While external audit firms have seen a lot of scrutiny, and rightly so, regarding their role in corporate scandals, internal audit, famously termed the third line of defense, has not seen such detailed scrutiny. In this article, we analyze some of the potential root causes and the fixes to rebuild confidence in this important function.

The past decade has seen a string of high-profile corporate scandals, including:

  • Wells Fargo (2016): Account fraud driven by performance pressure.

  • Volkswagen (2015): "Dieselgate" emissions cheating.

  • Boeing (Ongoing): Quality control lapses and safety concerns.

  • Wirecard (2020): Massive accounting fraud.

  • FTX (2022): Collapse due to fraud and mismanagement.

And there are many others. These scandals highlight systemic failures in risk management, ethical conduct, and internal controls.

A recurring question after each scandal is: What role did internal audit play, and why didn't it detect or prevent the issue? Often, the answer is underwhelming.

While internal audit may have touched upon some related areas, the failures weren't adequately flagged or addressed. The underlying issue isn't necessarily that internal audit never works. It's that its effectiveness is often compromised, and its perceived value within the organization is diminished. This creates a "crisis of confidence."

If the function designed to provide assurance is failing, the entire governance structure is weakened.

Why Internal Audit Often Fails to Deliver

Several factors contribute to the shortcomings of internal audit when scandals occur. These often intertwine:

  • Lack of Independence & Objectivity: This is arguably the biggest issue. Internal audit reports to the audit committee, but can still be overly influenced by management. A perceived need to "keep the peace" or avoid rocking the boat can lead to a softening of audit findings. Career progression within the company can create an unconscious bias.

  • Risk Assessment Deficiencies: Internal audit’s effectiveness hinges on a robust risk assessment process. If the risk assessment is superficial, does not account for emerging risks (e.g., cyber, ESG), or is not regularly updated, critical vulnerabilities can be missed.

  • Limited Scope & Skill Sets: Internal audit teams are often stretched thin and lack the specialized expertise needed to effectively audit complex areas like cybersecurity, data analytics, supply chain risk, or advanced financial instruments. They may be heavily focused on compliance rather than proactive risk identification.

  • Auditing "the Process," Not the Outcome: Too often, internal audit focuses on whether controls exist rather than whether they are effective in preventing errors or fraud. They check boxes without truly assessing the risk the control mitigates.

  • Lack of Authority & Follow-Up: Even when internal audit identifies issues, recommendations may be ignored or downplayed by management. The function lacks the authority to enforce change, and there is often a lack of accountability and ownership of remediation.

  • Poor Communication & Relationship Management: A strained relationship between internal audit and management can lead to a culture of defensiveness and a reluctance to share information.

  • Over-Reliance on Sampling: Using a sample of transactions can be insufficient when the business has widespread issues. This can be a real problem with fraud where a small number of bad actors affect the entire enterprise.

  • Lack of Data Analytics & Technology: Internal audit has not fully embraced data analytics and other technologies to proactively identify anomalies and risks. Traditional audit methods are often reactive and inefficient. While this is changing with big data and AI, there is much work to be done to institutionalize new audit approaches.

Recommendations for Improvement

Structural & Governance Reforms

  1. Direct Reporting to the Audit Committee with a Solid Charter: The audit committee must be genuinely independent and have the authority to challenge management. The audit committee must actively monitor the internal audit function’s performance and independence. The charter should explicitly grant the function access to all records and personnel.

  2. Mandatory Rotation of Audit Committee Members: Fresh perspectives help avoid complacency and groupthink. This can be codified in the Audit Committee Charter or company bye-laws.

  3. Regular External Assessment of Internal Audit: An independent firm should periodically evaluate the function's effectiveness, independence, and adherence to standards (e.g., the Institute of Internal Auditors (IIA) Standards). The findings should be shared with the audit committee and corporate leadership.

  4. Blow-back Protection: Implement policies and cultural safeguards to protect internal auditors who raise concerns. Create confidential reporting channels (whistleblower programs) that are truly independent.

  5. Enhanced Authority to Escalate: Grant internal audit the authority to escalate significant concerns directly to the board of directors, bypassing management and even the audit committee, if considered necessary.

  6. Formal Conflict of Interest Policy & Review: Regularly review and enforce policies to prevent potential conflicts of interest within the internal audit team.

Methodology Improvements

  1. Risk-Based Audit Planning: Focus audit resources on the areas of highest risk, as determined by a robust, continuously updated risk assessment. Incorporate emerging risks (ESG, geopolitical, technology disruption).

  2. Continuous Auditing & Monitoring: Move away from periodic audits to a model of continuous monitoring, using data analytics to identify anomalies and potential issues in real time. Implement fraud detection techniques (data mining, anomaly detection).

  3. Focus on Control Effectiveness: Audit not just the existence of controls, but their effectiveness in mitigating risk. Use techniques like walk-throughs, process mapping, deviation assessment, and control testing to assess control design and operating effectiveness.

  4. Scenario Planning & "What-If" Analysis: Conduct audits that explore potential scenarios and assess the organization's resilience. Focus on black swan events and management's readiness to effectively deal with those events.

  5. Fraud Audits: Dedicate a portion of audit resources to proactively investigating potential fraud risks, particularly financial statement fraud and the risk of management override.

  6. Engage with External Auditors: Coordinate audit planning and scope with external auditors to avoid duplication of effort and share insights.

  7. Consider the COSO Framework in Its Entirety: Incorporate all aspects of the COSO internal control framework when developing controls and evaluating their effectiveness.

Skills & Technology Enhancement

  1. Recruit & Retain Specialized Expertise: Hire internal audit professionals with skills in areas like cybersecurity, data analytics, forensic accounting, and regulatory compliance.

  2. Continuous Professional Development: Provide ongoing training for internal audit staff to keep their skills up-to-date.

  3. Embrace Data Analytics and Automation Tools: Implement data analytics software to automate audit testing procedures, identify anomalies, and enhance risk assessment. Explore the use of AI and machine learning to augment and enhance all aspects of audit activity.

  4. Collaboration Tools: Implement collaboration tools to facilitate communication and knowledge sharing within the internal audit team and with stakeholders. Build open channels of communication and regularly interact with all levels of management to build mutual trust.

The effectiveness of internal audit depends on many factors, including the organization’s culture, leadership commitment, and the quality of the internal audit team. Implementing these recommendations can be complex and may require a significant investment of time and resources. While the specific recommendations that are appropriate for a particular organization will depend on its unique circumstances, we feel this article adds to the body of knowledge in improving this important aspect of corporate governance.

Corporate scandals often have underlying cultural and systemic issues, and addressing those is paramount. It is crucial to consult with qualified professionals for tailored advice.

Reach out to us if you wish to discuss any matters mentioned in this article.
