Where Was Internal Audit? Beware Rushing to Judge

There has been no shortage recently of corporate scandals born from ineffective corporate governance, poor risk management, and toxic cultures. In each case, I inevitably hear the question, “Where was internal audit?” There is never a simple answer to that question. As with all things as complex as modern business, there is rarely an easy explanation when things go horribly awry.

In each instance, media reports, regulatory filings, or company statements — even the occasional congressional hearing — give us a glimpse into a piece of what may have led the organization astray. But to suggest a failure by i​nternal audit is a conclusion that should be drawn only when the facts are known. As college football commentator Lee Corso is fond of saying, “Not so fast my friend.”

In most instances, there are simply too many unknowns about the actions of the organization’s internal audit function or its responsibilities for the public to reach an informed conclusion about what it should have done, or failed to do, or was kept from doing.

Here are three things that can be safely assumed about high-profile organizations that suffer high-profile scandals or failures:

• Big organizations face a myriad of risks.
• Even when internal audit functions are well-resourced, it is highly unlikely they have the resources to address every one of those risks.
• A failure of risk management doesn’t necessarily equate to a failure by internal audit.

In a previous blog, I made the case that while internal audit is capable of auditing many things, it can’t audit everything. That 2014 blog was particularly prescient considering the number of high-profile governance failures of late:

Each time a major control breakdown makes headlines, someone inevitably asks, “Where were the internal auditors?” Often, the internal auditors were engaged and, in fact, did raise red flags in advance of the crisis. But the warnings were not addressed satisfactorily. Given the size and complexity of many organizations today, it would require an incredibly large inter​​nal audit function to address all of the risks. Sometimes, there simply aren’t enough internal audit resources to cover all significant risks and, yes, there also are times when internal audit overlooks a key risk that proves catastrophic.

At best, the internal audit function can only be as effective as the resources, training, and talent that are available. Internal auditors are not infallible, and given the realities of budgets and cost-justifications, we also cannot be omnipresent.

There are still other factors that influence the audit plan beyond the risk universe and limited resources, training, and talent to address it. One such factor is when the audit plan fixates on where regulators are focused. In most instances, regulations are born from scandal, which inevitably leads to the criticism that regulators are forever fighting the last war. This seems to be particularly true in financial services where regulators have been pressuring internal audit to focus extensive resources on credit risks while commercial practices and operations have received less scrutiny.

CAEs should be keenly aware of this factor and fight hard for a risk-based internal audit plan. When resources are not adequate to address key risks, the CAE should not remain silent. Make sure the audit committee understands not only what will be audited, but what will not be audited, as well. Audit committee members often articulate the view that internal audit’s role is to help prevent surprises. Yet, too often the ultimate surprise is that a high risk wasn’t even on internal audit’s radar.

I would be the first to acknowledge that in some instances the internal auditors have been asleep at the wheel when well-known companies careened over a cliff. However, it is best to know the full circumstances before concluding just how much culpability belongs at the internal auditors’ feet.

As always, I welcome your comments.