Posts Tagged ‘internal auditing


Akio Morita and his message for internal audit

In his book “Made in Japan: Akio Morita and Sony”, Akio Morita, Co-founder of Sony describes vividly about the efforts to establish Sony in USA during its initial years.

He writes —

“I began to feel that to establish our company more firmly in the USA I had to get to know the country better and ….. I felt I needed to know more about how Americans lived and how they thought; …… understand Americans would be more difficult.”

 “If I were really to understand what life was like in America ………, I would have to move my family to the US and experience the life of an American.”

 I commuted to the office by bus every day, mingling with New Yorkers, listening to them talk, observing their habits almost like a sociologist.”

In his quest to establish his company in a foreign soil, Morita provides some excellent and awesome practical tips to internal audit function striving to get hold of the business which the organization is into.

As internal auditor, one thing which I hear often from our audit clients is –“Internal auditors do not understand the business!!!” The question of adding value loses focus at that point. Drawing from the analogy of Morita’s advice, internal audit functions can try the following in its quest to become the trusted advisers of the organization:

  1. Internal audit function can never restrict itself to cocoon of accounting and auditing parlance alone. It must be deliberate in getting to know the organization better through whatever (ethical) means it has in its hand.
  2. It is equally important to understand the motives and logic behind strategic business decisions and the ethos of decision making by organization’s management. (This becomes a reality when the Chief Audit Executive is able to ‘have a seat at the table’.)
  3.  Without compromising, it is imperative to maintain a fine balance between assurance and consulting assignments by the IA function. Independence does not mean that there should be outright rejection of consulting engagements. (Sometimes, consulting assignments provide immense opportunity to auditors to understand the business.)
  4.   Where appropriate, short term sabbatical to other business functions could be pursued by the IA function.
  5.  In the busyness and seriousness of internal auditing, auditors could become frantic and restless. In order to overcome this slippage, it is crucial for auditors to start being a person who can connect with the people. There can be differences of opinion between management and IA function. It is not necessary that both need to meet eye to eye on each and every issue. But, internal auditor can always ‘walk slowly though the crowd’ to know their pulse.
  6.  When auditors are able to listen more intently to people, many benefits fructify. What’s up with people bubbles to the surface rapidly. This enables auditors to be more aware of what they were dealing with. This will ultimately help auditors provide audit recommendation that makes business sense. 

Though the above suggestions may not be very scientific, I am convinced that the IA function should leave no stone unturned when it comes to understanding the business and adding value through its work.

‘Total immersion technique’ is one of the several techniques used in foreign language pedagogy. Under this approach, the student is ‘immersed’/ ‘submerged’ directly and immediately into the target language from the first opening day or hour of class.  It can be painful or unpleasant to the students initially but they learn words faster over a period of time. Similarly, internal audit function should use its earliest possible opportunity to learn and understand about the intricacies of business of the organization.  There will never be a perfect or sacred timing!!!

Question: Can the internal audit’s efforts to understand the business be made easy with any other practices? Please share them by leaving a comment to this post. I welcome your thoughts.



A thing of beauty is a joy forever,” wrote the English poet John Keats. Conversely, managing internal audit function may not be a joy forever (with the little knowledge from my personal experience!!!). At times, it becomes indispensable to develop a thick skin to overcome the resistance to internal audit function. In this professional journey, many auditors put forth the below question in different forms to me:

“Can the internal auditor function work independently?”

As we know, the IIA’s Attribute Standard 1100 “Independence and Objectivity” stipulates that — “The internal audit activity must be independent and internal auditors must be objective in performing their work.”

There can be great debates and discussions over this. But before arriving at a conclusion, let us prod to find out what can be done to uphold the independence of internal audit function in every organization.

