SlideShare une entreprise Scribd logo

Internal Audit's Role in Preventing Economic Crises

J
jamlex

The document discusses the global economic crisis and whether internal auditors could have helped prevent it. It argues that internal auditors have avoided criticism, but this may reflect low expectations of their role in assessing risk management systems. The IIA standards from 2000 required internal auditors to evaluate risk management effectiveness, but few complied. The crisis revealed deficiencies in risk management, so internal auditors may have missed an opportunity to identify issues earlier. Improving guidance and skills in this area could help internal auditing contribute more.

BusinessÉconomie & finance
1  sur  8
Télécharger pour lire hors ligne
The Global Economic Crisis: could Internal Audit have helped prevent It? Tim Leech thinks that Internal Auditors have avoided the blame for the current global economic conditions. But is Internal Audit blameless or underperforming? Commissions, often better labelled inquests, are underway in countries around the world to try and understand what has caused the unprecedented global economic crisis. To date, fingers of blame are being pointed at a wide range of suspects - deficient risk management systems, greedy executives, corporate compensation systems that would tempt a saint, corrupted credit rating agencies, major oversight lapses at the SEC, bank regulators asleep at the switch, insurance regulators that failed to monitor the ability of insurers to pay, technically flawed accounting standards, deficient board oversight, U.S. government policy that encouraged banks to loan money to people that couldn’t afford to repay it, ineffective external auditors, and others yet to be indicted. What I haven’t seen or heard to date, is a single commission, news item, column, or article that even hinted at the idea that internal auditors, including internal auditors at major banks, insurance companies, the SEC, bank regulators, credit agencies, companies that were defrauded and/or seriously harmed by “toxic” and sometimes fraudulent investment products, are even partially to blame. Not being fingered for even a portion of the blame in a catastrophic situation is a good thing for the internal audit profession, isn’t it? Unfortunately, I don’t think so. I think the absence of even mild criticism of the internal audit profession is an indictment of the profession’s track record assessing and reporting on the effectiveness of their client’s risk management systems to help prevent catastrophic risk and control governance failures before they occur. Legislators, the press, regulators, investor advocates, investors, the courts and the general public seem to have little or no expectation that the internal audit profession could have, or should have, played any significant role preventing the events that have inflicted massive, grievous global harm to companies, employees, shareholders, government and the general public. Generally low expectations of key customers and stakeholders should be viewed by the profession generally, and individual internal audit departments specifically, as a major threat to the profession. History repeats When the demise of Enron in December 2001 was followed by the perfect storm of World Com and HealthSouth in the U.S, Nortel in Canada, Parmalat in Europe, and others, a flurry of corporate inquests and finger pointing occurred, not dissimilar to the wave currently unfolding. An important result in the U.S. was the Sarbanes-Oxley Act of 2002. In the UK the Combined Code was determined to be a suitable position to defend the UK against major problems. Canada enacted National Instrument 52-109. The role of an internal audit function was not specifically referenced in the Sarbanes-Oxley legislation and was similarly ignored in the subsequent enabling SOX regulations. As a general statement, regulators in the U.S., UK,
Canada and Europe have assigned little importance to the role of internal audit in terms of its ability to prevent major risk management failures. Inquiries held to examine the savings and loan collapse that inflicted multi-billion dollar losses on the U.S. government and U.S. taxpayers more than three decades ago similarly ignored the role internal auditors could play preventing major instances of risk management breakdowns. Internal audit – blameless or underperforming? Is internal audit truly blameless in this current global economic crisis, or is the absence of criticism of the profession globally more a reflection of low public expectations? Is low stakeholder expectations linked to widespread non-compliance with the 2000 IIA professional practice standard 2110.A1 that requires internal auditors independently and objectively evaluate and report to their boards of directors on the effectiveness of risk management systems? The blame argument – Internal Auditors should have been assessing and reporting on the effectiveness of risk management systems but weren’t. In December 2000 the Institute of Internal Auditors (IIA) issued new global professional standards intended to govern the conduct of the profession of internal auditing. Section 2110.A1 of the Standards stated: “The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management systems.” Although it isn’t explicitly stated in the standard, it would seem reasonable that Internal Audit was also expected to report the results of their monitoring and evaluation of risk management systems to senior management and the board of directors. Guidance issued by the IIA on the 2000 standards contained in the 2002 The IIA Handbook Series: Implementing the Professional Practices Framework cautioned readers that this new professional practice standard represented new and uncharted waters. The 2002 guide states: “The new Implementation Standard 2110 A.1 makes it clear that internal auditors should review the risk management system as part of their assurance activities for the board and senior management. This represents new territory for most internal audit shops. Few organizations have established processes for assuring the adequacy and effectiveness of risk management procedures.” The wording contained in section 2120 of the newest IIA International Professional Practices Framework released in January 2009, covering what was previously practice standard 2110A.1, was modified in a number of important ways. The standard now reads as follows: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The word “should” was changed to “must”. The requirement to “monitor” was dropped in the core standard but retained in the interpretation. The requirement to “evaluate” was retained. The term “risk management systems” was changed to “risk management processes”. The introduction to the new Professional Practice Framework provides an official IIA position on the use of the word “should” versus “must”.
“Specifically, the Standards use the word must to specify an unconditional requirement and the word should where conformance is expected unless, when applying professional judgment, circumstances justify deviation.” Based on my reading of the 2000 IIA professional practice standards and the IIA’s interpretation of the words, internal audit departments around the world that wanted to comply with the IIA professional practice standards should have been monitoring, evaluating, and reporting on the effectiveness of risk management systems since 2001. This responsibility has been further amplified by the wording in the newest professional practice standards released in January 2009. I haven’t heard or seen any internal auditor put forward an argument that their specific “circumstances justify deviation”. However it may be that many internal audit customers don’t think that it is an internal audit responsibility to evaluate and report on the effectiveness of risk management systems or, alternatively, that internal auditors are technically capable of reliably evaluating and reporting on the effectiveness of risk management systems. Deficient risk management processes at the root of the current economic crisis Commission after commission studying the events and circumstances that have led up to the current economic crisis are concluding that deficient risk management was one of the primary root causes of what went wrong. A report dated March 6, 2008 from the Senior Supervisors Group representing regulators from the U.S., UK, France, Germany, and