For many years, I taught accounting courses during the evenings at a local university. I would often tell my students, “The only stupid question is the one that is never asked — unless the question is, ‘Would you postpone the next exam?’”
My years as a college instructor coincided with the early years of my internal audit career (which was essentially my day job at the time). Over time, I came to appreciate that in internal auditing, as elsewhere in life, there really are very few stupid questions.
The most successful internal auditors are not necessarily the smartest or the most experienced auditors; they are often the most inquisitive.…
Ensuring strong and effective oversight of internal audit departments has always been challenging. After all, organizational independence is critical for internal audit functions, so simply reporting to senior management may not support the strongest governance. In fact, the vast majority of internal audit functions achieve a higher degree of organizational independence, at least in part, by reporting functionally to an audit committee. This relationship is usually ideal for enhancing independence, but reporting functionally to an audit committee that meets only a few days each year can create challenges not faced by other departments within the organization.
Can audit committees really be expected to maintain effective oversight over internal audit?…
Back in 2009, I blogged on the fact that many audit committees expected internal audit to help them avoid surprises. I concluded that whether it was fair or not, it was an expectation we needed to recognize. Since then, risks have become more dynamic and unpredictable. Given the environment in which new risks emerge from seemingly nowhere, it shouldn’t surprise us that “no surprises” is still an expectation.
Internal auditors have become increasingly effective in assessing traditional risks; however, the ability to identify and assess emerging risks presents new challenges and requires even greater proficiency. Emerging risks are the newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models.…