Refocusing the Internal Audit Agenda; Board and Auditor Risk Management

I am seeing a lot of network discussion about internal audit, its value and deficiencies, and how it can provide benefit, justify its cost, and improve.  From the board and audit committee’s perspective, I have viewed internal audit as a potentially significant resource that is available to help directors and committee members obtain information that is necessary for them to satisfy their diligence and oversight responsibilities.  On the other hand, I have also heard from some people who believe that my expectations of internal audit, at least for some internal audit departments, are too high.  For additional insight, Click Here for a recent Protiviti Bulletin on the subject, Click Here for a blog post on the topic by Norman Marks, and Click Here for an IIA discussion paper.  Assuming that an internal audit department has the necessary expertise, I believe that there is a place for internal audit to assist with the evaluation of risk management and controls, and to recommend areas of improvement.  For that matter, there is also opportunity for outside/independent auditors to become involved in those areas (evaluation of risk management and controls, and to recommend areas of improvement) and also the evaluation of corporate governance.  For the most part, however, although papers are written, the influential accounting/auditing, risk management and board/director groups or professions that have the ability to really bring these issues to the front, and to start to create basic oversight or diligence expectations, if not actual standards themselves, have not yet gotten the job done or their messages are being lost in the forest.  Significant improvement is needed–we appear to be moving in that direction–but way to slowly.