There are a multitude of pressures on modern internal audit departments. Expectations are high, resources are limited, and risks are emerging at unprecedented speed. Many chief audit executives have their internal audit teams poised to address these challenges. Yet sadly, poor or misguided choices by chief audit executives (CAEs) can lead to internal audit falling short.
Occasionally, well-meaning CAEs and their internal audit departments fail to adequately protect their organizations. Sometimes it’s unavoidable. Even the most diligent internal audit team can potentially overlook a critical issue or fail to recognize its significance. But too often when we fail to protect our organizations, it’s not an oversight; it’s the result of a deliberate decision.
We need to be keenly aware of the consequences our decisions can have on our organizations, so here are five examples of how the wrong choices by internal audit can occur. Each of these situations occurs more often than it should, and each results from a decision by the internal auditors that must have seemed justifiable at the time. But each of these situations also can have disastrous consequences, and if you think about them from the audit committee’s point of view, the decisions might not seem so justifiable after all.
There are times when management asks internal audit not to look at an area specifically because they know there are problems in that area. There are also instances when internal audit does not have the expertise to address a critical risk. But in risk-based internal auditing, we can’t afford to ignore an area or process simply because of interference or lack of expertise. The board may not be aware of the full extent of the problem, and there may be undiscovered issues in the problem area. Auditing a sensitive high-risk area requires fortitude and courage, but it’s better than ignoring a problem and then being asked, “Where was internal audit?”
When things go spectacularly wrong in organizations, the problems often stem from a toxic organizational culture. Some internal auditors would prefer to stick with audit issues that are more easily quantifiable, but risks related to organizational culture should never be ignored. An unhealthy organizational culture can enable a relatively minor issue to grow unchecked into a major disaster. The directors at Enron and WorldCom faced significant liability stemming from their firms’ misdeeds, so when internal audit ignores organizational culture and things go awry, don’t be surprised if the board asks where you were.
Every time we report issues and observations, we are helping management and the board to become aware of problems. But internal audit’s job does not end there. When we make the board aware of problems, we must be very sure that the issues are addressed satisfactorily or that management and the board have accepted the risk of not taking action. It’s never good when someone says, “The board knew about the problem, but they didn’t do anything about it.”
Sometimes it’s not what you say; it’s how you say it. Fair and balanced audit reports must state issues clearly, without concealing or distorting the facts. Occasionally an internal audit client may ask you to tone down or bury a finding to make a problem look less severe than it is. But if internal audit reports don’t fairly portray the extent and severity of reportable issues, the odds go up that corrective action will be inadequate. Indeed, it is not an overstatement to say internal audit is contributing to the problem when it fails to accurately report the extent of the problem. Don’t be surprised if your board asks, “Why didn’t you tell us how bad the situation was?”
The board has a duty of care that includes active oversight of the internal audit function. For example, audit committee reports to the board for companies listed on the New York Stock Exchange must include issues involving internal audit performance. If your audit committee isn’t receiving periodic reports about internal audit plans, budgets, staffing requirements, training needs, and quality, don’t be surprised if one day the committee asks you, “Why didn’t you give us the information we needed to be able to do our jobs?”
Any of these failures can lead to a significant negative impact. Fortunately, we can avoid most internal audit “fails” simply by complying with professional standards. The International Standards for the Professional Practice of Internal Auditing are designed to protect us from mistakes such as the ones described above by ensuring that the internal audit function is adequately resourced, is professionally staffed, and operates at the highest level of quality and integrity. But the Standards can only protect us and our organizations if we use them.
As always, I look forward to your comments.