No internal audit team is perfect, and some perform better than others. But will you realize it when the internal audit team is really steering into rough waters? Will you see the signs that the internal audit team isn’t only performing poorly, but it is floundering?
There will likely be signs that internal audit is in trouble and ignoring them is a surefire way for a chief audit executive to be out of a job, or worse, for the whole internal audit department to be outsourced.
Here, I share my six red flags that your internal audit function is in trouble. I am sure there are more, and I ask you to mention them in your comments.
1 You find out that management is looking to hire somebody for your job. Even worse, this is with the blessing of the audit committee of the board.
This actually happened to me. I was having serious issues with the CFO, and he was having similar issues with me. We didn’t like each other, and that was in addition to disagreeing whether the company had serious issues. I thought it did (and was right: it wasn’t long before the company failed), and he dismissed my concerns. One of the audit committee members let it slip that they had discussed his request to replace me. When I talked to the chair of the committee about my relationship with the CFO, he told me “His business card is bigger than yours, Norman.” I had a great relationship with the committee, but the CFO didn’t appreciate my finding multiple financial reporting frauds.
Other CAEs have told me that they got calls from recruiters alerting them to their upcoming replacement. One said he saw an ad for his job!
2 You are losing good people from your team.
They don’t tell you why they are leaving, but this is a red flag that they have a problem, most likely with you. It’s possible the issue is elsewhere, but if you can’t see it, if you are not unhappy yourself, it is more than likely something you are doing.
There’s a saying that people don’t leave a company. They leave their manager.
For example, one CAE I knew lost people every year in January. She overworked them, without mercy, so she could get the SOX work done. They were good people, but her silly idea of scheduling all the testing in the last quarter put far too much pressure on them. As professionals, they worked extra hours without any appreciation from the CAE. Then they quit, and she was surprised.
There can be other reasons for people leaving, such as your inability to promote your people, help them move into management, or pay them a competitive wage. Without good people, you are unlikely to succeed.
3 You are not receiving any requests from management.
If management sees you and your people as proficient, business-oriented, and able and willing to help, you will normally get more requests to look at this and that than you have time.
But if there are none, that can be a red flag that they do not have that level of respect for you and your team.
If they don’t have respect for you, it may be because (at least in their minds) you don’t deserve their respect. You are not doing work that helps them run the business.
Requests don’t have to be granted. But they should at least be consisered, and a lack of requests is a red flag.
By the way, if the CAE’s policy is to refuse all requests on the grounds of independence, he or she is waving a red flag.
4 Management frequently disagrees with your assessments, ‘findings’, and recommendations.
Some talk about this as a failure of management. More often, it’s a failure of internal auditing. It’s a failure to listen (to them).
They may be right. The risks to the business may not be as severe as you think, and perhaps they should be taken. If you don’t respect their position, you are waving a red flag. It’s frequently a failure to understand the business and its risks.
It’s usually the result of a failure in our internal audit process, where we are not discussing issues and agreeing on both the facts and whether there is a risk that needs action as soon as we find them during the audit.
If that happens, internal auditing is failing. The CAE will soon be talking to recruiters, looking for a job without a reference.
5 Your team is spending 20 percent or more of its total time on a combination of report writing and administrative tasks.
This means that they are not as efficient as they should be, and you are not performing all the audit engagements you could. And note that this time does not include vacations, holidays, and training
It may not mean you are dying, but your staff want to be in the field, not rewriting audit reports for the nth time.
6You are having difficulty getting time with the CEO.
This is probably because he or she does not see you delivering huge value and helping the organization succeed. He or she is not looking forward to hearing from you, likely because they don’t see you as a great source of insight and advice.
For example, you find out that the CEO is not reading your reports, and certainly not acting on them. They leave that to their staff. Or they let them pile up and read them on a plane trip. They do that because the reports are not seen as providing information that needs their attention now. 
Author’s note:
This article is inspired by a post with a similar name by my good friend and occasional debate partner, Richard Chambers: 10 Red Flags Your Internal Audit Function May Be Losing Ground.
Have a look if you haven’t already read it. He makes some very good points.
Here are his ten red flags:
- Static Audit Plans
- Stakeholder-Led Risk Identification
- Comparisons to Peers
- Overdue Quality Assessments
- Unilateral Budget Cuts
- Marginalized in the Boardroom
- Assurance Sourced Elsewhere
- Succession Overlooked
- Controlled Access to the Audit Committee
- Existence Questioned
These are all good, although his #4 would not bother me very much.
I’m not going to debate these ten. Richard explains each of them well.
What do you think of these sixteen red flags? What would you change or add? Please weigh in in the comments section below.
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.