The Value of a Vigilant Internal Audit Program
I hate to write a negative column. It is contrary to my nature and perspective. It is easy to complain. It is far more difficult to come up with practical solutions.
We all know colleagues who love to complain but do nothing about the problems they complain about. Eventually, a complainer loses value in an organization and they end up having little influence.
Having said all that, it amazes me when I hear about (or see in action) a dysfunctional internal audit function. To be sure, it is not always the Internal Auditor’s fault. In many cases, it is a failure of corporate leaders to support a vigilant internal audit function.
If a company is unwilling to promote a vigilant internal audit function to identify weaknesses in its internal controls, you can bet that the company has a weak ethics and compliance program and an even weaker speak-up culture for encouraging employees to raise concerns.
An ineffective internal audit program carries with it huge risks beyond just Sarbanes-Oxley; the absence of an effective audit function undermines the integrity of the company’s financial reports. A CCO cannot operate in this environment. A weak financial system means that there will be even less commitment and interest in ethics and compliance. One cannot thrive without the other.
There are several telltale signs of an ineffective internal audit function. I will list a few that I have seen:
Lack of Resources: If your company has revenues of $1 billion or more, operates in the global marketplace, and has fewer than five internal audit staff members, watch out. A lack of resources means an inability to provide minimum coverage of financial risks. One caveat – this assumes that the company does not supplement internal audit operations with outside assistance.
Lack of Authority: This is a big indicator. If an internal audit report identifies a number of deficiencies (in the red/yellow category), and the internal auditor has no hammer to enforce remediation of these deficiencies, I hate to say it – “Houston, we have got a problem.” If internal audit findings are “suggestions” and nothing more, the absence of authority, by definition, undermines the independence and integrity of the internal audit function. I have seen weak internal auditors and I have seen very strong internal auditors.
Some companies that believe in an independent and authorized auditor have established protocols for ensuring that deficiencies are fixed. A specific timetable is established for remedying a deficiency and if the manager does not verify the remediation by the deadline, the internal auditor notifies senior management (and sometimes the Audit Committee). An internal auditor with authority is a valuable player in the corporate governance landscape.
Death by a Thousand Cuts: This is a harder factor to identify. An internal auditor may have adequate resources, and even authority from a theoretical standpoint, but is neutralized through a slow and continuing process of delay, obfuscation and suppression. What do I mean? Look for the following: Is the internal auditor part of the CFO’s inner circle? Does the CFO rely on the internal auditor for constant advice and counsel? If not, then look to see how effective the internal auditor is in communicating its findings, who is given copies of the internal audit reports, and how quickly issues are remedied.
Bit by bit, a picture of neglect may emerge. Sometimes it can be explained by the quality of the internal auditor himself or herself, as well as the quality of the audit reports. Other times, the internal auditor may be off-target in his or her audit schedules and priorities. Whatever the explanation may be, the internal audit function may be nothing more than a “paper” program.