When there's a serious breakdown in controls, sooner or later someone will pose the inevitable question of "where were the internal auditors?" It's not just a blame game. After any audit failure, the CAE must re-evaluate and learn from possible mistakes to prevent similar gaps in the future.
In the past, whenever a calamity occurred in an organization, reviewing the CAE's role was often cut and dried. Perhaps the internal audit function had insufficient independence and authority to address the risk that eventually blew up. Or its risk assessments didn't cover all parts of the organization. Maybe internal auditors hadn't immediately identified and reported on an issue, or they failed to follow up in a timely manner to ensure management had taken action.
I recently compared notes with the CAE of a global company about several control failures that have been in the news this year. She pointed out that, even with the power of 20/20 hindsight, it's not always easy to determine if a CAE had any culpability in the situation. Due to audit rotations, demanding work schedules, and abundant job opportunities, ours has become a very transient profession. The IIA's Global Audit Information Network (GAIN) benchmarking survey, in fact, indicates that the turnover rate for internal auditors currently averages over 30 percent. My guess is that CAE turnover in large companies is almost as high. And, where CAEs are new to their organizations, they might not yet have assessed or taken action on all the risks. With that in mind, how can they be held entirely responsible?
Following this logic, what about former CAEs? How long should they be on the hook when significant problems are identified after their departure? In other words, what is the hypothetical "statute of limitations" for CAE culpability?
There was a high-profile disaster at an organization where I previously worked. Although I had left the organization 12 years earlier, my first reaction was whether it was something I could have or should have looked at more closely. After pondering the situation, I concluded that we had undertaken comprehensive risk assessments at the time, and there was no way to retroactively assess the vulnerability to a risk more than a decade before.
Managing an internal audit function involves a never-ending stream of judgment calls, and when things go stunningly wrong, we sometimes beat ourselves up about it. Should we have rated a certain risk a little higher? Should we have pushed harder for enough budget to perform just a few more audits? It's easy to cast blame, and if we look hard enough, we can almost always find fault. Worse yet, after a major control breakdown, others might also find fault with how the internal audit function operates.
In the end, we can speculate as to what the results might otherwise have been, but if we are really doing comprehensive and continuous risk-based auditing in accordance with professional standards, that's the best we can do.
Those are my thoughts on the elusive question of how long former CAEs should beat themselves up over subsequent calamities. I welcome yours.