Exposing Internal Audit’s Work: Too Much of a Good Thing?

The CPA Journal recently published a provocative article, “The Benefits of Internal Audit Disclosures,” which examined research into what investors know about internal audit functions, how they might view disclosure of internal audit work, and how such disclosures might improve corporate governance transparency.

The initial research by Deborah S. Archambeault, F. Todd DeZoort, and Travis P. Holt presents a positive picture of the value of such disclosures. Indeed, according to the article, the researchers identified three benefits of public exposure of internal audit’s workings based on a review of internal audit research and a series of interviews with financial analysts, audit committee members, internal auditors, and policymakers. The benefits:

• Increased investor understanding of the function of internal audit and its governance role.
• The potential for increased internal auditor diligence stemming from greater transparency.
• Increased company investment in internal audit. 

To its credit, the research team also concluded the potential costs of such disclosures:

• The potential for increased legal exposure.
• Concerns related to whether investors would understand how to use the information.
• Additional reporting costs.

Finally, the research team proposed a model for an internal audit report that would make public the composition, responsibilities, reporting structure, activities, and resource allocations related to internal audit. That model mirrors closely The IIA’s efforts to persuade federal legislators and regulators in the United States to broaden reporting requirements about internal audit functions for publicly traded companies.

The article examined additional research by DeZoort, Holt, and others into investor perceptions based on their knowledge of reporting relationships, internal and external auditor assurance, and internal auditor risk judgments. Each additional research effort probed different aspects of internal audit’s relationship and role in governance and pushed the envelope on public disclosure.

This is where I began getting uncomfortable, and the expression, “too much of a good thing,” popped into my mind.

Good governance is a delicate balancing act. The working relationship among the board of directors, executive management, and internal audit is complex, multilayered, and influenced by myriad factors, including the strength of the internal audit function within the organization. I strongly agree that detailing the strength of internal audit functions in publicly traded organizations would be a positive move that could go a long way toward improving investor confidence in the markets.

However, internal audit practitioners must always be cognizant of the first word in our job title — internal. No matter how we or others might find value in boosting the transparency of internal audit’s work, the internal audit function’s first responsibility is to the organization. This allegiance to the organization, the confidentiality of our work, and any related exceptions are addressed in multiple ways in the International Professional Practices Framework.

One might argue that investors are part of the organization. That is true. Nonetheless, there is great peril in throwing open the work of internal audit to public inspection. The list of negative ramifications is significantly longer than what Archambeault, DeZoort, and Holt outlined in their research.

Internal audit reports may expose weaknesses in cybersecurity, competitive disadvantages or expansion strategies, trade secrets, and other internal considerations that could place the organization’s success in jeopardy, if made public. Indeed, such revelations could lead to reputational or financial damage, which could hurt investors.

The relationship between internal audit and management also could be negatively impacted if internal audit’s results are made public. As a former U.S. inspector general, audit results of my federal agency were routinely made public. The negative publicity often had a chilling effect on the willingness of management to be open and transparent with me. A senior agency official once told me: “Richard, there are several areas where I suspect we have problems. But I would never ask you to look at them. Your reports are public.”

Pulling the curtain back to reveal the inner workings of an organization’s financial health is what gave birth to modern internal auditing. But any effort to pull the curtain back further is fraught with danger and must be approached cautiously.

As always, I look forward to your comments.