
  • Michael Page and Laura F Spira

    Executive Summary

    The report of the Cadbury Committee in 1992 provided a framework for corporate governance which has become the basis for the arrangements whereby UK companies govern themselves. However, the Cadbury Report left a significant piece of unfinished business. The Code contained a recommendation that the boards of listed companies should report on the effectiveness of their systems of internal control, and that the auditors should report on this statement. This requirement was controversial, as neither company managements nor auditors were willing to take responsibility for expressing an opinion on internal control effectiveness. It was not until 1999 that the report of the Internal Control Working Party under the chairmanship of Turnbull resolved the problem of reporting on internal control.

    The Turnbull Report's guidance required companies to report whether the board had reviewed the system of internal control and risk management, and encouraged, but did not require, the board to express an opinion on the effectiveness of the system. The close coupling of internal control and risk management in the Turnbull Report echoes similar developments in the US and Canada where other influential reports have emphasised the importance of risk management as well as internal control. Although previous research among leading companies has indicated that formal systems of risk management and risk-based approaches to internal audit are in use, other research has suggested that in many companies internal audit is more traditional. In this situation there is considerable potential for a high level of adjustment costs borne by firms in complying with the Turnbull guidance, whether or not the individual firm benefits from embracing risk-based internal audit and control techniques.

    At the same time the Institute of Internal Auditors has been seeking to professionalise the work of internal auditors by issuing standards of work, providing certification of education and training and enhancing the prominence of internal audit in the business community. The Cadbury Committee provided an enhancement for the role of internal audit and a presumption that listed companies would have an internal audit function, or, if not, would review the need for one periodically; the Turnbull guidance reinforced this.

    Against this background, this study explores the range of activities undertaken by internal audit departments, their role within companies and the impact of the Turnbull guidance on internal audit.

    The investigation uses qualitative research methods to gather the perceptions, on a wide range of issues, of senior internal auditors in large businesses, all but one being FTSE 350 companies. Between 1999 and 2001 twenty-two interviews were conducted with heads of internal audit or their deputies. The research takes a grounded theory approach and does not seek to provide statistical generalisations about the frequency of particular practices and arrangements for internal audit and risk management, but to generate understanding of the inter-relationship of different factors that are causing changes in risk management processes in companies and in the role of internal audit.

    Findings from interviews with internal auditors 

    The interviews covered a number of issues explicitly under the following main headings: 

    • Turnbull and internal audit;
    • Risk identification, assessment and management;
    • Organisation of internal audit;
    • Relationships and engagement with boards and audit committees and other risk functions;
    • Involvement of internal audit in strategy.

    Turnbull and internal audit

    The impact of Turnbull on companies that had already embraced risk-based approaches was not perceived as very significant. The impact on some, usually smaller, companies had been greater in terms of adjustment to processes and some mention was made of increased costs. Internal auditors generally viewed Turnbull as beneficial to their cause and said it had helped to alter the perceptions of internal audit in a positive way, so that operating departments frequently sought the advice of internal audit when implementing new or changed processes.

    Risk identification, assessment and management

    Formalised risk management procedures were at different stages of development. The Turnbull Report had encouraged formalisation of processes in most companies, although many considered their processes Turnbull compliant prior to the publication of the report. Several companies had set up risk committees. The relationship of internal audit with risk management varied from that of outside observer to influential insider. In particular, internal auditors had roles as facilitators and organisers of risk identification and assessment, generally through workshops. Risk assessment tended to be based on expected value of impact principles but the assessment was frequently summarised in the form of a score, a matrix, or traffic lights. The risk identification and assessment process generally included the production of risk registers in various guises, either maintained centrally or at operating units. When adverse events occurred (crystallisation of risk) internal audit was frequently involved in reporting on events and making recommendations for improved controls.

    Organisation of internal audit

    There was a wide diversity of arrangements. Some companies had dedicated internal audit functions but in most companies the function was combined with risk management, process review or similar activities. Some auditors acknowledged a traditional compliance checking role but there was a widespread view that monitoring of compliance was a function that should, as far as possible, be the responsibility of line management.

