Another week, another study lamenting the angst-filled uncertainty of the internal audit department.

The latest dispatch comes from the Institute of Internal Auditors, which has published a survey of more than 500 auditing executives at large U.S. companies. The 15-page report contains the usual useful tips on how to run your department more efficiently (read: with less money) or how to engage all of a company’s stakeholders (read: people who might sue, picket, or otherwise put your CEO in the news) to help shape internal auditing’s priorities. For that practical advice alone, the report is worth reading.

Most intriguing, however, are respondents’ thoughts about enterprise risk management—which send just the sort of contradictory signals that editors like us love. Ponder this:

A majority of respondents say better risk management wouldn’t have helped prevent damage from the financial crisis;

A majority of respondents say internal auditing could have helped identify key risks to mitigate damage from the crisis.

At first glance, those two statements shouldn’t exist at the same time in the same universe. But there they are: Auditing executives say risk management wouldn’t have helped, but more internal auditing to find risks (which would then be managed) would have. What?

I suspect two forces are at work here. First, internal auditors are merely saying that their departments have the potential to do more—if they have proper resources. That is simple self-interest. It’s to be expected, especially when another factoid from the IIA report says 51 percent of respondents are facing budget cuts.

But more troubling is whether internal audit departments and the rest of Corporate America still have different definitions of what “risk” is. Too often we talk about enterprise risk management as some wholly contained thing: a program to execute, a department to staff, a number to appear on some dashboard application the audit committee sees quarterly. I routinely hear from internal auditors who aren’t even sure whether they’re supposed to play a role in risk management or leave that to some other executive. So they view ERM as a distant, theoretical goal that top management wants—and we all know how often distant goals from top management become reality.

Instead (my theory goes), internal auditors view enterprise risk management as the sum of all individual risks properly assessed and managed. Pondering all the possible risks from expansion overseas, or credit default swaps, or whatever, is a tall order, especially when department budgets are already so strained. Hence auditors don’t have much faith in the fabled ERM. But finding specific possible threats and quashing those—well, that’s what internal auditing has always been about.

Either way, it’s an interesting puzzle. Any thoughts out there?