, , , , , , , , , , , , , , , , , , , ,


… The reality is that even the most outstanding internal audit functions in the world cannot provide absolute assurance that all risks are effectively managed and all internal controls are effectively designed and implemented. We cannot assess every risk, and we cannot be everywhere at once.

Those who understand internal audit’s role recognize that the assurance it provides is only as effective as its ability to operate independently and with sufficient resources to do its job. Internal audit cannot identify weaknesses in process and policies or trends of behavior that circumvent controls and imperil the organization without full access to information and clear lines of communication with the audit committee, management, and the board.

But high-profile risk management or control debacles are sometimes a clear consequence of failure by all three lines of defense. In these instances, no honest assessment will absolve internal audit from all blame. Indeed, internal audit’s performance played a role in one of 2015’s high-profile corporate scandals. Outside investigators hired by Toshiba’s board in the wake of the company’s high-profile financial reporting scandal pointed fingers in a number of directions including internal audit. The investigators noted that internal audit was not providing adequate assurance and even suggested that internal audit was aware of several projects with inappropriate accounting but took no actionhttp://flip.it/SVfTR