This is a question that should cause every practitioner to step back and think about his or her own practice. There are probably companies where internal auditing should have, but did not, detect weaknesses in board and management governance and risk management processes — resulting in corporate crisis. But, I suspect these situations were few.
But, how many internal audit functions had near misses — one or more omissions or defects in their performance that could have led to the failure to detect and correct governance or risk management process failures?
I have developed a list of questions that practitioners can use in a self-assessment; a "no" answer to any of these, I believe, is a potential defect. Not everybody will agree with all of these, but I suggest careful reconsideration before dismissing any item. I welcome your comments on the list, both items that should be removed and those that should be added.
- Did internal auditing assess the adequacy of the risk management process and provide a formal report to the board and executive management?
- Did internal auditing assess the adequacy of the governance processes, especially board oversight of risk management?
- Were risks relating to the control environment (as defined in the COSO Internal Control–Integrated Framework) addressed as part of the audit plan, including those related to executive compensation and to ensuring that bonus programs (at all levels) are aligned with the longer-term interests of the organization?
- Did internal auditing provide management and the board with a report on the adequacy of internal controls to address all significant risks?
- Did internal auditing address all of the organization's major risks, for example not leaving key areas to others (such as financial reporting controls or environmental, health, and safety (EH&S) compliance) without sufficient oversight or review to be able to provide assurance that the risks are managed within organizational tolerances?
- Were risks related to the extended enterprise (such as outsourced manufacturing, payroll, IT, or other services) addressed in the audit plan?
- Were internal auditing's risk assessment and audit plan updated on at least a quarterly basis (with both additions to and deletions from the plan)?
- Do the metrics for measuring the performance of internal auditing exclude from consideration the percentage completion of the annual audit plan — recognizing the need to change the plan to ensure that current and not yesterday's risks are addressed? Instead, is a metric used where the sufficiency of coverage of major risks is assessed?
- Did internal auditing give priority to providing assurance over governance, risk, and related internal control processes over generating cost-savings (e.g., through vendor audits)?
- If internal audit resources are insufficient to provide assurance on the more significant risks, does the audit committee have sufficient information on the assurance gaps to make an informed decision on internal audit resources? Do they understand and accept the risks involved?
I understand that I have not included compliance with The IIA's International Standards for the Professional Practice of Internal Auditing (Standards), nor have I mentioned a quality assurance review (QAR). This is because I believe compliance with the Standards and passing a QAR are not necessarily conclusive when it comes to providing effective assurance services.