I acknowledge that being an internal auditor is a tough (and unpopular) job when there is no proper support from various stakeholders. Killing the messengers — getting the heads chopped off — do happen everywhere. However, all is not gloomy as we tend to think. There is a ray of hope beyond this doom. If and only if internal auditors are able to ‘stand up and speak truth with knack and candor’. In order to make this a reality, I believe we can try the following:

  • First and foremost, it is important not to go on defensive to avoid the trouble. As auditors, it is comfortable to generate boring and predictable reports which will make the management yawn. (It will neither threaten the survival of internal audit function nor create a sour relationship with management.)
  • Secondly, it is essential for internal audit function to avoid engaging in negative tactics like trying to shield itself under the Audit Committee by treating the senior management as the ‘baddie’ or intimidating to trumpet to external stakeholders (like media, regulator, statutory auditors, etc) even when it is unwarranted.
  • Though I agree that certain dose of legal protection to the profession of internal audit is desirable, it will alone not make the internal audit completely independent. To be really independent, it is crucial to develop an atmosphere of mutual respect. Without sensationalizing or exaggerating the issues, internal auditors must learn to strike the balance by arriving at measured judgements.
  • Internal auditors must focus on things that matter. Materiality counts. Going overboard, auditors fall into trap of diluting their report (like water) with too much information rather making it concentrated (like sulphuric acid). It is imperative to prune lumbering and lengthy reports into concise and crisp ones with ruthless editing.
  • As internal auditors, we can easily lose the big picture when we are not intentional about it. We need to be creative and innovative by donning the ‘six thinking hats’ (as suggested by E.D. Bono) whenever necessary. There is a great synergy when we are able to combine impartiality with empathy.
  • Internal audit function must understand which of the stakeholders really call the shots. It is good to know the culture of the organization and be aware of (without getting involved in) office politics. We need to convey the message to the right people in the right form. Auditors can be nice but it is also important to stand our ground. In other words, we can be gentle but we must also learn to be assertive.
  • As July 2012 research report from EY suggests, internal audit function must be run like a business. It must hold itself accountable for operating excellence, continuous improvement and tracking impact. It must evaluate successes and monitor Key Performance Indicators (KPIs) defined on its value scorecard.

I have given some of my thoughts here. Though it is not comprehensive, I feel that these could be a starting point in helping us achieve the objective of independence. As we began with the poetic words, let me try to conclude in metaphoric words:

“Internal audit function is like chicken. Chicken is either YUMMY or YUCKY depending on how we cook it. Similarly internal audit internal audit function is either INDEPENDENT or DEPENDENT depending on how we build and maintain it.”

Now when someone asks you — “Can the internal auditor function work independently?”, you can confidently give the answer —

“It depends.”



Question: There could several other ways to promote independence of internal audit function. Please share them by leaving a comment to this post. I welcome your thoughts.


Is internal auditor the protagonist or antagonist?

Being part of the internal audit profession, I am always curious to find out what is inside the minds of the management whom I audit.  Whenever I get a chance, I try to figure out their personal expectations from the function of internal audit.

Recently, at the sidelines of a conference, I got an excellent opportunity to interact with one of the CFOs from a leading manufacturing company based in my city. As he was sharing his experiences with internal audit, I penned down the personal views of that CFO about the internal audit profession.

His first encounter with the internal auditors was back in the early 80′s while he was working as a finance manager for an automobile company. The Accounts Payable process was selected for review and most of the areas selected for review happened to belong to his division. He remembered the enormous amount of activity that went into preparing for the audit, how every document was double checked and triple checked to make sure that every deviation is fixed. And in the process of preparation, missing documents were completed, back dated and inserted into the files, left out signatures were obtained and by the time the auditors turned up everything looked perfect.  As expected, the internal auditors seemed happy enough to check off that they were able to receive everything they expected. That first experience has paradoxically shadowed his opinion on the value addition by internal audit for almost a long time.

However, subsequent to that first bizarre incident, he had faced many more internal audits in various capacities throughout his career in several organizations. Some of his key thoughts from his professional journey:

