October 14, 2015

IIA Calls on SEC to Mandate Internal Audit Function

In conjunction with the SEC’s request for comments on its Audit Committee Disclosure Concept Release, the Institute of Internal Auditors (IIA) has requested that the SEC require all public companies to have an internal audit function or – at a minimum – explain why they don’t.

Assuming the requirement of an internal audit function, the IIA’s comment letter further recommends that, to assist investors’ understanding and evaluation of audit committee performance, audit committees be required to disclose:

– Whether the internal audit function has the stature, independence, and resources to fulfill its mission “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight,” and
– Whether the internal audit function is performing in accordance with globally recognized standards, such as the IIA’s International Standards for the Professional Practice of Internal Auditing.

In his recent blog, IIA President & CEO Richard Chambers reiterates the value to good governance and – more specifically – control environment oversight – that an effective internal audit function can provide, while (wisely) being careful to not imply that a company’s success or failure rides on the presence of internal audit.

While I understand the likely resistance to the suggested mandate and believe it is more appropriately the province of the exchanges (e.g., the NYSE already requires its listed companies to have an internal audit function) rather than the SEC, as noted previously, I am a firm believer – based on my personal experience – in the benefits attainable by a strong internal audit function.

Access heaps of checklists, surveys, samples and other relevant resources in our “Internal Auditors” Practice Area.

Internal Audit: Opportunities to Increase Use of Technology

According to a recent worldwide survey conducted by the world’s largest ongoing study of the internal audit (IA) profession (the Global Internal Audit Common Body of Knowledge (CBOK)), 50% of North American CAEs report using technology appropriately or extensively for audit processes, while 37% report some use of electronic workpapers or other office information technology tools, and 13% rely primarily on manual techniques. CBOK posits that this may be due to inadequate IT expertise on the IA staff, or the risk-taking and creativity associated with finding new ways to use technology that exceed that required for normal IA activities.

Whereas more than 90% of survey respondents worldwide hold four-year degrees or higher, only 1 out of 10 studied computer science or information technology – revealing little change since 2006. CBOK cites as one possible explanation of this the fact that technology is being incorporated into other areas of study, e.g., an information systems course as part of the IA curriculum, AIS as part of an accounting program.

Other notable stats:

  • 57% identified accounting as a major or significant field of study, followed by auditing at 43%.
  • 17% of North American CAEs reported certifications in information systems auditing (such as CISA, QICA, CRISC)
  • 11% relied on academic studies for obtaining their tech skills
  • 3% reported certifications in security for IT (such as CISM, CISSP, CSP, CDP)

More on “The Mentor Blog”

We continue to post new items daily on our blog – “The Mentor Blog” – for members. Members can sign up to get that blog pushed out to them via email whenever there is a new entry by simply inputting their email address on the left side of that blog. Here are some of the latest entries:

– Directors Debate Approaches to Board Refreshment
– SOX Compliance Costs & Audit Scrutiny on the Rise
– Effective Crisis Management: Impediments & Strategies
– Relationship Guidance for GCs & Internal Audit
– Board Effectiveness: Continuing the Journey

– by Randi Val Morrison