If you can cast your mind back far enough, the list is as long as it is depressing – the list, that is, of organisations that have failed despite their efforts to maintain vigilance against the risks associated with running a business. The list includes the recent spectacular failures of the banks, AIG, Enron, Tyco, Polly Peck, and BCCI; there are many others besides.
Various reports addressing the issues of internal control have been written by stock market grandees, probably most notably the Turnbull report, which pulled together the findings of a number of earlier reports.
The board is ultimately responsible for the stewardship of the organisation and managing the associated risks, but assurances on how well the risk management controls are working across the wider business should come from the internal auditors.
Many line managers will have specific audit responsibilities: the quality manager will audit product and process quality; the health and safety manager will audit safety; the IT manager will audit the IT security threat. However, highly skilled and properly trained internal auditors should also be looking at a range of broader issues and evaluating the controls in place for both overt and covert risks (which might include strained relationships at the top of an organisation, investment in new technology or equipment, reputation and customer management, risks arising from the loss of key people, cost controls, and supply chain risks, for instance those arising from the exploitation of child workers), as well as an overview of the finance, quality, safety and IT issues.
Internal auditing may be seen as a big-company activity, but assessing and measuring exposure to risk is important for the survival of all companies and is a catalyst for best practice. It is of value even if everything is found to be okay, as it is a means of ensuring that you are not missing anything. In the words of one of our clients, “you keep us honest”. Can you afford to fail?