By Richard Chambers
There are times when internal audit clients and others have unrealistic expectations about our profession. It's not surprising, then, that there may be confusion about our role. After all, internal auditors wear many hats. We are analysts, controls experts, consultants, teachers, business partners, watchdogs, financial advisers, compliance experts, and more. We truly can audit almost anything. While some risks clearly require additional expertise to audit, as I wrote in a 2014 blog post, "you don't have to be a clown to audit the circus." However, as I noted then, while we might be able to audit anything, we can't audit everything.
Each time a major control breakdown makes headlines, someone inevitably asks, "Where were the internal auditors?" As we have sadly seen too often in the past year, the internal auditors were engaged and, in fact, did raise red flags in advance of calamities. But the warnings were not addressed satisfactorily by management. Given the size and complexity of many organizations today, it would require incredibly large internal audit functions to address all of the risks that organizations face. Sometimes, there simply aren't enough internal audit resources to cover all the significant risks and, yes, there also are times when internal audit overlooks a key risk that proves catastrophic.
At best, the internal audit function can only be as effective as the resources, training, and talent that are available. Internal auditors are not infallible, and given the realities of budgets and cost justifications, we also cannot be omnipresent.
This can lead to expectation gaps and misunderstandings about what internal auditors can do or what is being addressed. Several studies in recent years have noted large gaps between the perceptions of internal auditors, audit committee chairs, board members, and senior management regarding how their companies manage fraud and ethical risks. A PwC study several years ago showed that 53 percent of audit committee chairs, board members, and senior management thought fraud and ethics risks were well managed, while only 35 percent of chief audit executives shared that sentiment.
Peter Tickner, a U.K. consultant on corporate governance and fraud issues, has noted the differences of opinion over who is responsible for fraud deterrence and for setting and assessing ethical culture. As Tickner put it: "Top management was convinced that one of the key roles of the chief audit executive was to deal proactively with the risks around fraud and corruption, whereas generally the CAEs saw it as senior management's problem and responsibility."
If Tickner is right, it is time to take a serious look at roles and responsibilities within the "Three Lines of Defense."
Read more on iaonline.theiia.org: Internal Auditors Can Audit Anything — but Not Everything