As internal auditors, it's quite natural to assess and advise our organizations on effective risk management. With greater frequency, we provide assurance to management and the board that the enterprise is adequately assessing risks, and that risk mitigation strategies are being developed and implemented.
But what about our own risks? Can we say with any degree of certainty that we are identifying risks to our internal audit departments? And are we taking adequate measures to mitigate those risks?
All too often, the answer is "no." We are frequently missing important topics when crafting our annual plans and we don't always address inadequate resources or expertise on our staff. As a result, we almost certainly are failing to appreciate the risk to internal audit's reputation if the wheels come off. As fragile as a reputation is, such inattention to risk never ceases to amaze me.
An overarching goal for any internal audit function is that it be a bastion of integrity and credibility within its organization. From my experience, one of internal audit's most valuable assets is its reputation. However, one inaccurate internal audit report, a perceived bias by staff, or a perception of shoddy work can severely damage that reputation.
As I contemplate such risks, I believe there are at least five strategies to lessen the risks to an internal audit department's reputation:
- Strive for organizational independence. To effectively assess and address the full portfolio of enterprise risks, internal audit must carry out its work free of interference. When internal audit reports administratively to a member of management below the CEO, however, the likelihood of interference increases. For example, statistics show that, when the chief audit executive (CAE) reports to the chief financial officer, its work is more likely focused on financial risks. If internal audit is artificially constrained because of its reporting relationship, the chances of missing a key risk increase. Few comments more succinctly indicate that internal audit's reputation has been damaged than, "Where was internal audit?"
- Ensure individual objectivity. A lack of objectivity by an internal auditor is corrosive to the overall quality of internal audit's work and, ultimately, to its reputation. CAEs must be sensitive to staff who may not be impartial. If an internal auditor has a friend or relative in a business unit, for example, he or she should not be assigned to any audits there. If an internal auditor has career aspirations in a business unit or recently worked there, objectivity also may be impaired. Strong policies should be crafted and enforced to identify and manage these and other obstacles to objectivity.
- Design and implement a quality assurance and improvement system. The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) mandate that, "The CAE must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity." The Standards further mandate "ongoing monitoring of the performance of the internal audit activity." The design and implementation of quality controls are essential to effectively mitigating the risk of errors or substandard quality in internal audit processes. The quality/accuracy of internal audit's work is vital to maintaining its credibility. Never underestimate the importance of an effective assurance and improvement program to protect and preserve internal audit's reputation.
- Obsess over the accuracy of communications. Nothing will damage internal audit's reputation faster than an internal audit report with inaccurate information. Ensure that all communications, especially audit reports, are crafted with an emphasis on accuracy, and that controls, such as cross-referencing each section of the report to source documents/workpapers, are solid. Remember, it can take years for internal audit to build a strong reputation for accuracy, but only one report to destroy it.
- Develop and maintain a crisis response plan. No combination of risk mitigation strategies will eliminate all risks to internal audit's reputation. And no remediation strategy is complete unless it includes a plan for responding to a crisis. Anticipate scenarios, such as issuance of an inaccurate report, and formulate a plan for response. Effective crisis response plans should encourage candor, timeliness, and accuracy.
These are my thoughts on ways to mitigate risks to internal audit's reputation. I welcome yours.