On the quiet competence of internal audit
The function that gets the least attention relative to the value it produces, and what good internal audit actually looks like.
Internal audit is the function that gets the least attention from boards relative to the value it produces. This is not a complaint. It is a structural observation. Internal audit's best work is invisible by design. The risk that was identified before it became an incident, the control gap that was closed before it was tested, the policy that was updated before the regulator asked: none of it appears anywhere except in the internal audit committee papers, and even there it is described in the most undramatic language available.
I have come to think of internal audit as one of the two functions that most reliably tell me whether a regulated business is well run. The other is finance. Internal audit is the one I trust more, because finance reports to the chief executive and internal audit, properly structured, reports to the audit committee chair. The reporting line matters. It is the reason internal audit can say things finance cannot.
What good internal audit looks like is a small set of habits that compound over time. The audit plan is risk-based and is updated, not annually, but every time the risk picture changes. The reviews are scoped to test rather than to demonstrate. The findings are written in language that managers can act on, with a clear root cause and a clear recommendation. The follow-up is rigorous. Closed findings stay closed. Open findings have an owner and a date.
What bad internal audit looks like is the inverse. The audit plan is annual and follows the calendar rather than the risk. The reviews are scoped to a list of controls that have been tested before. The findings are written in the language of the rulebook and the manager cannot tell whether they have done anything wrong or merely failed to write something down. The follow-up is performative. Findings reopen. Action plans slip and are renewed without comment.
The interesting question is what makes the first picture happen rather than the second. The honest answer is that it depends on the audit committee chair more than on the head of internal audit. The chair is the customer. A chair who reads the reports, asks questions about the findings, attends the closeout meetings on material items, and pushes back on the action plan dates when they are too generous, will produce a head of internal audit who delivers the first picture. A chair who signs off the report and treats the function as a compliance item will produce, over time, the second.
The other person who matters is the chief executive. A chief executive who treats internal audit as a partner is a chief executive who is going to receive the difficult finding while it is still solvable. A chief executive who treats internal audit as an adversary is going to be told the difficult finding only when the audit committee chair has insisted, by which point the finding is harder to fix and the relationship is harder to repair.
I should also note something practical. The internal audit function in a multi-jurisdiction regulated group does not need to be enormous. It needs to be senior. A head of internal audit with three reports, given the right access and the right reporting line, will produce better work than a head with twelve and the wrong reporting line. The work is in the judgement, not the volume.
The board's working test for whether the internal audit function is doing its job is to ask, once a year, what the head of internal audit thinks the firm is going to get wrong next. The question is not a forecasting exercise. It is a test of whether the function has the standing to give an honest answer. If the answer is candid and surprising, the function is working. If the answer is anodyne, the function has been domesticated.

Volha Havorchanka
Chief of Strategy & Operations, ST Holdings Ltd