Bribery, cyber-security and derivatives: is internal audit up to the task?

Do internal auditors have the resources, skills and authority necessary to do their jobs? I wonder. Recently, I was asked to be an expert witness in an alleged bribery case. Internal audit is one of the first places I look to when assessing governance failure because they are the eyes and ears of the board.

But are they always up to the task? At two auditing conferences I spoke at not long ago, I asked this question: how many auditors use Twitter? In both cases, only one hand went up. Yet we know cybercrime is widespread and under-reported, and management may not even know it’s happening. It’s a top concern of boards. How can internal auditors assure internal controls—not only over cyber-security but social media—when they themselves may be technically illiterate? IT literacy and data mining were two of the top skills required by internal auditors in a recent survey.

What about derivatives used by traders? How many auditors understand the use of derivative products such that they can attest to the internal controls over their use? The responses I received from my audiences were not encouraging.

What about corruption risk? How do auditors treat working notes, delegation to foreign auditors and language barriers, and do they even understand foreign practices? Do they visit the jurisdiction or audit from an office in Canada? The Ontario Securities Commission recently released a scathing report about emerging market risks, chastising not just boards but the audit and underwriting professions.

What about fraud? Evidence from the Conference Board is that many whistle-blowing programs don’t work and aren’t used. Now whistle-blowers can go directly to the U.S. Securities and Exchange Commission in Washington, completely bypassing possible retaliation, flawed investigations and toxic workplaces.

Auditors cannot choose which internal controls they validate. Regulatory authorities are clear: every activity of every entity should fall within the scope of the internal audit function.

Management may have a vested interest in starving internal audit or compromising their objectivity with management responsibilities. Regulators have been clear here also: auditors, both internal and external, must maintain their independence from audited activities. They cannot assess their own work.

If the internal audit function is weak, or the chief audit executive does not have the experience or stature, or management disregards internal audit findings, this is the fault of the audit committee and the board. And if auditing isn’t up to snuff, it’s the company that will suffer.