But, does internal audit ever consider risks to the achievement of its own objectives?

They should. Whether independently or with the assistance of a corporate risk management function, internal audit should practice what they preach.

For example, the internal audit team should assess these sources of risk:

- Failing to understand, in a timely fashion, a significant business risk and as a result leaving it off the audit plan
- Failing to fully appreciate business needs and recommending change that does not address the real business issue
- Recommending change that addresses only the symptoms of a problem instead of its root cause
- Failing to obtain full value from the audit staff, whether from a lack of training or motivation
- Failing to be heard by management. Again, the causes of this may be many, including an inability to communicate, not demonstrating value that is appreciated by management, acting in a way that disrupts the business, and more
- Performing work that doesn’t really matter
- Inefficiency
- Reporting that is untimely
- An inability to effect change, with recommendations not being implemented. Reasons could include not being persuasive or failing to make the right recommendation
- An inability to recruit the talent needed to be successful
- Insufficient resources
- Poor relationships with the audit committee and/or executive management

It is time to walk the talk. Do you agree?

Norman Marks, CPA, is vice president, governance, risk, and compliance for SAP's BusinessObjects division, and has been a chief audit executive of major global corporations for more than 15 years. He is the contributing editor to Internal Auditor’s “Governance Perspectives” column.
normanmarks.wordpress.com/