Switzerland titled Observations on Risk Management Practices during the Recent Market Turbulence states: “primary supervisors are critically evaluating the efforts of individual firms they supervise to address weaknesses in risk management practices that emerged during the period of market turmoil. Each supervisor is ensuring that its firms are making appropriate changes in risk management practices, including addressing deficiencies in senior management oversight, in the use of risk measurement techniques in stress testing, and in contingency funding planning.” How many Internal Audit departments have, in fact, complied with section 2110.A1, a standard enacted in 2000? During the past eight years since the IIA enacted the new standard requiring internal auditors evaluate the effectiveness of their organisation’s risk management systems I have taken informal polls of thousands of internal auditors representing internal audit departments around the world. The question I posed was generally something like this: “How many of you in the room annually assess and report on the effectiveness of your organisation’s risk management systems to your board of directors?” The answer was always consistent - somewhere between none and a small fraction of the internal audit departments represented in the room were formally evaluating and providing opinions to the company’s board of directors on the effectiveness of their organisation’s risk management systems. Some of the audit departments that reported they were not complying with this section were receiving “Fully complies” or similar ratings from independent quality assurance review teams, perhaps on the basis that it was appropriate, using “professional judgment”, to scope out compliance with this standard. The 2006 Common Body of Knowledge (CBOK) study done by the IIA indicated that full conformity with the much broader “2100 Standard series” was 57%. I suspect that respondents to the CBOK study that replied positively were focusing more on the broad question of whether internal audit was helping to improve risk
management systems, as opposed to the specific requirement to report on the effectiveness of risk management systems specified in section 2110.A1. The fact that so few audit departments have complied with section 2110.A1 is not really surprising. Other than a very limited amount of guidance contained in Chapter 8 of 2002 The IIA handbook series: Implementing the professional practices framework published by the IIA, some general introductory training on risk management available to members, and a very good book on the subject titled “Auditing the Risk Management Process” by K.H. Spencer Pickett published by Wiley in 2005, there hasn’t been much attention focused on how to best equip internal auditors to competently fulfill this requirement and, perhaps most importantly, how to measure progress being made to achieve this goal. If the amount of guidance the PCAOB in the U.S. has produced to guide auditors and management required by law to arrive at a repeatable opinion on the relatively narrow topic of control effectiveness for section 404 of Sarbanes-Oxley is any indication, the task of creating guidance and learning systems capable of producing reliable and repeatable Internal Audit opinions on the effectiveness of risk management systems will be at least as daunting and elusive a task. It is worth noting that, although the Certified Internal Auditor (CIA) exam syllabus under the caption of Internal Audit Activity’s Role in Organizational Governance specifically includes reporting on the effectiveness of an organisation’s control framework, it is silent on the obligation to provide opinions on the effectiveness of risk management systems. Responsibilities like “Discuss areas of significant risk” and “Support board in enterprise-wide risk assessment” are not the same as providing an opinion on the effectiveness of an organisation’s risk management systems. Internal Audit’s role in Organisational Governance per the January 2009 CIA exam syllabus is shown below. C. Understand the Internal Audit Activity's Role in Organizational Governance (10-20%) (P) 1. Obtain board's approval of audit charter 2. Communicate plan of engagements 3. Report significant audit issues 4. Communicate key performance indicators to board on a regular basis 5. Discuss areas of significant risk 6. Support board in enterprise-wide risk assessment 7. Review positioning of the internal audit function within the risk management framework within the organization 8. Monitor compliance with the corporate code of conduct/business practices 9. Report on the effectiveness of the control framework 10. Assist board in assessing the independence of the external auditor 11. Assess ethical climate of the board 12. Assess ethical climate of the organization 13. Assess compliance with policies in specific areas (e.g., derivatives) 14. Assess organization's reporting mechanism to the board 15. Conduct follow-up and report on management response to regulatory body reviews
16. Conduct follow-up and report on management response to external audit 17. Assess the adequacy of the performance measurement system, achievement of corporate objective 18. Support a culture of fraud awareness and encourage the reporting of improprieties Evaluating, what can sometimes be, sophisticated risk management systems/processes requires very different skills than those used to complete traditional point-in-time, control/process centric direct report audits – even audit plans and audits that claim to be “risk-based”. An assessment by internal audit of the risks to the entity, a business unit, business process, or topic is not the same as evaluating management’s risk management systems. In cases where internal audit plays a significant role formally identifying, documenting, assessing and reporting on risk status on management’s behalf, it is not hard to argue that internal audit is precluded by independence standards from evaluating and reporting on the effectiveness of an organisation’s risk management systems. An independent evaluator external to the organisation would need to be retained to comply with section 2120 of the standards. The fact that more than one in every eight Sarbanes-Oxley section 404 control effectiveness opinions from management and external auditors in 2006 were later found, as a result of restatements of the financial statements, to be materially wrong should raise serious questions about the ability of auditors today, both internal and external, to form reliable conclusions on control effectiveness. Although the SOX 404 opinion error rate appears to be declining for large public companies, the frequency of materially wrong opinions on control effectiveness is still shockingly high. The UK elected not to follow the lead of the U.S. to require management or auditors of UK listed companies report on the “effectiveness” of internal control over financial reporting. One of the reasons cited is that management and auditors currently lack the necessary assessment frameworks, training and tools to provide reliable, repeatable conclusions on control effectiveness. How many Internal Audit departments that haven’t complied with IAA professional standard 2110.A1 over the past eight years will comply with the new section? Given that the IIA professional standard specifying auditors should evaluate the effectiveness of risk management systems came in to force in 2000, now more than eight years ago, it would appear that one or more of the following conclusions linked to the current global economic crisis must be true. 1. Internal Audit departments in organisations at the root of the current economic crisis were not formally assessing and reporting to their boards on the effectiveness of risk management systems that have now been identified as deficient and one of the most significant root causes of the current economic crisis – a missed opportunity. 2. Internal auditing departments and/or the companies they work for don’t find the IIA professional standards useful; their key customers don’t care about whether they do, or don’t, comply with IIA Standards; and, quite correctly, they haven’t made any claims, internally or externally, that they comply with IIA professional standards. 3. Internal audit departments in impacted organisations did try to evaluate and report on the effectiveness of risk management systems as required by section 2110.A1 of the IIA
