It Shouldn't Surprise Us That "No Surprises" Is Still an Expectation

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession.


Back in 2009, I blogged on the fact that many audit committees expected internal audit to help them avoid surprises. I concluded that whether it was fair or not, it was an expectation we needed to recognize. Since then, risks have become more dynamic and unpredictable. Given the environment in which new risks emerge from seemingly nowhere, it shouldn’t surprise us that “no surprises” is still an expectation.

Internal auditors have become increasingly effective in assessing traditional risks; however, the ability to identify and assess emerging risks presents new challenges and requires even greater proficiency. Emerging risks are the newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models. These risks have no track record, so despite the fact that our risk assessment techniques are becoming more sophisticated each year, new and emerging risks are still the most difficult risks for us to identify and quantify.

Too often, traditional risk assessment techniques can miss these risks completely. Even the biggest game-changing risks can be hard to spot until after they have resulted in disastrous consequences. A decade or two ago, regulations such as the U.S. Foreign Corrupt Practices Act or the more recently enacted U.K. Bribery Act were largely ignored by most audit groups. Risks involving cloud computing were not yet even being contemplated. There was no global liquidity crisis, and relatively few city governments were in severe financial distress. Organizations that were not positioned to respond rapidly to these changing conditions often were destined to pay a high price for the oversight.

It might seem that because emerging risks can have such a devastating impact, managing them would receive significant attention and resources from management. In reality, the opposite often is true: Emerging risks are the ones not yet on management’s radar, and there can be a natural tendency to avoid dealing with risks that have not yet materialized. When we are fully involved in addressing today’s problems, it is tempting to ignore the problems of the future: As the old saying has it, “Do not worry about tomorrow, for tomorrow never comes.” In reality, however, tomorrow really will come, and it is the ability to predict problems before they happen that audit committees most value in chief audit executives. We not only need to worry about tomorrow, but we also need to develop a keen understanding of what might happen tomorrow, even in relatively unlikely scenarios.

Emerging risks can arise from any direction — internal or external to the enterprise — so “no surprises” means that internal audit must have broad peripheral vision to anticipate risks from new or unexpected sources. Identifying and assessing these risks requires us to think creatively. Merely updating last year’s risk assessment simply won’t do: We must truly look at the organization’s goals, objectives, and operations with a fresh eye, constantly asking, “What could keep us from accomplishing this as intended?”

Often internal auditors try to assess emerging risks using “risk assessment by walking around” techniques, in which we ask management what it sees as its new risks. But while the technique can be highly effective in identifying ongoing internal risks, management is all too likely to be blind-sided about risks arising outside the organization. Is a potential new competitor planning to enter our markets? Might a geo-political development or environmental disaster strike a key supplier or customer? Understanding and predicting such potentially game-changing events necessitates heightened awareness of changing conditions. We need to be able to assess the potential impacts and the interconnectedness with other risks even before the risk has fully materialized.

The job is not an easy one. We must become students of the global economic and geo-political environment and stay informed about industry trends and the regulatory landscape. We must know what drives corporate performance and understand the factors that might hinder accomplishment of goals. We must develop better risk analytics, and we must evaluate how emerging risks are incorporated into strategic plans. We must be able to look into the crystal ball of “what if” scenarios and spot potential opportunities before they have passed us by, because the only way to assure our audit committees receive no surprises is to keep them informed of potential events even before they take place.

Posted on Oct 2, 2012 by Richard Chambers

  1. Richard: Thanks for elevating the issue of emerging risks and your efforts to elevate why internal auditors should be complying with IPPF standard 2120, which states IA "must" assess the effectiveness of the company's risk management processes. A key element of "effective" risk management processes is the one you focus on above - the ability of the processes to continually scan the horizon for emerging risks and appropriately assess the potential impact of those risks on the company's objectives.

    Unfortunately, I believe that few IA departments currently are well equipped to competently assess risks and identify the full range of risk treatments and the current residual risk status. This brings into question their current capability to competently complete standard 2120 assessments of their organization's risk management processes.

    The new IIA CRMA designation/certification is a major step in the right direction, but the majority of IA shops continue to complete direct report audits and form subjective opinions on whether they believe controls are "effective". Until the profession recognizes that traditional direct report auditing is, itself, a major risk to an organization's efforts to improve risk management capability, progress will be seriously negatively impacted. The IIA needs to carefully study whether traditional direct report audit methods need to be replaced with ISO 31000 compliant assessment methods and take a position on whether IA should transition from subjective views on control effectiveness to approaches focused on ensuring senior management and the board are aware of the organization's residual risk status.

  2. I completely agree with the fact that it is not very easy to be aware of all risks that an organization can face. Senior management has such an expectation from the Internal Audit Department to find and disclose each and every risk that is significant. But the problem is that Internal Auditors are not fortune tellers. They can analyze and investigate risks, but over-expectation is not meaningful; rather, it is overwhelming.