
Why is internal audit not seen positively?

December 6, 2018

One of the findings in a new report by Deloitte, their 2018 Global Chief Audit Executive research survey, is that only 33% of CAEs believe their function is seen positively.

This is awful, especially when you consider that this is the assessment by CAEs. I would assume management and maybe the board would not rate IA as highly as those responsible for the function.

The survey also found that while there has been an increase in the percentage of CAEs who believe they and their team have strong organizational impact, the new level (up from 16%) is still only 40%.

Again, this is the perception by CAEs.

Note that even some who believe they have strong influence do not think they are perceived positively.

Deloitte sees the solution to the problem as the use of new technologies.

I think that’s nonsense.

This is what I believe is behind the problem:

  1. Internal audit more often than not fails to address the more significant risks to the business as a whole.

Internal auditors and the work they do don’t matter (except to check the box). They are not contributing to the effective management of the risks that could cause the organization to fail to meet its key objectives, such as those relating to market share, revenue growth, margin improvement, and so on.

They are not auditing the risks and issues that are on the agenda of the executive committee and the full board.

They are not looking at what is being managed by the top of the house. Instead, they are auditing risks to processes and such. Risk-based, yes; but not enterprise risk-based.

Most of their findings, in the words of a former CEO and current chair of audit committees, are “mundane operational matters”.

CAEs should consider moving to an enterprise risk-based audit approach, as discussed in the UK Chartered Institute of Internal Auditors’ 2014 guidance and (in a more detailed fashion) in Auditing that Matters (2016).

One way to ask if any planned audit is mundane or potentially consequential is to ask “who would be concerned if the audit found that the management of the risks addressed and related controls were inadequate?” If findings would never merit the attention of the CEO or the full board, why is the audit on the audit schedule (excepting projects required by regulators)?

Stop asking what the risks to a business unit, department, location, or process are.

Start asking what could cause the organization to succeed or fail?

Stop auditing what used to be a risk and start auditing what will be a risk that needs to be managed this and the next period.

Now what can we do to help?

  2. Internal audit limits its work product to standard, formal audit reports. It does not provide the timely advice and insight it could, limiting itself to assurance reports after the fact.

In too many cases, IA does not work with management to agree on the risk when it finds issues and what needs to be done for the business as a whole – which could mean agreeing that taking the risk is appropriate. Instead, IA writes a report and flings it over the wall for management to respond.

In too many cases, IA delays communication of its assurance, advice, and insight for weeks or months.

If the results of the audit are consequential, management needs to know yesterday!

Communicate what leaders need to know, when they need to know it, in a way that is easy for them to absorb and act on.

According to Deloitte, about a third of CAEs take more than a month to issue an audit report. I’m not sure what value is created, although I am sure the cost is high.

There really aren’t more than these two points.

Of course, it takes the right CAE and team to audit and then communicate what matters.

Much more in the book.

BTW, if you are auditing the wrong stuff and communicating late and poorly, it really doesn’t help to have used advanced analytics or RPA.

What do you think?

I think it is time for the IIA to establish a task force to discuss how to turn this all around.

  1. Michael
    December 6, 2018 at 4:31 PM

    Nobody does anything because they care little or do not know or care.

    • Norman Marks
      December 6, 2018 at 4:42 PM

      That is sad and depressing

    • Bill S
      December 7, 2018 at 7:44 AM

      Who doesn’t care? The business or IA? Either way, that’s a real problem for the organization.

  2. December 6, 2018 at 5:44 PM

    An excellent post Norman, many thanks! I think your two points here sum up the whole organisational value of the internal audit function. There’s not much more to be said! All the best, Dale

    • Norman Marks
      December 6, 2018 at 5:52 PM

      Thanks!

  3. Anonymous
    December 6, 2018 at 9:03 PM

    Is there a branding issue? After all, the word “Audit” also goes with tax auditors (not always a positive experience), and other audit functions that may not be risk based… so you need to work extra hard to overcome that perception right out of the gate.

  4. Albert Mushininga
    December 6, 2018 at 11:13 PM

    Thanks Norman for the on point advice. Auditing what matters is the Key

  5. December 7, 2018 at 1:26 AM

    I believe the “solution” is for auditors and audit functions to reinvent themselves. As long as they focus on, and are perceived to focus on compliance – they are not seen as helpful to business management. Whereas they may find issues to address, and be able to invoke action being taken (i.e. having an impact), this is still not seen as supporting the business.

    It is not about audit – it is ALL about the business. Change the focus and look at:
    – How do I/we support business performance.
    – Can I suggest process improvements that save time/money/resources and still deliver improved process quality/safety.
    – Can I pinpoint (overlooked/emerging) risks and/or opportunities the company could act upon – and which actions can I (in collaboration with relevant specialists) recommend.

    And discuss with executives … what would it take for me to add value to you – and then of course pursue these options.

    • Anti-RBIA
      March 1, 2023 at 2:59 AM

      Does one well conducted compliance audit add ten times more value than the pseudo-intellectual ‘risk’ babble and consultant-speak of a myriad of so called ‘risk based’ internal audits? Maybe the low respect figure is because IA sections carry out so called risk based audits and it is this that adds no value? No one ever asks if RBIA itself is a failure and a deluded methodology. Is RBIA the ultimate audit emperor’s new clothes? Are its advocates the Ptolemaic astronomers of the business age and just acknowledging it’s the methodology itself that is wrong?

      • Norman Marks
        March 1, 2023 at 6:01 AM

        No

  6. Michael Corcoran
    December 7, 2018 at 3:42 AM

    After 20 years of effort, Deloitte has failed at moving the needle via their outsourcing, cosourcing and advisory efforts. Maybe they also need to ask Why!

  7. John Hewitt
    December 7, 2018 at 6:33 AM

    This resonates with me strongly. Well written!

  8. December 7, 2018 at 6:40 AM

    The best solution my friends internal auditors found was to use all audit findings in risk modeling that risk team, me, was doing for any significant decision. This meant that internal audit contribution felt in every single important business decision

  9. Daisy DHeuvaert
    December 10, 2018 at 1:54 AM

    Internal audit is not seen as positive if indeed the work isn’t relevant for the board or doesn’t meet the standards required to level up to management standards. However in my opinion, an even more important reason is the organisation being not mature enough to handle this kind of internal reflection. If this is the case, you’d better change jobs or organisation.

  10. Anonymous
    December 24, 2018 at 2:18 PM

    Norman, thanks for the good insights.

    How is it when the internal audit scope is limited and board or those charged with governance do not want the CAE to handle all this, but still keep on expecting to meet their expectations.
    The audit charter clearly states the responsibilities of the management and scope of internal audit works, however, an open minded board will always consider CAE to be a partner in risk and does keep open line of communication to discuss about stated areas, but not limited, like market share, revenue growth, margin etc. If above limits audit scope, definitely, things are not going to work.
