2011

I often hear chief audit executives (CAEs) of small audit shops lament about the challenges of working with limited resources. In a way, I can sympathize. For most of my career, I worked in or le​d small audit shops. In fact, the first three years that I served as a CAE, I only had three or four full-time internal auditors on my staff. As my career progressed, however, I eventually found myself leading mammoth audit staffs of several hundred auditors. While it was nice to have all those resources to dedicate to the complex high-risk areas of the organization, I never felt quite as proud of our ability to generate “big-impact” audit results as I did with those smaller shops.…

Whether it’s in internal auditing or in life in general, we all aspire to make a difference. We want that feeling of accomplishment that comes with knowing we have changed the world, if even in a sm​all way. But internal auditing is especially rewarding when we can make a big impact — when we bring about major changes that improve operations and cause senior management and the board to sit up and take notice.

So what’s a big impact in internal auditing? Obviously, “big impact” often equates to “big dollars.” Any auditor would be proud of a report showing that a contractor had overcharged his or her organization by tens of millions of dollars — or, better yet, that a full $300 million could be saved merely by delaying a proposed expansion initiative.…

There is no doubt that when it comes to risk, the internal audit profession is maturing. A few years ago, annual risk assessments were considered a leading practice but were not even required under our professional standards. Today, documented risk assessments are mandated at least annually. Many audit executives see a need for more frequent assessments, and a growing number of executives are shifting toward a continuous risk assessment model. We are spending more and more time and resources assessing risk — but unless there is a shared vision on risk appetite within the enterprise, the full benefit of any risk assessment is unlikely to be realized.…

I enjoy working with new auditors, in part because they so often see the world in terms of clear black-and-white issues. “Should we do an audit?” “Should we issue a finding?” “Am I maintaining a healthy degree of professional skepticism?” For many new auditors, each yes-or-no question points unerringly to a single correct answer. 

With experience, our horizons expand and we start to see additional repercussions for our actions. The issue is not merely whether we should perform an audit, but whether budget is available, how extensive an audit is justified, and how soon the audit is needed. The issue is not merely whether or not to report a finding, but how significant the finding is and how strongly to word the description. …

The global financial crisis has played out over the past two years like a “slow motion” train wreck. Following the spectacular implosions of iconic financial services organizations in 2008, dominoes have continued to fall in predictable order. As the world slid deeper into financial crisis, the plight of the world’s governments was frightening. Tax and other revenues plummeted while the demands for social and related services rose. The results have been spiraling deficits and crushing levels of debt.

As elected officials and managers of government agencies around the world struggle to identify solutions, they should not overlook one valuable resource that almost all of them have at their disposal — the legions of professional government auditors.…

Mary Poppins had it right: Impossible things are happening every day. Or at the least, extremely improbable things are happening all around us. In these uncertain times, the unexpected has become the status quo, and we go through our days knowing that the next super-catastrophe might be just around the corner. We’re not just dealing with fires and floods — we’re at risk from terrorism, pandemic disease, mega-earthquakes, tsunamis, super-sized volcanic eruptions, or perhaps the decade’s largest industrial accident, just to name a few.

It’s easy to ignore the threat of a million-to-one event such as a terrorist attack, but with an uncounted number of potential catastrophes in the making every day, the only certainty is that, sooner or later, another catastrophe will strike.…

​​The iconic Larry Sawyer once observed that “few sources of friction within the audit department exceed that caused by the process of report writing.” Sawyer went on to correctly observe, “The most brilliant of analyses and the most productive of audit findings seem to be forgotten during the trauma of report writing.” In my view, these are some of the wisest comments Sa​wyer (or any other practitioner or academic) ever uttered about internal auditing.

After almost 36 years as an internal auditor, I am not sure that as a profession we are any more proficient in publishing timely and well-written audit reports than we were the day I first “donned my internal audit spurs.”…

Over the past two years, I have heard executives complaining ​with increasing frequency that “internal auditors just don’t understand the business.” My sense is that some of these complaints are legitimate while others originate from business unit managers who simply don’t want internal auditors probing around in their areas of operation.

As I have observed before, many internal auditors were brought into their organizations in recent years to help with enhanced internal audit coverage of financial controls. Many who made up this new generation of internal auditors had little background in their company or its industry. They were proficient in Sarbanes-Oxley related audit support, but had little — if any —​ experience in auditing operational risks.…

In my last blog entry, I explored the concept of internal auditing’s stakeholders and who I thought they were. I identified the primary stakeholders of a typical corporate internal audit function as:​

• The audit committee and the board.
• The CEO (or head of the enterprise).
• The chief financial officer or individual to whom the chief audit executive (CAE) reports administratively.
• Potentially, the other chief officers of the enterprise.

Whether the list is the right one or not is subject to debate, and will clearly vary by organization. What is not subject to debate is the need to identify your own stakeholders and to appropriately align with their expectations.…