professional practice standards, but were unsuccessful identifying and reporting significant deficiencies in those systems. 4. Internal audit departments were following the IIA professional standards, were competently assessing and reporting significant deficiencies in their organisation’s enterprise, credit, market, and operational risk management systems, but their warnings were ignored by senior management and the board of directors. In the case of banks, regulators, almost certainly, would have reviewed any reports from internal audit on the effectiveness of the organisation’s risk management systems. The informal polls I have taken and training and consulting work I have done with hundreds of internal audit departments around the world over the past eight years supports the view that conclusion number one has most often been true, although I have also found that more than a few companies subscribe to option number two. It is also likely that, in at least a few organisations, elements of option three and four were also true. It is important to note that the polls I have taken were not specific to the banking sector. I personally endorse the IIA’s decision to elevate the words “should evaluate” in section 2110.A1 to “must evaluate” in section 2120 of the new, revised IIA professional practice standards. Evaluating and reporting on the effectiveness of risk management systems represents a tremendous opportunity to make the internal auditing profession and its members more relevant, more valuable, better paid and, most importantly, more respected. However, I also believe that the IIA should take immediate and significant steps to develop practical training curriculum and guidance for internal auditors to equip them to reliably assess and report on the effectiveness of risk management systems. It is essential that any new IIA guidance require that internal auditors report on effectiveness of risk management processes using a suitable assessment framework as a benchmark. The professional practice guidance in this area issued by the IIA in January 2009 is silent on the topic of a “suitable assessment framework”. The four criteria for a suitable framework specified by the SEC to report on effectiveness of control systems for Sarbanes-Oxley are also generally relevant for reporting on effectiveness of risk management processes. If the criteria specified by the SEC for a “suitable” framework were modified to relate to reporting on the effectiveness of risk management processes the suitability criteria might read something like this: “a suitable framework must be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s risk management systems; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of all significant risk management systems relevant to the organization are not omitted; and be relevant to an evaluation of risk management related to all aspects of the company’s operations that could materially impact stakeholders.” Given the relatively immature and error prone state of the risk and control management effectiveness reporting disciplines as evidenced by the currently high SOX 404 control effectiveness error rate in U.S. listed companies, this will not be an easy task, but one that should be shouldered. To better protect investors and other key stakeholders somebody should be preparing independent and objective reports on the effectiveness of risk management
systems for boards of directors. I believe without reservation that reporting on the current effectiveness of risk management systems is significantly more valuable than providing subjective opinions on the effectiveness of control. Security regulators should demand that this be done and that boards of directors take steps to confirm that it is being done. That somebody should be professional Internal Auditors. The recent repackaging by the IIA of a position paper originally authored by the IIA UK in 2004 titled: The role of Internal Auditing in enterprise-wide risk management and the new IIA Practice Advisory 2120-1: Assessing the adequacy of risk management processes, both issued in January 2009, are a good start, but lack the critical component of offering a generally accepted assessment framework that meets the criteria specified above. The 2009 version of the role of Internal Audit in enterprise-wide risk management position paper contains an important caution that acknowledges that many internal auditors are currently ill equipped to evaluate risk management systems. The position paper on page 6 states: “Nor should internal auditors who seek to extend their role in ERM underestimate the risk management specialist areas of knowledge (such as risk transfer and risk quantification and modelling techniques) which are outside of the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.” (NOTE: It isn’t clear to me how an internal audit department that is not qualified to provide an opinion on the effectiveness of risk management systems can also be in compliance with section 2120 of the new professional practices framework that states internal auditors must evaluate the effectiveness of risk management processes.) Could Internal Audit have helped prevent the global economic crisis? Turning to the question posed in the title of this article - Could internal audit have helped prevent the current economic crisis? my conclusion is this: Had the IIA in its role as standard setter and training provider, and all internal audit departments that claim, or seek to claim, compliance with IIA standards, invested the time and resources necessary to equip internal auditors to competently and reliably assess and report on risk management systems in the early part of this decade, using a suitable assessment framework, there is a possibility, but not a certainty, that this global economic crisis could have been prevented. It is too late to prevent the current crisis, but it’s not too late for the internal audit profession to play an important role preventing the next major corporate governance breakdown. Internal audit is capable of more than it is has contributed to date - if the Institute’s leadership and members are willing to focus significant resources on generating the necessary tools and training necessary to achieve widespread compliance with section 2120 of the new Professional Practice Standards. I encourage all of you reading this article to let the IIA leadership know what you think should be done to make the internal audit profession more relevant, more respected and better paid. Being accused of not fully meeting an expected standard of care is far better than being considered irrelevant.
Note from the editor The views expressed in this article are the views of the author only and do not necessarily represent the views of his employer or the ACCA. This article will shortly appear on ACCA's Global Economy microsite. ACCA is keen to get the views of its members on the issues raised by this article and would encourage members to use the discussion facility on the Global Economy microsite to discuss this further. www.accaglobal.com/economy/ Tim Leech is Director GRC (Governance Risk & Compliance) Services at Navigant Consulting in Toronto, Ontario. He is a member of the Ontario, Alberta and Canadian Institutes of Chartered Accountants in Canada, as well as the Institute of Management Accountants, Institute of Internal Auditors, and the Association of Certified Fraud Examiners in the U.S. He is recognised globally as a thought leader in the areas of enterprise risk and control governance and oversight, control and risk self-assessment, Sarbanes-Oxley, internal and external audit failure, internal audit transformation, and fraud prevention and detection. Tim can be contacted at tim.leech@navigantconsulting.com. References: The IIA Handbook Series: Implementing the Professional Practices Framework, Christy Chapman, Urton Anderson, The Institute of Internal Auditors, 2002 International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors, October 2008. IIA Web Site, Understand Internal Audit Activity’s Role in Organizational Governance, www.theiia.org/certification/certified-internal-auditor/cia-exam-content/index.cfm?c=457 IIA Position Paper, The Role of Internal Auditing In Enterprise-Wide Risk Management, Institute of Internal Auditors, January 2009. Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes, Institute of Internal Auditors, January 2009.

