Having an Internal Audit Function or having an effective Internal Audit Function?

10 Mar

The NASDAQ is presently considering a rule change that will require its listed companies to establish and maintain an Internal Audit Function (IAF). Similarly, the New York Stock Exchange (NYSE) listing rules mandate the presence of an IAF (NYSE Section 303A.07).

However, the NYSE does not address the effectiveness of the IAF. While some coercive force can be an important factor that may help to bring the best out of Internal Audit, having an IAF is not the same as having a value-adding and effective IAF. The NASDAQ may consider demanding organizations to establish and maintain an effective IAF. Academic research and more practitioner geared publications may provide helpful pointers what an effective IAF looks like.

What do you think?


4 Responses to “Having an Internal Audit Function or having an effective Internal Audit Function?”

  1. Tony Stanco March 10, 2013 at 8:27 pm #

    Yes effectiveness is important otherwise the Internal Audit Function just becomes window dressing. I think next step on horizon is implementing a budget requirement for internal audit. In the Quebec Municipalities and town act it is mandated that all municpalities with a population greater than 100,000 must have an audit size and allocate a percentage of their expense towards an audit function. For the largest cities this is 0.11 percent of expense. See Articel 107.5 of the Quebec Cities and Towns Act IV.1 Chief Auditor. Still does not guarantee effectiveness but at least provides a resource allocation for the audit function


    • drrainerlenz March 11, 2013 at 3:18 pm #

      Thank you Tony. This is interesting. As you point out, the money spent on IA is only about an input factor, and it says nothing about the outcome.


  2. Nadeem Aziz March 11, 2013 at 11:37 am #

    In uncertain times and given the volitile economic climate, IA needs to focus on all risks. Often IA departments are well structured but with career auditor often from practice. Such function are normally effective in managing compliance and policy adherenece but are inexperienced in managing and supporting the business with operational risk. This is an areas that needs vital coverage if organisation are to survive the downturn. Improved process and practice resulting from greater focus on opertional risk could make the difference between survial or collapse. IA teams need to be more willing recruit experienced business managers and use IA as a development avenue to senior management roles since they have the opportunity to view the business cross many dimensions. Only by having a properly diverse team of technical and commerically practioners can IA hope to be effective in providing the assurance, goverance and consultancy support that the business needs in these volatile times.


    • drrainerlenz March 11, 2013 at 3:24 pm #

      Thank you Nadeem. A PwC survey (2009) demonstrated that only 13% of respondents spent 25% or more of their resources on strategic and business risks, while these two risk areas are the prime causes of value destruction (60%), followed by operational problems (20%), and only 15% stem from financial risks and a mere 5% from compliance-related risks.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: