As part of my ongoing engagement in social media, I routinely monitor the media for references to stories involving "internal audit." The past few weeks it seems that the media has been overrun with headlines involving internal audits. Normally, I would be encouraged with such coverage. However, where recent headlines have been concerned, I suspect the "internal audits" weren't actually internal audits at all. I believe this happens more often than many people realize, sometimes showing up in the media when internal reports generated by management or "second line-of-defense" oversight functions are mistakenly depicted as "internal audits."
The distinction is significant: When an investigation is performed by an entity other than by internal auditors, it is important to know whether it was done independently and objectively and in accordance with professional standards. In other words, just how much can we rely on information in the report?
Take, for example, the U.S. Department of Veterans Affairs Access Audit Report that recently became front-page news. Scores of news headlines across the nation touted the results of the VA's "internal audit." When I started reading about this "Access Audit Report," it seemed at first to be a conventional government audit. But when I read further, I found something quite different. The report seemed to flow seamlessly between the voice of the "auditors" and that of management, with little distinction between whose point of view the reader was hearing.
Normally, audits within the VA are done by the VA's Office of Inspector General. But it appears that, for the Access Audit, the organization was reviewed by its own senior management team.
I don't mean to imply that the Access Audit Report was inaccurate or misleading. Indeed, the report made it clear that the work was performed by management. Measures were taken to promote independence, and each site visit was performed only by people who did not work at that location. I also don't mean to imply that the auditors had no relevant experience. The report states, "Staff members selected were senior leaders in the organization familiar with conducting audits and site visits, e.g., administrative investigations where sworn testimonies are collected; consultative site visits based on defined technical criteria."
Despite these assurances, however, the report left me with more unanswered questions. What does it take for a document to bear the title of "audit report"? As far as I'm concerned, there are quite a few things that stakeholders — in this case citizens/taxpayers — should expect from internal audits, especially in organizations whose governing bodies have specified that internal auditing will be practiced in conformance with professional standards.
The VA report does not specify whether the Access Audit team's work was performed in accordance with professional standards, and I don't know whether their experience in "administrative investigations" included training in subjects such as audit standards. That's too bad, because knowing that the engagement was conducted in accordance with professional standards might have relieved several potential concerns about the report.
While it's difficult to tell from the report whether the Access Audit was performed in accordance with professional standards, there is reason for speculation. Both The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) and the U.S. government's Generally Accepted Government Auditing Standards provide frameworks for conducting high-quality, competent audits. The IIA's Standards require, for example, that each internal audit function have a formal written charter, that auditors should be independent and objective, and that a quality assurance and improvement program should be in place. The VA engagement team seems to have been selected on an ad-hoc basis, so I wouldn't assume the group had a charter or a formal quality-assurance program. A few questions about independence and objectivity might also be justified. And while an audit performed in accordance with the Standards would necessarily disclose issues in any of these areas, a management report might not be expected to do the same.
The VA report is not an isolated example of "audits" performed by someone other than auditors. I also recently read about an "internal audit" at a global manufacturing company that raised some of the same questions. Yet, when I looked at the company's 8-K filing, the same issues were said to have been disclosed by "internal testing" in the company — not necessarily by the internal audit department.
It's not that there's anything wrong with management reviews. To the contrary, you can't manage an organization effectively if you never assess operations. But management reviews are fundamentally different from internal audits. Keeping in mind that the International Professional Practices Framework's Definition of Internal Auditing states that internal auditing is an "independent, objective assurance and consulting activity ..."
I believe organizations and the media should refrain from referring to internal management and oversight reports as "internal audits." To be sure, management reviews can be objective in both fact and appearance, but calling these "internal audits" can result in misunderstandings and provide a false sense of assurance to the reader.
It boils down to transparency. We should give credit where credit is due, ensuring that there can be no confusion between internal audit reports, management reviews, and the work of other assurance providers. We should also ensure that all our stakeholders know whether an "audit" was performed according to professional standards or other relevant criteria. If every internal audit report was transparent about these issues, our stakeholders might have fewer questions about the quality of information in our reports.