2014

As internal auditors, we are often tempted to stress in our reports the conditions we observe. After all, conditions that result from risk management or control failures can often be described in compelling terms. A failure of a new IT system, a key compliance requirement, or a critical financial control are sure to rivet the attention of management and the board. Internal audit reports also frequently include in-depth discussions of the effects associated with the conditions. After all, the only thing more sensational than describing something that is broken is regaling the reader with all of the consequences of the breakage. …

When there’s a serious breakdown in controls, sooner or later someone will pose the inevitable question of “where were the internal auditors?” It’s not just a blame game. After any audit failure, the CAE must re-evaluate and learn from possible mistakes to prevent similar gaps in the future.

In the past, whenever a calamity occurred in an organization, reviewing the CAE’s role was often cut and dried. Perhaps the internal audit function had insufficient independence and authority to address the risk that eventually blew up. Or its risk assessments didn’t cover all parts of the organization. Maybe internal auditors hadn’t immediately identified and reported on an issue, or they failed to follow up in a timely manner to ensure management had taken action.…

As internal auditors, we understand the importance of a strong tone at the top. It defines an organization’s culture and often the organization itself. A strong and positive tone sets a clear direction – operationally, ethically, and morally – and enables us to do our jobs and serve our stakeholders effectively.

But for some organizations, management and/or the board may seem profoundly tone-deaf and unable to articulate a clear path or purpose. Or worse, the tone they do set is less than desired and perhaps even counter-productive. The impact may go unnoticed, or it may become quite visible: goals and objectives are missed, morale and productivity falter, revenue and profitability plummet.…

When customers are unhappy, most organizations will scramble to fix the situation. As the old adage goes, the squeaky wheel gets the grease, even when a complaint might seem groundless.

So, does this translate to our profession? Are internal audit clients always right, too? And how far should we go to accommodate a client’s point of view, especially when we are convinced they really might be wrong?

Internal auditors serve many stakeholders. We can’t simply back off recommendations to one when we know other stakeholders are depending on our assurance. There are no money-back guarantees in internal auditing, because customer satisfaction cannot always be assured, but our goal is to come to consensus.…

When federal whistleblowers rules were enacted, it was understood that even internal auditors could be eligible under certain conditions. But the first payout ever – $300,000 in this case – to a whistleblower who performs an audit or compliance function at a company still leaves me with mixed emotions.

On one hand, the Securities and Exchange Commission has a completely valid need to ensure that appropriate action is taken whenever fraud or corruption is exposed in a publicly traded company. That goes to the core of the whistleblower program. And, according to the SEC, the individual in this precedent-making case followed all the rules, including giving the company at least 120 days to adequately address the problem before reporting it to outside authorities.…

I was fortunate during my tenure as inspector general of the Tennessee Valley Authority and deputy inspector general of the U.S. Postal Service to have boards that understood the important role IGs must play and the statutory independence envisioned by the U.S. Inspector General Act, which created the current IG model in the United States. The boards conveyed a z​ero-tolerance policy to management within the agencies in terms of interference with our work.​

However, I encountered many instances during more than 25 years as an auditor in the U.S. government, where officials tried to block access to records, provided misleading information, or delayed the release of audit reports containing bad news.…

Ask almost any CAE if he or​ she has the full support of the audit committee, and the answer will usually be “yes.” But, in reality, that may not always be the case.

Audit committees typically have our back on the relatively easy stuff — for example, when we explain the need for more resources, or when we propose a change to the internal audit charter or schedule. But support may soften when a really difficult conversation needs to take place.

If I could ask a single question of every audit committee chair, it would be, “Do you think your organization’s chief audit executive would feel comfortable bringing an issue involving CEO compliance or ethics to your attention?”…

When you compare internal audit functions, you can expect to find quite a few differences. High-performing departments stand apart in their mindset and how they approach their work. They grasp the importance of delivering value, and they are seen by stakeholders as an indispensable resource. They deploy a knowledge-management platform, use automated tools, and train their employees differently. But there’s one trait that distinguishes the best internal audit functions from the pack: A commitment to comprehensive strategic planning.

It’s not that internal audit departments don’t plan out their activities. These days, almost everyone creates a risk-based plan at least annually, and they update it throughout the year based on new information.…

Sooner or later, every internal auditor will ask why something is being done a certain way, only to be met with a look of surprise and an answer that goes something like, “Um, because we have always done it that way.” But it’s in the internal auditor’s DNA to bring a fresh perspective — a fresh set of eyes — to the table and point out what others might miss.

That’s why The IIA has been taking a fresh look at our own International Professional Practices Framework (IPPF), the blueprint for the standards and guidance promulgated by The IIA.

I was fortunate to have chaired the International Internal Auditing Standards Board and know personally from that experience that thousands of hours of hard work went into creating the IPPF, and that some of the most talented internal auditors on the planet were involved.…

“Thank you for meeting with us today. As you know, we have already found quite a few things wrong in your department.”

One of the first client meetings I ever attended was also one of the least successful. The meeting was a failure from the very beginning. The internal auditor’s opening statement about finding “things wrong” put our client immediately on the defensive. As a result, the client pushed back, the auditor stood his ground, and the conversation degenerated into little more than an argument.

“But this is wrong. You need to fix it,” the internal auditor complained. “You just don’t understand my department,” the client shot back.…