Larry E. Rittenberg, PHD, CIA, CPA: there is no shortcut to good controls; COSO's new chairman says every corporation needs muscular internal controls and audit executives with the authority to enforce them

Internal Auditor, August, 2005 by Russell A. Jackson

At the end of my term, I would like to feel that we have helped organizations become more efficient and effective through a better understanding and implementation of risk and control. The implementation of both the COSO ERM and internal control frameworks will allow organizations to become more efficient and effective. And that applies to all organizations--commercial businesses, large or small businesses, governmental entities, and other organizations. I would be pleased if COSO were viewed as an effective conduit to improved governance, risk, and control, and therefore to better organizational performance that benefits stakeholders.

What's the greatest challenge internal auditors will face in the next year?

I am worried that the current pressures on Sarbanes-Oxley work will lead to pressures to narrow the scope of internal auditing and thus have internal auditors abandoning many areas that have added value to organizations in the past. The IIA has to remind internal auditors that the definition of internal auditing is broad and is focused on improving operations through better governance, risk management, and control. That mandate goes far beyond narrow accounting and financial reporting controls. I am happy to remind internal auditors that the COSO frameworks are broad and cover all aspects of the organization. Indeed, there are significant risks outside of financial reporting that internal auditors can address. For example, a forthcoming research project from The IIA Research Foundation, Southern Methodist University, and the University of Texas will address risk and control issues associated with interorganizational relationships that have developed during the past few years. Many organizations are entering into various kinds of agreements--some with suppliers, some even with competitors--that carry great risks. Internal auditors and managers need to understand those risks and determine whether they are controlled.

Do management and boards contribute to internal auditors focusing on broader risks and controls? Or are they a roadblock?

Boards and managers are like other human beings. They react to pressure points, and they feel a great deal of pressure right now related to the integrity of financial control and reporting. That's where they want internal auditors to spend their time--to take the pressure off of them. My sense is there's a risk that, as internal auditors comply with that request to limit their focus to the specific issues that management is most concerned about right now, management may come to see them in a different role that will be defined by what they've been doing the last couple of years. That generally means management wants internal auditing to maintain a narrow focus on control over financial reporting. In some ways, it's easier to focus just on financial reporting rather than on the broader operational risks and controls of the company. Auditors need to overcome those tendencies to make sure they add the most value they can to their organizations.