So, Who Are Internal Audit’s Stakeholders?

In my last blog entry, I cited some emerging challenges and identified five key priorities that chief audit executives (CAEs) should be pursuing as 2011 gets underway:

• Assess key stakeholder expectations, identify gaps, and implement a comprehensive strategy for improvement.
• Assess internal auditing’s contribution to risk management and “step up to the plate” as needed.
• Deploy a strategy for internal audit business knowledge acquisition.
• Streamline internal audit processes and operations to enhance value.
• Coordinate and align with other risk, control, and compliance functions.​

I have spoken on these themes at several forums in recent weeks, and one question has arisen on multiple occasions: Who are internal auditing’s stakeholders? While there is no universal answer to the question, I thought it might be worth exploring here.

The IIA’s International Professional Practices Framework refers frequently to the relationships that the CAE and internal auditing have with a number of parties. However, the precise term, stakeholders, isn’t used very often. Dictionary.com defines stakeholders as: “a person or group that has an investment, share, or interest in something, as a business or industry.” Where internal auditing is concerned, I have often bifurcated stakeholders into primary, secondary, and tertiary segments. I’ll share my personal views as to each of these segments.

Primary internal audit stakeholders: For me, this one is the most obvious. I believe the primary stakeholders include:

• The audit committee and the board.
• The CEO (or head of the enterprise).
• The chief financial officer or individual to whom the CAE reports administratively.
• Potentially, the other chief officers of the enterprise.

Secondary stakeholders include:

• Business unit executives/leaders not identified as primary stakeholders.
• External auditors and regulators (the first time we think of stakeholders potentially residing outside of the enterprise).
• Investors and creditors.
• Citizens and taxpayers (for government audit functions).

Tertiary stakeholders include:

• Employees (and potentially retirees) of the enterprise.
• Investment analysts and others with an interest in the performance and effectiveness of risk management, and internal controls of the enterprise.
• Potentially, the general public.

Now that I have shared my totally subjective view of who the stakeholders are, what should be done with them? As I often state, internal auditing must recognize that it exists to serve the needs of the various stakeholder groups, and that their expectations are constantly evolving and rarely aligned. Internal auditors and CAEs who lose sight of that fact are at substantial risk of long-term failure.

In the next blog, I will share my thoughts on effective ways to prioritize stakeholders and to identify and respond to their changing expectations. In the meantime, I welcome your views on who our stakeholders are and where my inventory diverges from yours.