Recommandé

Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot SpotsRon Steinkamp
 
NEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Security Services
 
Lecture 14 fraud and accountant - james a. hall book chapter 3
Lecture 14 fraud and accountant - james a. hall book chapter 3Lecture 14 fraud and accountant - james a. hall book chapter 3
Lecture 14 fraud and accountant - james a. hall book chapter 3Habib Ullah Qamar
 
Fraud Risks In A Challenging Economy Dbb 072811
Fraud Risks In A Challenging Economy Dbb 072811Fraud Risks In A Challenging Economy Dbb 072811
Fraud Risks In A Challenging Economy Dbb 072811ccasler
 
Audit, control and enterprise wide risk management
Audit, control and enterprise wide risk managementAudit, control and enterprise wide risk management
Audit, control and enterprise wide risk managementpeterObakozuwa
 
Beyond_the_Horizon_White_Paper_Systemic_Risk
Beyond_the_Horizon_White_Paper_Systemic_RiskBeyond_the_Horizon_White_Paper_Systemic_Risk
Beyond_the_Horizon_White_Paper_Systemic_RiskPhilip C Ballard
 
Hebeler auditor's legal liability
Hebeler auditor's legal liabilityHebeler auditor's legal liability
Hebeler auditor's legal liabilityCarl Hebeler
 

Recommandé

Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot Spots2015 Tackling This Year's Audit Hot Spots
2015 Tackling This Year's Audit Hot SpotsRon Steinkamp
 
NEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Security Services
 
Lecture 14 fraud and accountant - james a. hall book chapter 3
Lecture 14 fraud and accountant - james a. hall book chapter 3Lecture 14 fraud and accountant - james a. hall book chapter 3
Lecture 14 fraud and accountant - james a. hall book chapter 3Habib Ullah Qamar
 
Fraud Risks In A Challenging Economy Dbb 072811
Fraud Risks In A Challenging Economy Dbb 072811Fraud Risks In A Challenging Economy Dbb 072811
Fraud Risks In A Challenging Economy Dbb 072811ccasler
 
Audit, control and enterprise wide risk management
Audit, control and enterprise wide risk managementAudit, control and enterprise wide risk management
Audit, control and enterprise wide risk managementpeterObakozuwa
 
Beyond_the_Horizon_White_Paper_Systemic_Risk
Beyond_the_Horizon_White_Paper_Systemic_RiskBeyond_the_Horizon_White_Paper_Systemic_Risk
Beyond_the_Horizon_White_Paper_Systemic_RiskPhilip C Ballard
 
Hebeler auditor's legal liability
Hebeler auditor's legal liabilityHebeler auditor's legal liability
Hebeler auditor's legal liabilityCarl Hebeler
 
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016Tim Leech
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review ReportsLaura Martin
 
Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Tina Jordan
 
Fice Of Internal Audit
Fice Of Internal AuditFice Of Internal Audit
Fice Of Internal AuditChristina Berger
 
Audit Fee
Audit FeeAudit Fee
Audit FeeAshley Davis
 
Audit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting CompaniesAudit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting CompaniesHaji Gulahmadov
 
Fraud risk assessment
Fraud risk assessmentFraud risk assessment
Fraud risk assessmentAlexander Decker
 
Effect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of LiteratureEffect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of Literatureinventionjournals
 
Armstrong Accountancy Essay
Armstrong Accountancy EssayArmstrong Accountancy Essay
Armstrong Accountancy EssayAmanda Brady
 
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...Prof Niamh M. Brennan
 
Auditor Independence And Financial Statements
Auditor Independence And Financial StatementsAuditor Independence And Financial Statements
Auditor Independence And Financial StatementsNatasha Barnett
 
Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...Alexander Decker
 
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdfAUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdfOsarenrenAigienohuwa1
 
The changing role of internal audit
The changing role of internal auditThe changing role of internal audit
The changing role of internal auditaakash malhotra
 
Artifact 2 Written Report-Mohr
Artifact 2 Written Report-MohrArtifact 2 Written Report-Mohr
Artifact 2 Written Report-MohrMichael Mohr
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofitshimetro
 
ACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyenACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyenPhuong Nguyen
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Tim Leech
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Tim Leech
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...Call girls in Goa, +91 9319373153 Escort Service in North Goa
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 

