First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

Internal audit needs to perform in a way that matters to the board and top management

Internal audit can help leaders with assurance that their people, systems, and processes are able to deliver the desired results – and advice and insight on how to improve them further.

internal audit

This last year, I have been talking to conferences around the world (most recently in Singapore, but also in the US, Brazil, the Czech Republic, and Sweden) about Auditing that Matters. It is based on my book of the same name (which covers much more than I can address in an hour or longer presentation).

I don’t expect to be able to persuade everybody to change from traditional practices, but hope they will at least ask themselves:

  • “Why am I doing what I am doing?”
  • “Am I doing the work that I should, providing the assurance, advice, and insight my customers on the board and in top management need to be successful?”
  • “Do my work and the assurance, advice, and insight I share really MATTER to the board and top management? Is it helping them succeed?”
  • “Is there anything I can STOP doing to free up more time on issues that really matter to my customers?”

Have you asked yourselves those questions?

  • Are you continuing practices just because that is what you have always done?
  • Are you doing things just because policies and IIA standards require you to do them? Or because you think the audit committee or regulators expect you to do them?

If so, is that acceptable? Are those answers you would accept from an ‘auditee’ – someone who is doing things because that is how they have always been done?

Let me ask you another question: What are the (harmful) risks (things that might happen) that might prevent your organization and its leaders from successfully achieving its objectives in 2018 and 2019?

Now: Does your audit plan include projects designed to address how well management will be able to ensure those risks are managed at acceptable levels?

Or, are you continuing to perform audits where, should controls fail, they would never rise to the level that they need to be discussed by the full board (because of the threat to corporate strategies) and require the attention of the CEO?

If you are doing work because you think the audit committee and regulators want you to do it, even though (should controls fail) it probably doesn’t really matter to the overall success of the organization? Have you talked to each pf these groups about what you could be doing and how that would add more value to them?

If the single most common root cause of control failure and of risks going beyond acceptable levels is people, are you addressing?

  • Whether there are sufficient, competent, personnel to optimize performance?
  • People know how to and actually do manage others effectively?
  • Individuals are trained and enabled to perform at their peak?
  • Leadership is respected and trusted?

Internal audit can help leaders with assurance that their people, systems, and processes are able to deliver the desired results – and advice and insight on how to improve them further.

But do we?

Do we take the time to sit down with our customers and have a two-way discussion about the business, our perspectives, and what we see – both through our audits and our ongoing observations of the business and its operations – even though it’s ‘only’ our professional opinion and we don’t have factual ‘evidence’ to support those opinions?

Or do we limit our communications to the audit report?

If so, you are only giving them a tiny bit of the insight and advice they need from you.

So, does your internal audit department really matter?

Would the success of the organization be in peril if internal audit disappeared? Perhaps some small frauds might not be detected and errors might be introduced that could have been prevented? But, would the consolidated P&L be materially changed?

I welcome your comments.

Follow me

Norman D. Marks, CPA, CRMA

Norman D. Marks is an Author, Evangelist and Mentor for Better Run Business, as well as an OCEG Fellow and Honorary Fellow of the Institute of Risk Management. Mr. Marks has been a practitioner and thought leader in internal audit, risk management, and governance for a long time. He has led large and small internal audit departments, been a Chief Risk Officer and Chief Compliance Officer, and managed IT Security and governance functions. Read more
Follow me

Latest posts by Norman D. Marks, CPA, CRMA (see all)

, , ,

Comments are currently closed.