GIAS Standards May Lead Internal Audit Astray, Prioritizing Entity-Level Risks Over Enterprise Objectives
This article argues that the Global Internal Audit Standards (GIAS) may inadvertently steer internal audit functions toward auditing entity-level risks rather than critical enterprise-wide objectives. The author contends that while Standard 9.4 correctly emphasizes aligning audit plans with organizational objectives, Standard 13.2's focus on activity-level risk assessments can lead to audits that miss the most significant threats to the organization's survival and success. Internal audit professionals should consider this perspective to ensure their audit plans are truly enterprise risk-based and provide maximum value to the board and senior management.
The Disconnect Between GIAS Standards and Enterprise Risk
The author, a seasoned internal audit professional, raises a critical concern regarding the Global Internal Audit Standards (GIAS), specifically highlighting a potential disconnect between Standard 9.4 and Standard 13.2. While Standard 9.4 appropriately mandates that internal audit plans support organizational objectives and are based on an assessment of strategies, objectives, and risks, Standard 13.2, concerning engagement risk assessment, shifts the focus to identifying risks relevant to the 'activity under review.' This subtle but significant difference, the author argues, can lead internal audit functions to perform audits that are technically compliant but ultimately fail to address the most pressing enterprise-level risks.
Real-World Consequences of Misaligned Audits
To illustrate this point, the article presents two compelling real-world examples from the author's experience as a Chief Audit Executive (CAE). In both cases, previous audit approaches, which aligned with a traditional entity-based risk assessment, resulted in audits that, while thorough at their level, completely missed existential threats to the companies. For instance, at Maxtor Corporation, a traditional audit of a manufacturing division overlooked the critical enterprise risk of uncompetitive production costs, which ultimately led to the company's sale. Similarly, at Solectron Corporation, audits of individual factories failed to address the overarching issue of underperforming, unsustainable operations across multiple sites, contributing to the company's eventual failure. These examples underscore how a narrow, activity-level focus can divert internal audit's attention from the strategic risks that truly matter to an organization's long-term viability.
Shifting Towards Agile, Enterprise-Focused Audits
The author advocates for an internal audit approach that prioritizes enterprise risks and designs audits to assess the controls managing those risks, rather than conducting broad audits of entire entities. This means starting with enterprise objectives and their associated risks, then identifying where the controls for these risks reside within the organization. By focusing on these specific controls, internal audit can perform more targeted, agile, and relevant audits. This approach not only provides more valuable assurance, advice, and insight to senior leadership and the board on critical strategic issues but also moves internal audit beyond merely reviewing the operations of middle management. The article concludes by urging a re-evaluation of the GIAS to ensure they genuinely promote an enterprise risk-based audit methodology, thereby enhancing internal audit's strategic value.
Read more