Contenu connexe

Similaire à Internal Audit's Role in Preventing Economic Crises

Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016Tim Leech
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review ReportsLaura Martin
 
Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Tina Jordan
 
Audit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting CompaniesAudit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting CompaniesHaji Gulahmadov
 
Effect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of LiteratureEffect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of Literatureinventionjournals
 
Armstrong Accountancy Essay
Armstrong Accountancy EssayArmstrong Accountancy Essay
Armstrong Accountancy EssayAmanda Brady
 
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...Prof Niamh M. Brennan
 
Auditor Independence And Financial Statements
Auditor Independence And Financial StatementsAuditor Independence And Financial Statements
Auditor Independence And Financial StatementsNatasha Barnett
 
Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...Alexander Decker
 
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdfAUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdfOsarenrenAigienohuwa1
 
The changing role of internal audit
The changing role of internal auditThe changing role of internal audit
The changing role of internal auditaakash malhotra
 
Artifact 2 Written Report-Mohr
Artifact 2 Written Report-MohrArtifact 2 Written Report-Mohr
Artifact 2 Written Report-MohrMichael Mohr
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKHaresh Lalwani
 
Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofitshimetro
 
ACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyenACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyenPhuong Nguyen
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Tim Leech
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Tim Leech
 

Similaire à Internal Audit's Role in Preventing Economic Crises (20)

Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
Is Internal Audit the Next Blackberry Part 1 ACCA IA Bulletin Dec 2016
 
Internal Audit And Review Reports
Internal Audit And Review ReportsInternal Audit And Review Reports
Internal Audit And Review Reports
 
Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...Internal Audit Of The California Department Of Public...
Internal Audit Of The California Department Of Public...
 
Fice Of Internal Audit
Fice Of Internal AuditFice Of Internal Audit
Fice Of Internal Audit
 
Audit Fee
Audit FeeAudit Fee
Audit Fee
 
Audit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting CompaniesAudit Committee Material Weaknesses in Smaller Reporting Companies
Audit Committee Material Weaknesses in Smaller Reporting Companies
 
Fraud risk assessment
Fraud risk assessmentFraud risk assessment
Fraud risk assessment
 
Effect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of LiteratureEffect of Auditor Independence on Audit Quality: A Review of Literature
Effect of Auditor Independence on Audit Quality: A Review of Literature
 
Armstrong Accountancy Essay
Armstrong Accountancy EssayArmstrong Accountancy Essay
Armstrong Accountancy Essay
 
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
Brennan, Niamh [2003] Accounting in crisis: A story of auditing, accounting, ...
 
Auditor Independence And Financial Statements
Auditor Independence And Financial StatementsAuditor Independence And Financial Statements
Auditor Independence And Financial Statements
 
Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...Incessant financial scandals in the corporate organizations in nigeria audito...
Incessant financial scandals in the corporate organizations in nigeria audito...
 
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdfAUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
AUDITOR’S FEES AND AUDIT QUALITY OF DEPOSIT MONEY BANKS IN NIGERIA.pdf
 
The changing role of internal audit
The changing role of internal auditThe changing role of internal audit
The changing role of internal audit
 
Artifact 2 Written Report-Mohr
Artifact 2 Written Report-MohrArtifact 2 Written Report-Mohr
Artifact 2 Written Report-Mohr
 
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORKPOSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
POSITION OF INTERNAL AUDIT IN THE CORPORATE FRAMEWORK
 
Sas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md NonprofitsSas 112 May 14 08 Md Nonprofits
Sas 112 May 14 08 Md Nonprofits
 
ACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyenACC 4020-01_Auditing Research Project_FionaNguyen
ACC 4020-01_Auditing Research Project_FionaNguyen
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015
 
Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015Reinventing Internal Audit Final April 2015
Reinventing Internal Audit Final April 2015
 

Dernier

Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Peter Ward
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCRashishs7044
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCRashishs7044
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Doge Mining Website
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCRashishs7044
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 

Dernier (20)

No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 
Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...Fordham -How effective decision-making is within the IT department - Analysis...
Fordham -How effective decision-making is within the IT department - Analysis...
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
8447779800, Low rate Call girls in Shivaji Enclave Delhi NCR
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
Unlocking the Future: Explore Web 3.0 Workshop to Start Earning Today!
 
Corporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information TechnologyCorporate Profile 47Billion Information Technology
Corporate Profile 47Billion Information Technology
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 

