I have recently been speaking again with members of the press seeking my perspectives on internal audit, risk management and governance in the post-COVID era. While I am not the spokesman for the profession any longer, I am always happy to share my views. It is not uncommon for the interviewer to note that internal audit has taken some criticism for missing red flags or even fraudulent activity in a fresh corporate scandal. I have responded to those questions so many times over the years that they rarely come as a surprise.
Over the past decade, there has been no shortage of corporate scandals born from ineffective corporate governance, poor risk management, and toxic cultures. In many cases, I inevitably heard the question, “Where was internal audit?” There is never a simple answer to that question. As with all things as complex as modern business, there is rarely an easy explanation when things go horribly awry.
In each instance, media reports, regulatory filings, or company statements — even the occasional congressional or parliamentary hearing — have given us a glimpse into a piece of what may have led the organization astray. But to suggest a failure by internal audit is a conclusion that should be drawn only when all the facts are known. As American college football commentator Lee Corso is fond of saying, “Not so fast my friend.”
In most instances, there are simply too many unknowns about the actions of the organization’s internal audit function or its responsibilities for the public to reach an informed conclusion about what it should have done, or failed to do, or was kept from doing.
Here are three things that can be safely assumed about high-profile organizations that suffer high-profile scandals or failures:
In a blog several years ago, I made the case that while internal audit is capable of auditing many things, it can’t audit everything. That blog was particularly prescient considering the number of high-profile governance failures since then:
Each time a major control breakdown makes headlines, someone inevitably asks, “Where were the internal auditors?” Often, the internal auditors were engaged and, in fact, did raise red flags in advance of the crisis. But the warnings were not addressed satisfactorily. Given the size and complexity of many organizations today, it would require an incredibly large internal audit function to address all of the risks. Sometimes, there simply aren’t enough internal audit resources to cover all significant risks and, yes, there also are times when internal audit overlooks a key risk that proves catastrophic.
At best, the internal audit function can only be as effective as the resources, training, and talent that are available. Internal auditors are not infallible, and given the realities of budgets and cost justifications, we also cannot be omnipresent.
There are still other factors that influence the audit plan beyond the risk universe and the limited resources, training, and talent available to address it. One such factor is when the audit plan fixates on where regulators are focused. In most instances, regulations are born from scandal, which inevitably leads to the criticism that regulators are forever fighting the last war. This seems to be particularly true in financial services, where regulators often pressure internal audit to focus extensive resources on credit risks while commercial practices and operations receive less scrutiny.
CAEs should be keenly aware of this factor and fight hard for a risk-centric internal audit plan. When resources are not adequate to address key risks, the CAE should not remain silent. Make sure the audit committee understands not only what will be audited, but what will not be audited, as well. Audit committee members often articulate the view that internal audit’s role is to help prevent surprises. Yet too often the ultimate surprise is that a high risk wasn’t even on internal audit’s radar.
I would be the first to acknowledge that in some instances the internal auditors have been asleep at the wheel when well-known companies careened over a cliff. However, it is best to know the full circumstances before concluding just how much culpability belongs at the internal auditors’ feet.
As always, I welcome your comments.