Earlier this year, PwC reported (in their 2013 State of the Internal Audit Profession) a significant gap between the expectations of the board and the performance of the internal auditing activity.

Now, the software firm of Thomson Reuters Accelus has released their own State of Internal Audit 2013 that may explain why.

Internal Audit Has to STOP Focusing On Internal Controls

According to Thomson Reuters, the #1 area to which internal auditors are devoting their attention – and expect to continue to focus in the future – is “assurance on internal control processes”. Assurance on the effectiveness of either risk or governance processes barely merits a blip on the radar, according to their report.

Now unless Thomson Reuters has a major flaw in their survey, this seems to say there is a major flaw in the priorities of internal audit departments across the globe. While IIA Standards and modern practices dictate that internal audit should “evaluate and improve the effectiveness of risk management, control and governance processes”, CAEs are satisfied with only providing assurance on internal control and boards are failing to demand that their CAEs step up.

It is not enough to answer surveys and show dissatisfaction. Boards need to act and demand more. When CAEs fail but don’t change, that is a failure of the board.

Let’s take the challenge to the next level….

  • Risk is the effect of uncertainty on objectives (per both COSO and ISO).
  • So, let’s not just report that the level of risk is or is not higher than desirable.
  • Let’s let the board and management know which objectives are at greater risk. Sometimes, they need to change their objectives!

I welcome your comments:

  • Do you agree it is well past time to stop providing assurance on internal controls and start providing assurance on the effectiveness of the organization’s processes for managing the risks to objectives?
  • Do you agree that internal audit should start being specific about which objectives are affected instead of making the board and top management guess by only reporting on risk?