Internal Audit's Role in Preventing Economic Crises

  • 1. The Global Economic Crisis: could Internal Audit have helped prevent It? Tim Leech thinks that Internal Auditors have avoided the blame for the current global economic conditions. But is Internal Audit blameless or underperforming? Commissions, often better labelled inquests, are underway in countries around the world to try and understand what has caused the unprecedented global economic crisis. To date, fingers of blame are being pointed at a wide range of suspects - deficient risk management systems, greedy executives, corporate compensation systems that would tempt a saint, corrupted credit rating agencies, major oversight lapses at the SEC, bank regulators asleep at the switch, insurance regulators that failed to monitor the ability of insurers to pay, technically flawed accounting standards, deficient board oversight, U.S. government policy that encouraged banks to loan money to people that couldn’t afford to repay it, ineffective external auditors, and others yet to be indicted. What I haven’t seen or heard to date, is a single commission, news item, column, or article that even hinted at the idea that internal auditors, including internal auditors at major banks, insurance companies, the SEC, bank regulators, credit agencies, companies that were defrauded and/or seriously harmed by “toxic” and sometimes fraudulent investment products, are even partially to blame. Not being fingered for even a portion of the blame in a catastrophic situation is a good thing for the internal audit profession, isn’t it? Unfortunately, I don’t think so. I think the absence of even mild criticism of the internal audit profession is an indictment of the profession’s track record assessing and reporting on the effectiveness of their client’s risk management systems to help prevent catastrophic risk and control governance failures before they occur. Legislators, the press, regulators, investor advocates, investors, the courts and the general public seem to have little or no expectation that the internal audit profession could have, or should have, played any significant role preventing the events that have inflicted massive, grievous global harm to companies, employees, shareholders, government and the general public. Generally low expectations of key customers and stakeholders should be viewed by the profession generally, and individual internal audit departments specifically, as a major threat to the profession. History repeats When the demise of Enron in December 2001 was followed by the perfect storm of World Com and HealthSouth in the U.S, Nortel in Canada, Parmalat in Europe, and others, a flurry of corporate inquests and finger pointing occurred, not dissimilar to the wave currently unfolding. An important result in the U.S. was the Sarbanes-Oxley Act of 2002. In the UK the Combined Code was determined to be a suitable position to defend the UK against major problems. Canada enacted National Instrument 52-109. The role of an internal audit function was not specifically referenced in the Sarbanes-Oxley legislation and was similarly ignored in the subsequent enabling SOX regulations. As a general statement, regulators in the U.S., UK,
  • 2. Canada and Europe have assigned little importance to the role of internal audit in terms of its ability to prevent major risk management failures. Inquiries held to examine the savings and loan collapse that inflicted multi-billion dollar losses on the U.S. government and U.S. taxpayers more than three decades ago similarly ignored the role internal auditors could play preventing major instances of risk management breakdowns. Internal audit – blameless or underperforming? Is internal audit truly blameless in this current global economic crisis, or is the absence of criticism of the profession globally more a reflection of low public expectations? Is low stakeholder expectations linked to widespread non-compliance with the 2000 IIA professional practice standard 2110.A1 that requires internal auditors independently and objectively evaluate and report to their boards of directors on the effectiveness of risk management systems? The blame argument – Internal Auditors should have been assessing and reporting on the effectiveness of risk management systems but weren’t. In December 2000 the Institute of Internal Auditors (IIA) issued new global professional standards intended to govern the conduct of the profession of internal auditing. Section 2110.A1 of the Standards stated: “The internal audit activity should monitor and evaluate the effectiveness of the organization’s risk management systems.” Although it isn’t explicitly stated in the standard, it would seem reasonable that Internal Audit was also expected to report the results of their monitoring and evaluation of risk management systems to senior management and the board of directors. Guidance issued by the IIA on the 2000 standards contained in the 2002 The IIA Handbook Series: Implementing the Professional Practices Framework cautioned readers that this new professional practice standard represented new and uncharted waters. The 2002 guide states: “The new Implementation Standard 2110 A.1 makes it clear that internal auditors should review the risk management system as part of their assurance activities for the board and senior management. This represents new territory for most internal audit shops. Few organizations have established processes for assuring the adequacy and effectiveness of risk management procedures.” The wording contained in section 2120 of the newest IIA International Professional Practices Framework released in January 2009, covering what was previously practice standard 2110A.1, was modified in a number of important ways. The standard now reads as follows: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The word “should” was changed to “must”. The requirement to “monitor” was dropped in the core standard but retained in the interpretation. The requirement to “evaluate” was retained. The term “risk management systems” was changed to “risk management processes”. The introduction to the new Professional Practice Framework provides an official IIA position on the use of the word “should” versus “must”.
  • 3. “Specifically, the Standards use the word must to specify an unconditional requirement and the word should where conformance is expected unless, when applying professional judgment, circumstances justify deviation.” Based on my reading of the 2000 IIA professional practice standards and the IIA’s interpretation of the words, internal audit departments around the world that wanted to comply with the IIA professional practice standards should have been monitoring, evaluating, and reporting on the effectiveness of risk management systems since 2001. This responsibility has been further amplified by the wording in the newest professional practice standards released in January 2009. I haven’t heard or seen any internal auditor put forward an argument that their specific “circumstances justify deviation”. However it may be that many internal audit customers don’t think that it is an internal audit responsibility to evaluate and report on the effectiveness of risk management systems or, alternatively, that internal auditors are technically capable of reliably evaluating and reporting on the effectiveness of risk management systems. Deficient risk management processes at the root of the current economic crisis Commission after commission studying the events and circumstances that have led up to the current economic crisis are concluding that deficient risk management was one of the primary root causes of what went wrong. A report dated March 6, 2008 from the Senior Supervisors Group representing regulators from the U.S., UK, France, Germany, and Switzerland titled Observations on Risk Management Practices during the Recent Market Turbulence states: “primary supervisors are critically evaluating the efforts of individual firms they supervise to address weaknesses in risk management practices that emerged during the period of market turmoil. Each supervisor is ensuring that its firms are making appropriate changes in risk management practices, including addressing deficiencies in senior management oversight, in the use of risk measurement