As a global leader in the internal audit profession, there are few questions I dread hearing more than: "Where was internal audit?"
When the media and others ponder the whereabouts of internal audit, there has typically been a high-profile corporate failure that has damaged a company's share value and investor confidence. The question also arises when a scandal or highly publicized failure in government has rattled public trust.
The question itself clearly suggests that an organization's last line of defense failed to do its job. While I acknowledge that sometimes internal audit does drop the ball, I am often troubled by how quickly the question is posed. Jumping to the conclusion that internal audit could have prevented a failure is often akin to blaming a quarterback for being sacked or a goalie for giving up a score without examining the performance of the rest of the team.
The reality is that even the most outstanding internal audit functions in the world cannot provide absolute assurance that all risks are effectively managed and all internal controls are effectively designed and implemented. We cannot assess every risk, and we cannot be everywhere at once.
Those who understand internal audit's role recognize that the assurance it provides is only as effective as its ability to operate independently and with sufficient resources to do its job. Internal audit cannot identify weaknesses in process and policies or trends of behavior that circumvent controls and imperil the organization without full access to information and clear lines of communication with the audit committee, management, and the board.
But high-profile risk management or control debacles are sometimes a clear consequence of failure by all three lines of defense. In these instances, no honest assessment will absolve internal audit from all blame. Indeed, internal audit's performance played a role in one of 2015's high-profile corporate scandals. Outside investigators hired by Toshiba's board in the wake of the company's high-profile financial reporting scandal pointed fingers in a number of directions including internal audit. The investigators noted that internal audit was not providing adequate assurance and even suggested that internal audit was aware of several projects with inappropriate accounting but took no action.
While I believe the Toshiba example is a painful exception and not the norm, CAEs should consider that being blamed for failure is in itself a risk that internal audit should monitor and mitigate.
Here are four steps internal auditors can take to protect against this risk:
- Manage expectations. Internal audit is a critical component in an organization's system of risk management and controls, but it must also be clearly understood what it can and cannot do. We do not provide absolute assurance, and that should always be clear to our key stakeholders. As I have noted before, we can audit anything, but we cannot audit everything.
- Create strong processes for risk assessment. Identifying emerging risks in today's dynamic and fast-paced business environment is increasingly challenging. Effective risk-based audit planning demands expertise in this area and the ability to be nimble, astute, and creative in identifying new risks as quickly as they develop.
- Update audit plans as needed. Create a reliable method for refreshing audit plans on an ongoing basis, not just once a year. When they wonder where we were, hopefully we were auditing "at the speed of risk!"
- Make clear what isn't getting audited. Don't just tell the audit committee what you are going to audit; tell them what you're not going to audit this year. I often advise CAEs to have a conversation with management and the audit committee about the top five risks that will not be audited during the coming year due to resource or other constraints.
I should acknowledge that often there are areas within the organization where internal audit is not invited or welcomed. For example, not every organization recognizes the value internal audit can bring to building and implementing business strategies.
Similarly, some internal audit functions shy away from areas where they lack expertise. But a lack of expertise should never be a factor in determining what makes it into the audit plan. CAEs have options to fill in knowledge and skills gaps, including co-sourcing, outsourcing, and hiring experts. All audit plans must be built on a simple three-word proposition — follow the risks.
CAEs should strive to establish healthy and mutually supportive working relationships with stakeholders and build teams with the skills necessary to best serve their organization. This helps instill a healthy understanding and respect for good governance throughout the enterprise, significantly mitigating the risk of a catastrophic failure.
In these circumstances, there is no need to ask, "Where was internal audit?" because the answer should be understood — we were following the most critical risks.
As always, I welcome your thoughts.