Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

The Time Has Come for Marks on Governance


In The Walrus and the Carpenter, Lewis Carroll wrote:

"The time has come," the Walrus said,

      "To talk of many things:

Of shoes — and ships — and sealing-wax —

      Of cabbages — and kings —

And why the sea is boiling hot —

      And whether pigs have wings."

[I will let my friend and fellow blogger, Mike Jacka, talk about flying pigs.]

Yes, the time has come — to talk about concluding this blog. After all, I have been retired for five years and it is time to start slowing down.

The blog was born in 2008 with "A Broken Relationship." Since then, I have written hundreds of articles on governance, risk management, internal auditing (of course), and technology. Not a single reference, I am afraid, to flying pigs.

While this blog will come to an end, the world and its challenges will not. I will continue to write and speak about them. I hope to see you at IIA and other conferences, and I will continue to share my thoughts in Internal Auditor magazine and on my personal site.

Perhaps my last blog post should be about how the future of internal auditing is in auditing and then communicating what matters. I was recently honored to make a keynote presentation on that topic at IIA–Brasil's annual conference in Rio de Janeiro.

I asked the attendees whether they wanted, as internal auditors, to have a seat at the top table alongside senior executives from finance, operations, legal, marketing, and so on. They all said internal audit should have a seat at the top table. As Richard Chambers says in his latest book, they want internal audit to be seen as trusted advisors.

Then I asked who they would invite to sit at their table. I suggested that they would welcome people who had something interesting and valuable to offer. They wouldn't invite people (except family members) simply because of their title or position.

Similarly, internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise's objectives and strategies, major projects, performance, and risks to success.

If we do what I suggested in Auditing That Matters, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed. I said:

For internal audit to "matter," it needs to:

  1. Focus on the risks that matter to the board and top management — risks to the successful delivery of value to stakeholders, the achievement of objectives set by the board.
  2. Provide assurance on those risks that is readily consumable, relevant, actionable, and timely — helping board members and executives make informed decisions that lead the organization to success; where action is necessary, it can be taken promptly and effectively.
  3. Provide a formal opinion by the CAE on whether the systems of internal control and risk management provide reasonable assurance that the more significant risks are managed at desired levels.
  4. Provide, in addition to formal assurance, its objective insight on any area critical to the achievement of success. For example, internal audit cannot be fearful of sharing its opinion on the performance of key personnel, the structure of the organization, and so on.
  5. Communicate what its stakeholders need to know, when they need to know, and in a form that is easily consumed, relevant, and actionable.
  6. Work effectively with management to help upgrade its processes, systems, organizational structure, controls, and people as needed.

These principles are consistent with The IIA's four results-oriented Core Principles for the Effective Practice of Internal Auditing. They state that an effective internal audit function:

  • Communicates effectively.
  • Provides risk-based assurance.
  • Is insightful, proactive, and future-focused.
  • Promotes organizational improvement.

Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on you merit a seat at the middle management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.

We simply cannot continue to perform audits of history and write reports that stakeholders read out of duty. We need to provide forward-looking assurance and advice on what matters and will matter in the days ahead: communications that matter to our stakeholders because they help them succeed.

We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.

One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don't think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.

No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. It's about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.

Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.

Think about this. According to McKinsey, "60% of senior executives say that bad decisions were about as frequent as good ones"! This is an opportunity for internal audit — but we have to know what is possible and desirable, and that is beyond putting together a risk inventory. We need to be brave and talk about the elephants in the room.

Almost always, the root cause of risk and control problems is people. Maybe it's an ineffective manager or an individual who does not have the training or experience to do the job. Maybe a control is not being performed reliably because the function is understaffed.

Our goal is not popularity. Our goal has to be to provide our stakeholders with actionable information that will enable them to correct what needs to be corrected.

Our goal has to be to help the organization succeed! Providing a list of problems is not nearly enough.

As I look back on nine years of blogging here, I can see progress. For example, perhaps half of internal audit functions have moved from a rigid annual audit plan to a flexible one that makes sure you are auditing what matters now, rather than what used to matter. That progress needs to continue.

The path to success lies in our ability to challenge everything we have done because it is what we have always done. We wouldn't accept that from process owners. Why accept it in our own profession?


  • What we are auditing.
  • How we are auditing.
  • How we communicate the results of our work.
  • How we provide stakeholders with what they need — actionable information.
  • How we can help the organization succeed.


We need to be brave (watch the video). Not everybody in our world, from board members to staff members, is going to be happy with change.

But if we move forward and show them the value to them of addressing and then communicating what matters, it is not only possible to get their enthusiastic support, but doing so will earn you a seat at the top table.

What do you think?

Are we there yet?

