First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls


By Norman D. Marks, CPA, CRMA | 3 Minutes Read July 5, 2017

Deloitte on internal audit and the path forward

In a new paper, Deloitte takes the results of its latest survey of chief audit executives (CAEs) and makes recommendations for action.
The survey, which has been widely reported, indicated that in the opinion of the responding CAEs only 28% of them “believe their functions have strong impact and influence in their organizations, while 16 percent felt that Internal Audit has little to no impact and influence”.
I think the path to fixing the problem starts with acknowledging it, which Richard Chambers has done in a number of his IIA posts (which you can find here).
Deloitte has suggested 9 areas of focus.
I disagree with them.
Here are my suggestions for CAEs, audit committee members, and executives who want to help improve the quality and value of internal audit services.

  1. Audit what matters. Audit how risks to the achievement of enterprise objectives, what might cause them to fail and what is necessary to succeed, are managed. Richard Chambers and I have each written a book with advice on the path forward. Neither of us does it for the money; it’s our shared desire to see the profession advance. My latest book, Auditing that matters, addresses this topic and more.
  2. Focus on helping your stakeholders succeed, rather than on performing audits and writing audit reports. Read Richard’s latest, Trusted advisors: key attributes of outstanding internal auditors. Ask what information your stakeholders need from you which could make them welcome you to their table.
  3. Communicate what matters, when it matters, in a way that is actionable and readily consumed. The advice on this topic from Deloitte is off the mark. I cover the point in far more detail in my book, including pointing out that IIA Standards do not require an audit report; that the best communication is face-to-face where questions can be asked and answered; and that we need to deliver our assurance, recommendations, and insights at speed. The business is being run faster and faster, yet our reporting process remains slow and old-fashioned.
  4. Understand why the CAE is not getting the respect he or she should. Is it a failure of the CAE to explain effectively or of the audit committee and management to understand the potential for internal audit to help them succeed? Is it because the CAE is complacent, delivering what he is told he should and being satisfied with good performance reviews and bonuses instead of pushing the envelope to deliver the services and value he or she could and should?
  5. Deliver. Last but hardly least, the CAE must deliver assurance and insights that the executive team and the audit committee truly value. Again, this is what my book is all about, but if the executives and audit committee see our end product as ‘ho-hum’ and not something that might affect their decisions or strategies, then is it worth the money being spent on internal audit? Why should they give respect and, more importantly, their time to an activity that is peripheral at best to running the business?
  6. Be willing to change. Some CAEs, such as Chris Keller at Apple, have thrown out the traditional internal audit model because they can see a better way to add value to the organization, providing assurance that the right risks are being taken. We don’t accept people in the business doing things the same way for years because that’s the way it is always done, so why should we do that ourselves?

 
I welcome your comments and perspectives.

Norman D. Marks, CPA, CRMA
Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Article by Norman D. Marks, CPA, CRMA / Finance and Accounting / audit committee, business risks, internal audit, stakeholders
