Those who regularly read my blog posts will know that I have been an outspoken critic of publicly traded companies not having internal audit functions. In 2015, I shared the view that every publicly traded company be required to have an internal audit department; and in 2013, I called out Nasdaq for withdrawing its proposed listing requirement that would have mandated an internal audit function.
While my views on the importance of strong internal audit functions have certainly not changed, I do think it is important to put my views in perspective. Frankly, there are worse things than having no internal audit. This is particularly true if an internal audit function is weak or ineffective because, in such instances, it is easy for management, boards, and third parties to be lulled into a false sense of assurance. The stakeholders for such internal audit functions might easily conclude all is well because internal audit has not raised any red flags. In some instances, nothing could be further from the truth.
Here are five scenarios that I believe are worse than having no internal audit function at all.
An Under-resourced Internal Audit Function
Two dangers quickly become evident when an internal audit function is not sufficiently funded: Assurance is not provided on all key risks, and the assurance that is offered may be superficial.
In the first instance, significant risks to the organization may not be addressed by internal audit. Even in the best of circumstances, an internal audit function cannot look at every risk. That is why it is important for chief audit executives to communicate to the board and management not just which risks are on internal audit’s radar, but also those that can’t be because of limited resources. This challenge is made more acute when the function is under-resourced.
The second instance may be worse. If limited resources result in incomplete, rushed, or shallow audits, the findings will likely be inaccurate. Getting to the root cause of breakdowns in risk management and internal controls often requires site visits, deep data analysis, and repeating source interviews. An under-resourced internal audit function won’t be able to dedicate the time and money for such thorough and necessary undertakings.
An Ethically Compromised Internal Audit Function
An internal audit function often must act as the eyes and ears for the board and management on corporate culture and ethics. Though not a common occurrence, if internal audit or its leadership is ethically compromised, that is akin to the proverbial fox watching the henhouse.
Ethical lapses on the part of internal audit potentially compromise the integrity of every engagement and audit finding, and once compromised, any finding from the function can be legitimately questioned.
What’s more, boards and management that unknowingly operate with an ethically compromised internal audit function are in grave danger of building business strategies based on false or manipulated assurance.
Inadequate Skills Within the Internal Audit Function
Similar to an under-resourced audit function, one that does not have the talent to properly carry out its duties will produce superficial findings and may completely miss or be unprepared to deal with emerging risks.
Inadequate skills also may limit the function’s ability to offer anything beyond basic assurance. In an ever more complex and dynamic business world, where stakeholders are increasingly turning to internal audit for advisory services, having inadequate skills or talent on staff crushes any hope of internal audit becoming a trusted advisor and gaining a seat at the management table.
An Ignored Internal Audit Function
An ignored internal audit function is one that does not have the respect of management and the board. These are functions that operate in name only and provide no value to the organization. In this instance, internal audit findings and recommendations are routinely dismissed.
An ignored internal audit function also runs the risk of becoming an under-resourced or weakly skilled function that carries the inherent shortcomings associated with those two scenarios.
An Internal Audit Function That Is Not Independent
An internal audit function that lacks independence may be the worst of all. Providing true assurance about an organization’s governance, risk, and controls is rooted in an internal audit function’s ability to remain independent, and any challenge to that independence erodes the function’s effectiveness and value to the organization.
Management, boards, and internal audit must guard against any of those five scenarios developing in an organization. Beyond the clear harm described above, the potential for false assurance compounds that harm.
In simple terms, audit functions that are under-resourced, inadequately staffed, ignored, or compromised in their ethics or independence are like a vehicle with faulty brakes. Drivers will take more risks if they believe the brakes will save them, and the damage will be that much greater when those brakes ultimately fail.
Don’t get me wrong. I still strongly believe that an independent, well-resourced, and well-respected internal audit function is a critical element in an organization’s system of risk management and internal controls. However, when the function is intentionally circumvented or undermined, the risks can be greater than having no internal audit function at all.
As always, I look forward to your comments.