There will be no false modesty in today's blog. Let's admit it: At most organizations, internal auditors are the unparalleled experts at internal controls. We work tirelessly to ensure management maintains up-to-date written policies and procedures. We encourage our audit clients to share ideas on best practices between different operating divisions. We promote good governance, advocate transparency, and, of course, extol the benefits of having internal audits. We know we are agents for positive change.
Unfortunately, I am starting to wonder if we are like the cobbler whose children go barefoot. Despite all our advice, despite a robust body of professional guidance, despite advice from just about every internal audit expert you can find … today's internal audit shops are not always models of strong internal controls.
At a conference last week, I heard internal auditors from two separate companies complain that they had no written audit policies or procedures. Less than an hour later, the leader of one of our quality assurance review teams told me that she had visited several audit shops where there were rarely quality reviews of internal audit workpapers. We don't seem to consistently have the types of controls in place that we expect to find when we audit other areas of our organizations.
Worse yet, is it possible that many of us actually avoid being audited? The latest surveys show that a significant number of internal audit departments have never had an independent quality assessment.
I'm not saying we are not making progress. Since 2002, the International Standards for the Professional Practice of Internal Auditing have required that an external quality assessment be performed at least once every five years. Audit shops that complied with the standard five years ago are choosing consistently to have another review this year, and we are seeing a record number of quality assessments being performed. Where reviews were performed in the past, a second review almost always shows tangible improvements.
We don't want to set a bad example, so let's get rid of the excuses. It's time for the auditors to be audited. It shouldn't be a matter of cost, because many organizations participate in peer review programs at little or no cost. It shouldn't be a matter of competing priorities: We wouldn't ignore the audit of any other essential part of our organization's internal control system, so how can we ignore auditing our own operations?
Most of all, let's get rid of the worst "don't audit me" excuse of all: "We're not ready to be audited." We wouldn't accept that excuse year-after-year from anyone else in our organization's management team; it's time we stopped using it ourselves.