The Four C’s in Overseeing Internal Audit

Brian Christensen, Managing Director Global Leader, Internal Audit and Financial Advisory
This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

In 2016, The Institute of Internal Auditors and Protiviti conducted the world’s largest ongoing study of the internal audit profession — the Global Internal Audit Common Body of Knowledge (CBOK) study — to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. Several imperatives for internal audit emerged from the responses of the participants in the study. Among them: focus more on strategic risks, think beyond the scope of the audit plan, and add more value through consulting.

As for directors, there are four features to consider when evaluating the sufficiency of any risk-based audit plan: culture, competitiveness, compliance and cybersecurity – let’s call them the Four C’s, for short. We explored these four C’s in a recent issue of our Board Perspectives: Risk Oversight series. And I had the opportunity to discuss them yesterday at The IIA’s 2017 General Audit Management (GAM) conference in Orlando, as well. I want to share some of that discussion.


Executives and directors understand that a breakdown in risk management, internal control or compliance is almost always due to a dysfunctional culture. They also know that cultural dysfunction doesn’t develop overnight. Risks stemming from a culture breakdown typically incubate for a long time before noticeable symptoms appear — often in the form of some potentially reputation-damaging event. Examples of dysfunctional culture include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override public safety, empowers fraud, or encourages unacceptable risk-taking. Internal audit can assist in assessing whether the tone in the middle and at the bottom match the leaders’ perceptions of the tone at the top.


Most organizations use some form of balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. The board should expect internal audit to look beyond traditional compliance and financial reporting to help the organization continuously improve operations. Internal audit can help improve operating efficiency and effectiveness by identifying business processes that are not performing at a competitive level because of practices that are inferior to competitors’ and industry best practices. In addition, internal audit can benchmark selected metrics to identify performance gaps.


Traditionally, the internal audit plan deals with ensuring that areas related to the organization’s compliance with laws, regulations and internal policies are under control. As the third line of defense, internal audit should ascertain whether:

  • frontline operators and functional leaders whose activities have significant compliance implications (first line of defense) own their responsibility and have effective controls to reduce compliance risk; and
  • the scope of the independent compliance function (second line of defense) is appropriate for the company’s level of compliance issues and results in timely and reliable insights to management and risk owners.

In the absence of a second line, internal audit can determine whether a cost-effective monitoring process is in place to address top compliance risks. It can also assess implementation of compliance programs to ensure that the company is current with changes to applicable laws and regulations.


This area is a significant and growing concern to boards and is not likely to go away any time soon. Cybersecurity was cited as the third most critical uncertainty for executives in the Executive Perspectives on Top Risks Survey for 2017 by Protiviti and the North Carolina State University’s ERM initiative, and deemed the number one technology challenge by respondents to Protiviti’s IT Audit Benchmarking Survey. Internal audit can assist in several ways: First, by assessing whether the company’s processes give adequate attention to high-value “crown jewels” information and information systems, rather than an all-systems-are-equal approach; second, by helping the board and senior management with understanding the threat landscape; and finally, by assessing the organization’s cyber incident response readiness.

Focusing on the Four C’s enables internal audit functions to consider more broadly the implications of their audit findings and to think beyond the expressed or implied boundaries set by the audit plan. This, in turn, positions internal audit to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.

Add comment