There is a joke which sums up some peoples’ attitudes to internal audit; it goes as follows:
“There is a pint glass, it contains half a pint of milk.
The optimistic manager says that the glass is half full.
The pessimistic manager says that the glass is half empty.
The internal auditor says that the milk is sour.”
Well I suppose, having run international internal audit departments in Philips and De Beers, I could be accused of being prejudiced. However, I firmly believe that a well run, independent and pro active internal audit department can add significant value to an organisation and its connected parties (such as shareholders).
I would point out that had the internal audit departments in both Enron and WorldCom operated in a professional and independent manner; then the gross mismanagement and corruption in these two companies would, in my opinion, not have occurred.
So how can an internal audit department add value? I will start with the basic, textbook, definition of the role of internal audit.
Internal audit provides independent objective assurance to the Board as to the adequacy of the business controls, and the effectiveness of the risk management and risk identification process.
In other words, the internal audit department should tell the Board when the company is being poorly managed, where risks are not being identified or mitigated and when the business objectives are not likely to be met.
In addition to this very wide ranging remit, a well run internal audit department adds value in the following ways:
It acts as a training ground for future line managers, by exposing fast track members of the department to a variety of situations, activities and functions within the organisation.
It provides a “one stop shop” for best practice advice.
It provides an independent, objective opinion as to the quality of the business controls.
It stimulates risk awareness throughout the organisation.
It is a source of qualified, experienced talent that can aid management in business improvement programmes.
It provides specialist professional independent opinions on a variety of situations; such as due diligence exercises.
It reports on fraudulent activity within the organisation, with a view to understanding how it happened and how to prevent it occurring again.
It ensures that the company wide initiatives, such as a code of conduct, are being adhered to.
I will expand on the subjects of business controls, risks (click here for risk article) and what constitutes a well run audit department (click here for the latter) in forthcoming articles.