Internal auditors have a deserved reputation for what I would call "risk paranoia." They have yet to see a risk they think management should retain. When they report the results of their audits, they point out all the risks if no action is taken to correct the "deficiencies" they have found.
But, is that good for the business?
Has internal audit become what I refer to as a "department of NO"?
Dilbert captures the concept well. But, if an organization doesn't take risks it will not survive; it will not make a profit.
The key is for the organization to take risks — at the desired level. The risks shouldn't exceed the organization's tolerance levels.
A recent article in Bloomberg Businessweek should be required reading for all internal auditors. Note the section "Leaders must welcome risk" and the quote from Anne Mulcahy: "Taking risks is something that a leader has to do in order to really perform and keep the company moving forward."
If we are to be a force within the organization, and a positive influence rather than the department of NO, internal audit must do the following (IMHO):
- When auditors assess the potential impact of a perceived deficiency, they should compare the risk level to the organization's risk tolerance. Is the risk level too high — in which case consideration should be given to reducing it through improved risk responses (which include controls)? Is the risk level too low — meaning that there may be an opportunity to cut the cost of control? Or is the level of risk just right?
- Auditors should have a discussion with management about the level of risk they are prepared to take. If management doesn't understand the concept, and this might impair their ability to manage risks in their area, the auditor should treat that as a deficiency in its own right.
- Internal auditors should be the department of HOW. Rather than just pointing out that management has a problem, internal audit should provide suggestions on the way forward, on how management can address the issue. This doesn't mean that internal audit takes responsibility for the management of risk or for operational processes; it means that auditors should provide value-adding assurance and consulting services that improve the effectiveness of governance, risk management, and internal control processes.
How is internal audit perceived at your organization? Are they the department of NO or the department of HOW? Are they seen as a bunch of sadists?