more relevant to board and organizational success if they focused more on operational efficiency and effectiveness, and state explicitly how the audit objectives support organizational goals.

  1. November 27, 2018 at 11:06 PM

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: