Thought Leadership of the Week

When On-Demand Financials Make Sense
Free White Paper, Courtesy of Intacct

Featured Job Listing

 Vice President, Ethics & Compliance
Apollo Group; Phoenix, Arizona

Upcoming Webcasts

GRC Controls to Run Your Business Better
Jan. 22, Free, Sponsored by Oracle

Madoff Litigation: Recovering Lost Billions
Jan. 14, Free, Sponsored by NERA

The Resource Exchange

Disclosure Controls Process Map
Submitted by Anonymous Company

Internal Control Questionnaire
Submitted by Candela Laser

Featured Databases

Sustainability Reports
Review Corporate Sustainability Reports

Codes of Business Conduct
Database of 1,000+ Mission/Conduct Statements

Compliance Week “Twitters”

Get the Latest Compliance Updates via Twitter
Available Via Cell, Online, E-mail

GRC Illustrated Series

 A Federated Approach to Policy Management
The 19th Installment in This Exclusive Series

The Big Picture

 RSS
“The Big Picture” is written by Matt Kelly, editor-in-chief of Compliance Week. Kelly blogs about the broader context of regulatory developments, legislative actions in Washington, and other events in the area of compliance and corporate governance. Questions, comments and statements from readers are always welcome, and where appropriate Kelly will try to address them in his blog. He can be reached via email at MKelly@complianceweek.com.

 

November 12, 2008

Whither the Internal Audit Department?

All you internal auditors out there, take note: PricewaterhouseCoopers has published a paper clarifying what you ought to do with your life.

Titled “Internal Audit: An opportunity for transformation,” the paper suggests internal audit departments should shift their focus to auditing business risks to protect shareholder value. For too long, the authors say, companies have relied on financial models or credit ratings to gauge risks, and now those methods have turned out to be bogus. Companies should return to old-fashioned due diligence—and thus, enter the internal auditor.

Internal auditing always fascinates me, because when I started writing for Compliance Week, I assumed corporations already knew what internal audit departments were supposed to do and how to put them to work. In the intervening years, I’ve found just the opposite to be the case; nobody knows whether internal auditors should be in charge of Sarbanes-Oxley compliance, financial controls generally, or whatever else comes to mind. To PWC’s thinking, business risks and shareholder value are the new black for internal auditors. Someone else will propose something different next quarter, I’m sure.

On one hand, the idea of internal auditors prowling around for business risks and protecting shareholder value strikes me as sensible. After all, somebody has to do it, and too often that person is not in the corner office. (Anyone doubting this should ask a General Motors shareholder what he thinks of CEO Rick Wagoner these days.) And internal auditors do have a knack for assuming the worst, finding the weakness, or browbeating the masses into compliance. Those are all useful traits when it comes to passing judgment, and that’s what gauging business risk is all about.

Then come my doubts. Investigating business and strategic risks sounds a bit beyond the pay-grade of your average internal auditor. I’m also not entirely clear on how one “audits” a strategic risk, anyway. For example, what sort of documentation do you need to confirm that GM’s insistence on making large vehicles is risky? I’ve always thought those questions could be answered by exercising common sense, but that’s been in short supply around Corporate America for years.

I don’t mean to disparage PWC’s report; its suggestions are worth considering and they highlight a problem that does need to be addressed. But at its essence, the question is whether internal auditing departments are best used to audit changes in operations, as PWC suggests, or to audit adherence to policy, as most departments have historically done. I don’t know what the right answer is. Do you?

Posted by: mkelly @ 3:48 pm

Filed under: Internal Auditing

1 Comment »

  1. I try to keep an open mind about these “thought starters”, but

    - It is the bias expressed in the paper that can limit IA as a valued consultant
    o The high cost of compliance for financial controls is as much the fault of years of management neglect as it is the inefficiency of IA
    o IA needs to provide critical thinking (an alternative) but is perceived as the deal killer
    - The lofty goal for better share holder value is more often perceived to align with short term tactics than long term strategy
    o IA is not in a position to retrain senior management
    o The current financial crisis (PwC intro) has lots to do with greed as well as failed risk management
    - Some of what PwC advocates is in conflict with the profession as objective and independent
    o ERM programs have well defined limits on IA role (IA should not own the policy and process)
    - This PwC advertising piece fails to link all the dots
    o The current financial crisis is likely to change the financial risk from 3rd (15%) to 2nd (25%)

    On the other hand, anything that helps lift our profession is worth consideration

    Comment by Gene McGill — November 18, 2008 @ 6:00 pm

RSS feed for comments on this post.

Leave a comment