techniques in stress testing, and in contingency funding planning.” How many Internal Audit departments have, in fact, complied with section 2110.A1, a standard enacted in 2000? During the past eight years since the IIA enacted the new standard requiring internal auditors evaluate the effectiveness of their organisation’s risk management systems I have taken informal polls of thousands of internal auditors representing internal audit departments around the world. The question I posed was generally something like this: “How many of you in the room annually assess and report on the effectiveness of your organisation’s risk management systems to your board of directors?” The answer was always consistent - somewhere between none and a small fraction of the internal audit departments represented in the room were formally evaluating and providing opinions to the company’s board of directors on the effectiveness of their organisation’s risk management systems. Some of the audit departments that reported they were not complying with this section were receiving “Fully complies” or similar ratings from independent quality assurance review teams, perhaps on the basis that it was appropriate, using “professional judgment”, to scope out compliance with this standard. The 2006 Common Body of Knowledge (CBOK) study done by the IIA indicated that full conformity with the much broader “2100 Standard series” was 57%. I suspect that respondents to the CBOK study that replied positively were focusing more on the broad question of whether internal audit was helping to improve risk
  • 4. management systems, as opposed to the specific requirement to report on the effectiveness of risk management systems specified in section 2110.A1. The fact that so few audit departments have complied with section 2110.A1 is not really surprising. Other than a very limited amount of guidance contained in Chapter 8 of 2002 The IIA handbook series: Implementing the professional practices framework published by the IIA, some general introductory training on risk management available to members, and a very good book on the subject titled “Auditing the Risk Management Process” by K.H. Spencer Pickett published by Wiley in 2005, there hasn’t been much attention focused on how to best equip internal auditors to competently fulfill this requirement and, perhaps most importantly, how to measure progress being made to achieve this goal. If the amount of guidance the PCAOB in the U.S. has produced to guide auditors and management required by law to arrive at a repeatable opinion on the relatively narrow topic of control effectiveness for section 404 of Sarbanes-Oxley is any indication, the task of creating guidance and learning systems capable of producing reliable and repeatable Internal Audit opinions on the effectiveness of risk management systems will be at least as daunting and elusive a task. It is worth noting that, although the Certified Internal Auditor (CIA) exam syllabus under the caption of Internal Audit Activity’s Role in Organizational Governance specifically includes reporting on the effectiveness of an organisation’s control framework, it is silent on the obligation to provide opinions on the effectiveness of risk management systems. Responsibilities like “Discuss areas of significant risk” and “Support board in enterprise-wide risk assessment” are not the same as providing an opinion on the effectiveness of an organisation’s risk management systems. Internal Audit’s role in Organisational Governance per the January 2009 CIA exam syllabus is shown below. C. Understand the Internal Audit Activity's Role in Organizational Governance (10-20%) (P) 1. Obtain board's approval of audit charter 2. Communicate plan of engagements 3. Report significant audit issues 4. Communicate key performance indicators to board on a regular basis 5. Discuss areas of significant risk 6. Support board in enterprise-wide risk assessment 7. Review positioning of the internal audit function within the risk management framework within the organization 8. Monitor compliance with the corporate code of conduct/business practices 9. Report on the effectiveness of the control framework 10. Assist board in assessing the independence of the external auditor 11. Assess ethical climate of the board 12. Assess ethical climate of the organization 13. Assess compliance with policies in specific areas (e.g., derivatives) 14. Assess organization's reporting mechanism to the board 15. Conduct follow-up and report on management response to regulatory body reviews
  • 5. 16. Conduct follow-up and report on management response to external audit 17. Assess the adequacy of the performance measurement system, achievement of corporate objective 18. Support a culture of fraud awareness and encourage the reporting of improprieties Evaluating, what can sometimes be, sophisticated risk management systems/processes requires very different skills than those used to complete traditional point-in-time, control/process centric direct report audits – even audit plans and audits that claim to be “risk-based”. An assessment by internal audit of the risks to the entity, a business unit, business process, or topic is not the same as evaluating management’s risk management systems. In cases where internal audit plays a significant role formally identifying, documenting, assessing and reporting on risk status on management’s behalf, it is not hard to argue that internal audit is precluded by independence standards from evaluating and reporting on the effectiveness of an organisation’s risk management systems. An independent evaluator external to the organisation would need to be retained to comply with section 2120 of the standards. The fact that more than one in every eight Sarbanes-Oxley section 404 control effectiveness opinions from management and external auditors in 2006 were later found, as a result of restatements of the financial statements, to be materially wrong should raise serious questions about the ability of auditors today, both internal and external, to form reliable conclusions on control effectiveness. Although the SOX 404 opinion error rate appears to be declining for large public companies, the frequency of materially wrong opinions on control effectiveness is still shockingly high. The UK elected not to follow the lead of the U.S. to require management or auditors of UK listed companies report on the “effectiveness” of internal control over financial reporting. One of the reasons cited is that management and auditors currently lack the necessary assessment frameworks, training and tools to provide reliable, repeatable conclusions on control effectiveness. How many Internal Audit departments that haven’t complied with IAA professional standard 2110.A1 over the past eight years will comply with the new section? Given that the IIA professional standard specifying auditors should evaluate the effectiveness of risk management systems came in to force in 2000, now more than eight years ago, it would appear that one or more of the following conclusions linked to the current global economic crisis must be true. 1. Internal Audit departments in organisations at the root of the current economic crisis were not formally assessing and reporting to their boards on the effectiveness of risk management systems that have now been identified as deficient and one of the most significant root causes of the current economic crisis – a missed opportunity. 2. Internal auditing departments and/or the companies they work for don’t find the IIA professional standards useful; their key customers don’t care about whether they do, or don’t, comply with IIA Standards; and, quite correctly, they haven’t made any claims, internally or externally, that they comply with IIA professional standards. 3. Internal audit departments in impacted organisations did try to evaluate and report on the effectiveness of risk management systems as required by section 2110.A1 of the IIA
