Skip to main content

What to Ask During Your Internal Audit Program Review

Internal Audit
Internal Controls
what to ask during an internal audit program review
3 min read
Published: October 26, 2018
Last Updated: November 18, 2020

Risk managers should keep in mind four Ps and one C when reviewing their internal audit programs, said Larry Hattix at the sold-out 2018 Financial Services Exchange, held by The Institute of Internal Auditors.

Larry is Senior Deputy Comptroller for Enterprise Governance and Ombudsman at the Office of the Comptroller of the Currency, which regulates national banks, federal savings associations, and federal branches and agencies of foreign banks. At the IIA conference, he gave a regulatory perspective on governance and risk.

He presented a framework internal audit leaders can use to ask key questions as they build their internal audit programs to add value and make sure their organizations are "doing the right thing."

First, the four Ps:

  • Purpose or mission: Is the purpose of your program clear?

  • Process: Is the process simple? Is it well-defined? Does it make sense? Can you describe it in a 60-second elevator ride?

  • Proactive: If you are 20 percent proactive and 80 percent reactive, what steps would allow you to become 40 percent proactive, so you can add value to your organization? In addition to an assurance role, internal auditors can offer strategic insights to help guide their organizations. Auditors may think they need to separate themselves from their businesses to give independent opinions, but Larry noted the valuable talent and skills of internal auditors. Do not take yourself and your talent out of the business simply due to the independent role, he said.

  • Perspective: Is your program focused on the short or long term? Internal auditors need to incorporate a long-term perspective.


And the C:

  • Complacency: Are you using the same program you were using years ago? Governance has to be dynamic because industries and regulatory environments are changing too.


Larry shared a personal anecdote of being one of ten children, who all needed clean clothes. His working parents proactively developed a process for each child to collect their own dirty laundry, and the family would spend a few hours together each weekend at a laundromat washing and drying clothes. In between cycles, the kids would do their homework. The purpose: find a way to more efficiently do a time-consuming task. From a long-term perspective, making sure every child had clean clothes for school every Monday meant they could be educated and add value.

In short, we have all heard the phrase, "See something, say something" when we spot areas of concern. For internal auditors, Larry updated the phrase to, "See something, say something, do something" to make sure the organization does the right thing.

To learn how one bank's internal audit team proactively leveraged technology to streamline its processes and add value, check out this video.

You May Also Like

Online registration is currently unavailable.

Please email events@workiva to register for this event.

Our forms are currently down.

Please contact us at

Our forms are currently down.

Please contact us at