Blog: Internal Auditors Can Audit Anything — but Not Everything

In his blog, IIA President and CEO Richard Chambers, CIA, QIAL, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. Here’s an excerpt from his latest post:

There are times when internal audit clients and others have unrealistic expectations about our profession. It’s not surprising, then, that there may be confusion about our role. After all, internal auditors wear many hats. We are analysts, controls experts, consultants, teachers, business partners, watchdogs, financial advisers, compliance experts, and more. We truly can audit almost anything. While some risks clearly require additional expertise to audit, as I wrote in a 2014 blog post, “you don’t have to be a clown to audit the circus.” However, as I noted then, while we might be able to audit anything, we c​an’t audit everyt​hing.

Each time a major control breakdown makes headlines, someone inevitably asks, “Where were the internal auditors?” As we have sadly seen too often in the past year, the internal auditors were engaged and, in fact, did raise red flags in advance of calamities. But the warnings were not addressed satisfactorily by management. Given the size and complexity of many organizations today, it would require incredibly large internal audit functions to address all of the risks that organizations face. Sometimes, there simply aren’t enough internal audit resources to cover all the significant risks and, yes, there also are times when internal audit overlooks a key risk that proves catastrophic.

At best, the internal audit function can only be as effective as the resources, training, and talent that are available. Internal auditors are not infallible, and given the realities of budgets and cost justifications, we also cannot be omnipresent.

Read the full InternalAuditor.org blog post from IIA President and CEO Richard Chambers.