In a blog earlier this year, I sounded an alarm about the dangers of investing in companies with no internal audit function. Ultimately, the goal was to raise awareness of the risks that accompany the absence of internal audit in publicly traded companies.
That effort took an important step forward last week when The IIA formally recommended to the U.S. Securities and Exchange Commission that all publicly traded companies be required to have an internal audit function.
There have been a number of high-profile financial and corporate governance scandals of late that should hammer home the absolutely necessity of good corporate governance, and it should go without saying that internal audit adds value to that process by providing effective oversight of the control environment.
Yet, there are many enterprises — large and small — that continue to operate without internal audit. The IIA's letter to the SEC outlines the case for internal audit to serve as a foundation for — if not a catalyst to — restoring investor confidence. Indeed, the presence of an effective internal audit function signals unequivocally management's and the board's support of strong and effective risk management, internal control, and governance.
When a publicly traded company has no internal audit function, one must ask: Who is providing the independent and objective assurance and insight the board needs to determine how well risk and the mitigating controls are being managed?
This may sound self-serving, but if it is only management that provides that assurance, the board may be operating at a disadvantage. We have seen too many recent examples of management's influence contributing to a toxic corporate culture that can destroy shareholder value. Neither boards nor the shareholders they serve can afford to rely on a single lens when assessing how well risks are being managed or controls are being designed and implemented in companies in which they have a vested interest.
I should acknowledge here that the lack of internal audit does not doom an organization to failure or suggest bad intentions from its leadership. Similarly, the presence of the function doesn't guarantee success.
However, I strongly believe an organizational commitment to good governance falls short without the independent and qualified oversight function that internal audit offers. Organizations operate in a global marketplace that is dynamic, fast-moving, technology-driven, and as competitive as ever. In this atmosphere, the odds are stacked against those with a less-than-ideal risk management and control environment.
This drives home the value of requirements outlined in The IIA's letter to the SEC. First, the mandate should include internal audit conduct in accordance with globally recognized standards, such as those promulgated by The IIA. What's more, there should be a required annual audit committee disclosure regarding the internal audit function's stature, independence, and resources; and an audit committee disclosure on the internal audit function's performance.
I suspect there will be strong resistance to an internal audit mandate from some who either do not understand its value or fear its added scrutiny. But we must overcome that resistance. The IIA will continue to advocate strongly for an internal audit mandate for all publicly traded companies, and I encourage board members, management, and all internal auditors to embrace and promote this effort.