  1. Meeting some brilliant and extremely efficient internal auditors along the way, he has also come across some incompetent internal auditors in his assignments. In his experience, not all the internal auditors were competent enough. (As I heard this, I had the immediate impulse to refute his statement but continued listening to him silently to elucidate more views!!!)
  2. In several organizations, there is an unhealthy fear of auditors. There is often a fear (even though a misconception) that if any major issues are unearthed someone’s head will be cut off. Internal audit is viewed as a brute police force and no one ever want auditors to poke the nose into their work.
  3. In his experience, he had faced internal auditors who stay at one organization for years but fail to keep their skills updated or relevant. Such auditors did not develop the perspective of understanding how organizations run their businesses and how the competitors/ counterparts in their industry are managing emerging risks. As a result, they failed to provide innovative/ creative solutions through their audit. Internal audit was not seen as adding value, but creating needless interruptions to work.
  4. So, is internal audit viewed as part of the problem? or part of the solution?  Until internal audit is accepted as part of the solution by all the stakeholders, he believes that it will remain to be a problem.  Until business process owners develop an understanding that inculcating a healthy attitude and vibrant conversations with their auditors will only assist and not hurt them, it will continue to be a problem.

After the end of conversation with CFO, I was in a quandary.

  • Where do internal auditors fail to bridge the gap with management?
  • What makes internal auditors always ‘a thorn in the plant of roses’?
  • Why are the internal auditors perceived as ‘human beings with two horns and one tail’?

Though the nature of internal audit profession is prone to resistance across the organizations globally, I am still wondering how trust can be built so that unwarranted apprehensions over internal audit are removed from the minds of various stakeholders.


Risk Management and Internal Auditing

Of late, ‘risk management’ has become a glamorous buzzword. Organizations across the world have started to focus on risk management. ‘Chief Risk Officers’ have become norm of the day in several corporations. ERM, Risk Dashboard, Risk Appetite, Risk Tolerance, Risk Matrix, Risk Strategy, Risk Model, Risk Framework, Risk Governance, Risk Maturity – whatever you name it — these have become part and parcel of C-Suite Executives’ vocabulary.

Despite the intense amount of research that has taken place over this concept of risk management, organizations never seem to be on the top of the game; they keep lagging behind; and we still keep seeing some mighty catastrophes happening around us. Few examples:

  • BP’s Deepwater Oil rig explosion in Gulf of Mexico in 2010
  • Failures of risk management (particularly) in the financial services sector in the 2000s which became a major contributor to the global economic crisis of 2007-2008
  • Massive accounting scandals and scams of early 2000s

In spite of all the well intentioned efforts, resources, and time spent by the organizations to manage risk effectively and efficiently, we continue hearing the news of frauds, corruptions, bankruptcies, losses, man-made disasters, etc on a daily basis. So in this game of risk management, as internal auditors, where do we fit in? After all, is it necessary for us to chime in? Do we have any role to play? These are questions that keep pondering my mind.

True, risk universe for any organization may be far bigger than the audit universe; and it may be a mammoth task for internal auditors to provide assurance on risk management. But, before we move on, I wish to present some of the interesting quips on risk management:

  • “Extensive behavioral and organizational research has shown that individuals have strong cognitive biases that discourage them from thinking about and discussing risk until it’s too late.” ~ Harvard Business Review, June 2012
  • “Risk mitigation is painful, not a natural act for humans to perform.” ~ Gentry Lee, Chief Systems  Engineer at Jet Propulsion Lab, division of US National Aeronautics and Space Administration
  • “Risk management is non-intuitive. It runs counter to many individual and organizational biases. Risk management focuses on the negative – threats and failures rather than opportunities and successes.” ~ Robert S. Kaplan, Baker Foundation Professor at HBS and Anette Mikes, Assistant Professor at HBS

Thus, it is not difficult to understand that providing assurance on risk management by internal audit function is easier said than done. It’s not going to be a cakewalk either. It essentially requires moving out of our comfort zones and delving into enlarged and unexplored territories. Who knows? In the years to come, assurance over risk management could become a key imperative for internal audit profession as such.

Realizing the need and importance of the hour, the Institute of Internal Auditors (regulator of the internal audit profession worldwide) with much conviction has launched the Certification in Risk Management Assurance (CRMA) currently. This certification is aimed at developing internal auditors with proficiency in providing assurance on risk management effectiveness.

Okay, I believe it’s time to get ‘brisk’ on ‘risk’!!!

Question: Do you agree with me? Do you think providing assurance on risk management effectiveness is internal auditors’ cup of tea? Please share them by leaving a comment to this post. I welcome your thoughts.


July 2018
« May    



Online Accounting Degree blog feature