Investors Deserve Disclosure on Internal Audit

During a recent visit with U.S. Congressional leaders, I explored support for making disclosure of whether a company has an internal audit function a requirement for being publicly traded. I was heartened that most legislators I spoke with said they would consider such a step.

While this would seem to be a minor added condition for allowing a company to be listed on an exchange, in practice it would be a significant step in pulling back the curtain to reveal an organization’s commitment to good corporate governance — particularly risk management and internal controls.

Such a disclosure requirement would stop short of compelling companies to have an internal audit function, but it would deliver important information to prospective investors by providing a glimpse into the culture of the organization.

When publicly traded companies fund and support an independent, healthy, and robust internal audit function, they commit to having a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes. Without such a commitment, investors are left to wonder how the board and management receive independent and objective assurance and insight regarding how well risks are being managed.

When any organization, publicly traded or not, operates without an independent and objective assessment of its risk management, its board must rely solely on management for such assurances. On its face, a self-assessment system is vulnerable to manipulation and deceit. Without internal audit, management will often try and convince itself and the board that everything is fine.

While the presence of an internal audit function does not guarantee success for a company, the absence of one suggests the organization’s leadership may not see the value in assuring strong, effective risk management, internal control, and governance. This is a self-imposed risk about which potential investors should be aware.

Today’s dynamic and volatile business environment demands that organizations be prepared to respond to risks that are growing in number, scope, variety, and the speed at which they emerge and threaten. Fed by rapid advances in technology, geopolitical pressures, economic instability, and other factors, these risks can quickly overwhelm organizations that do not have strong and effective risk management and governance structures.

Even venerable companies with long-established governance structures can fall victim to risk-induced events that can mature at lightning speed. United Airlines’ disastrous social media fallout from its overbooking policies, Fox News’ culture problems, and GM’s sudden loss of manufacturing facilities in Venezuela offer recent examples.

Simply put, organizations that lack a systematic review and assessment of risk management are flying blindly into a storm of operational and strategic business perils.

This is precisely why disclosure is needed to help protect investors, increase transparency, and ensure that publicly traded companies are committing to professional and unbiased assessment of their risk management and governance practices.

Nearly two years ago, The IIA called on the U.S. Securities and Exchange Commission to require all publicly traded companies to have an internal audit function. We are not the only organization that sees value in such a requirement. For more than a decade, the New York Stock Exchange has required all listed companies to have an internal audit function in place, upon or within the first year of listing, depending on the circumstances. Additionally, a number of Asian exchanges, including those in Hong Kong and Malaysia, require internal audit functions for listed companies.

But even such a prudent requirement would seem to have little chance for gaining support in the current atmosphere of zealous deregulation. The next-best option may be to adopt a position similar to that taken by the Australian Stock Exchange. It recommends that each listed company disclose whether it has an internal audit function, how the function is structured, and what role it performs. If not, the exchange recommends disclosing that fact and identifying the process the company employs for evaluating and improving the effectiveness of risk management and internal control processes.

Such a disclosure process would move us an important step closer to mandated internal audit for publicly traded companies.

It is important to note that virtually every Fortune 500 company, and the vast majority of large-cap companies, already have internal audit functions. However, I believe many smaller-cap companies (including many in high-risk industries) do not have internal audit functions. These are the very companies for which an internal audit function is most urgently needed.

Some critics and cynics may try to label our efforts as self-serving and simply a ploy to boost demand for internal auditing. But any informed observer of modern business understands the demand is already there and is growing like never before.

As always, I look forward to your comments.