  • 6. professional practice standards, but were unsuccessful identifying and reporting significant deficiencies in those systems. 4. Internal audit departments were following the IIA professional standards, were competently assessing and reporting significant deficiencies in their organisation’s enterprise, credit, market, and operational risk management systems, but their warnings were ignored by senior management and the board of directors. In the case of banks, regulators, almost certainly, would have reviewed any reports from internal audit on the effectiveness of the organisation’s risk management systems. The informal polls I have taken and training and consulting work I have done with hundreds of internal audit departments around the world over the past eight years supports the view that conclusion number one has most often been true, although I have also found that more than a few companies subscribe to option number two. It is also likely that, in at least a few organisations, elements of option three and four were also true. It is important to note that the polls I have taken were not specific to the banking sector. I personally endorse the IIA’s decision to elevate the words “should evaluate” in section 2110.A1 to “must evaluate” in section 2120 of the new, revised IIA professional practice standards. Evaluating and reporting on the effectiveness of risk management systems represents a tremendous opportunity to make the internal auditing profession and its members more relevant, more valuable, better paid and, most importantly, more respected. However, I also believe that the IIA should take immediate and significant steps to develop practical training curriculum and guidance for internal auditors to equip them to reliably assess and report on the effectiveness of risk management systems. It is essential that any new IIA guidance require that internal auditors report on effectiveness of risk management processes using a suitable assessment framework as a benchmark. The professional practice guidance in this area issued by the IIA in January 2009 is silent on the topic of a “suitable assessment framework”. The four criteria for a suitable framework specified by the SEC to report on effectiveness of control systems for Sarbanes-Oxley are also generally relevant for reporting on effectiveness of risk management processes. If the criteria specified by the SEC for a “suitable” framework were modified to relate to reporting on the effectiveness of risk management processes the suitability criteria might read something like this: “a suitable framework must be free from bias; permit reasonably consistent qualitative and quantitative measurements of a company’s risk management systems; be sufficiently complete so that those relevant factors that would alter a conclusion about the effectiveness of all significant risk management systems relevant to the organization are not omitted; and be relevant to an evaluation of risk management related to all aspects of the company’s operations that could materially impact stakeholders.” Given the relatively immature and error prone state of the risk and control management effectiveness reporting disciplines as evidenced by the currently high SOX 404 control effectiveness error rate in U.S. listed companies, this will not be an easy task, but one that should be shouldered. To better protect investors and other key stakeholders somebody should be preparing independent and objective reports on the effectiveness of risk management
  • 7. systems for boards of directors. I believe without reservation that reporting on the current effectiveness of risk management systems is significantly more valuable than providing subjective opinions on the effectiveness of control. Security regulators should demand that this be done and that boards of directors take steps to confirm that it is being done. That somebody should be professional Internal Auditors. The recent repackaging by the IIA of a position paper originally authored by the IIA UK in 2004 titled: The role of Internal Auditing in enterprise-wide risk management and the new IIA Practice Advisory 2120-1: Assessing the adequacy of risk management processes, both issued in January 2009, are a good start, but lack the critical component of offering a generally accepted assessment framework that meets the criteria specified above. The 2009 version of the role of Internal Audit in enterprise-wide risk management position paper contains an important caution that acknowledges that many internal auditors are currently ill equipped to evaluate risk management systems. The position paper on page 6 states: “Nor should internal auditors who seek to extend their role in ERM underestimate the risk management specialist areas of knowledge (such as risk transfer and risk quantification and modelling techniques) which are outside of the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit activity and cannot be obtained from elsewhere.” (NOTE: It isn’t clear to me how an internal audit department that is not qualified to provide an opinion on the effectiveness of risk management systems can also be in compliance with section 2120 of the new professional practices framework that states internal auditors must evaluate the effectiveness of risk management processes.) Could Internal Audit have helped prevent the global economic crisis? Turning to the question posed in the title of this article - Could internal audit have helped prevent the current economic crisis? my conclusion is this: Had the IIA in its role as standard setter and training provider, and all internal audit departments that claim, or seek to claim, compliance with IIA standards, invested the time and resources necessary to equip internal auditors to competently and reliably assess and report on risk management systems in the early part of this decade, using a suitable assessment framework, there is a possibility, but not a certainty, that this global economic crisis could have been prevented. It is too late to prevent the current crisis, but it’s not too late for the internal audit profession to play an important role preventing the next major corporate governance breakdown. Internal audit is capable of more than it is has contributed to date - if the Institute’s leadership and members are willing to focus significant resources on generating the necessary tools and training necessary to achieve widespread compliance with section 2120 of the new Professional Practice Standards. I encourage all of you reading this article to let the IIA leadership know what you think should be done to make the internal audit profession more relevant, more respected and better paid. Being accused of not fully meeting an expected standard of care is far better than being considered irrelevant.
  • 8. Note from the editor The views expressed in this article are the views of the author only and do not necessarily represent the views of his employer or the ACCA. This article will shortly appear on ACCA's Global Economy microsite. ACCA is keen to get the views of its members on the issues raised by this article and would encourage members to use the discussion facility on the Global Economy microsite to discuss this further. www.accaglobal.com/economy/ Tim Leech is Director GRC (Governance Risk & Compliance) Services at Navigant Consulting in Toronto, Ontario. He is a member of the Ontario, Alberta and Canadian Institutes of Chartered Accountants in Canada, as well as the Institute of Management Accountants, Institute of Internal Auditors, and the Association of Certified Fraud Examiners in the U.S. He is recognised globally as a thought leader in the areas of enterprise risk and control governance and oversight, control and risk self-assessment, Sarbanes-Oxley, internal and external audit failure, internal audit transformation, and fraud prevention and detection. Tim can be contacted at tim.leech@navigantconsulting.com. References: The IIA Handbook Series: Implementing the Professional Practices Framework, Christy Chapman, Urton Anderson, The Institute of Internal Auditors, 2002 International Standards for the Professional Practice of Internal Auditing, Institute of Internal Auditors, October 2008. IIA Web Site, Understand Internal Audit Activity’s Role in Organizational Governance, www.theiia.org/certification/certified-internal-auditor/cia-exam-content/index.cfm?c=457 IIA Position Paper, The Role of Internal Auditing In Enterprise-Wide Risk Management, Institute of Internal Auditors, January 2009. Practice Advisory 2120-1: Assessing the Adequacy of Risk Management Processes, Institute of Internal Auditors, January 2009.