IIA: Internal auditors can audit anything – but not everything

10 November 2014

IIA President and CEO Richard Chambers shares his personal reflections and insights on the internal audit profession.

Each time a major control breakdown makes headlines, someone inevitably asks, "Where were the internal auditors?" Often, the internal auditors were engaged and, in fact, did raise red flags in advance of the crisis. But the warnings were not addressed satisfactorily. Given the size and complexity of many organizations today, it would require an incredibly large internal audit function to address all of the risks. Sometimes, there simply aren't enough internal audit resources to cover all significant risks and, yes, there also are times when internal audit overlooks a key risk that proves catastrophic.

At best, the internal audit function can only be as effective as the resources, training, and talent that are available. Internal auditors are not infallible, and given the realities of budgets and cost-justifications, we also cannot be omnipresent.

This can lead to expectations gaps and misunderstandings about what internal auditors can do or what is being addressed. A PricewaterhouseCoopers (PwC) study in 2012, for example, found a large gap between the perceptions of internal auditors, audit committee chairs, board members, and senior management regarding how their companies manage fraud and ethical risks. The study, Aligning Internal Audit: Are You on the Right Floor?, showed that 53 percent of audit committee chairs, board members, and senior management thought fraud and ethics risks were well managed, while only 35 percent of CAEs shared that sentiment.

In PwC's Boardroom Direct monthly newsletter, Peter Tickner, a U.K. consultant on corporate governance and fraud issues, cites differences of opinion over who is responsible for fraud deterrence and for setting and assessing ethical culture. Tickner's quote: "Top management was convinced that one of the key roles of the chief audit executive was to deal proactively with the risks around fraud and corruption, whereas generally the CAEs saw it as senior management's problem and responsibility."

Blog


© IIA - The Institute of Internal Auditors