    Outsourcing of the entire internal audit function was rare in the companies examined although co-sourcing arrangements, where external providers (generally audit firms) supplied expertise in specific areas such as IT, were fairly common. Outsourcing of internal audit meant forgoing most of the important educational and development benefits of internal audit and the view was generally expressed that providers of outsourced services neither understood the businesses that they were auditing nor were they committed to it in the same way as in-house staff.

    The work programme of internal audit was, to a greater or lesser extent, an outcome of companies' risk identification and assessment processes in many of the companies. However, other factors, such as rotation of coverage and the priorities of the board or audit committee, also affected the design of the programme.

    Relationships and engagement with boards and audit committees and other risk functions

    Some boards and audit committees were more proactive than others. All the internal audit reports were made available to audit committees and all heads of internal audit attended audit committee meetings. Most companies had other risk functions apart from internal audit, such as health and safety and insurance. Where separate processes existed, the integration of risk management could only occur at the level where the lines of reporting intersected, usually at board level.

    Involvement in strategy

    In view of the role that external auditors seemed to be seeking as business advisers, interviewees were asked about the level of involvement of internal audit in the formation and implementation of business strategy. Internal auditors did not have, nor did they seek, a prominent role in strategic decision making, although those who were more involved with process improvement thought that they had a role in implementation.

    A number of facets of internal audit emerged strongly from the interviews which were not originally included in the interview questions:

    • Communication;
    • Education and development;
    • Independence;
    • Change. 


    Communication

    Much of the activity that internal auditors undertook could be classified as communication, especially talking with divisional and business managers, running workshops and making presentations to senior management. The workshop, in particular, seemed to be an important way in which auditors facilitated the identification and assessment of risks or dealt with other issues.

    Education and development

    Internal auditors saw three important educational roles: they trained their own staff, they educated line managers in control and risk management, and they provided a function where new entrants to the organisation, or existing staff, could spend a short period as a means of understanding the business. Although this feature of internal audit is well-known, the interviewees placed considerable emphasis on it.


    Independence

    Although a few of the interviewees fiercely guarded the independence of internal audit, refusing to accept ownership of any processes or undertake work which they felt would compromise their independence, most departments were involved in risk-management and process improvement in ways which meant that they would at some point be auditing processes that they had helped to design or implement. This qualified independence was viewed as beneficial, although auditors were conscious of the need to maintain a balance. The direct line of reporting to the audit committee was seen as reinforcing independence, and some auditors believed that they were more independent than the external auditors, whose position could be compromised by their business advisory role and their vested interest in selling additional services.


    Change

    During the interviews it was apparent that the work of internal audit was influenced both by frequent specific changes, such as acquisitions and divestments, and by a pervasive climate of change. In many organisations, risk-based approaches could be seen as one response to change since businesses were rarely stable long enough for processes to be designed, implemented and standardised so that a classical, systems-based approach to audit could be established. Moreover, the occurrence of specific changes provided internal audit with a role in recommending and developing processes to adapt to those changes, as well as a prioritisation, based on risk assessment, of where to expend control and risk management effort.


    The diversity of the findings suggests that, although the Turnbull Report has significantly raised the profile of internal audit in organisations by highlighting its role in internal control and risk management, the organisational role of internal audit varies widely. The role as the stern enforcer of compliance with company systems has largely been abandoned, wherever it existed, but has not been replaced by a uniform model.

    Internal audit provides some useful organisational tools for management in a dynamic environment:

    • internal audit can identify and spread best practice, where the development of central policies would be too slow and costly;
    • internal audit can gather intelligence on risks;
    • internal audit can assess risks and the robustness of systems; and
    • internal audit can help to maintain an organisational culture.

    Risk management has become a central focus of corporate governance. Its processes provide an organisational defence in a changing environment. The interviewees told their stories against a background of continual change, including changes in organisational structure and changes in assurance requirements. In the context of new organisational paradigms, such as the concept of the learning organisation, where knowledge assets and information flows assume great significance, internal audit can potentially raise its profile greatly by emphasising its education, facilitation and communication roles.

    ISBN 1 904574 05-X
