No Surprises: Is It a Realistic Expectation?

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

During my travels over the past five years, I have had the opportunity to speak with many audit committee chairmen of leading corporations in the United States and Europe. One of the questions I invariably posed during my conversations was: “what is your foremost expectation out of internal auditing?” With amazing regularity, the response came back: “no surprises.” By “no surprises,” the chairmen (in reflecting the views of themselves and their fellow audit committee members) were suggesting that internal auditing should identify issues before they became a major problem for the company — and by extension — the audit committee.

At first glance, an expectation of no surprises might seem like a reasonable expectation. However, when you think about it, you realize what an extraordinary expectation that is. It suggests that internal auditors should be omnipresent — anticipating risks of every type and providing assurance that management has taken appropriate actions and/or implemented appropriate controls to mitigate the risks before they result in major consequences. If every internal audit department lived up to this utopian expectation, there would literally never be any bad news that wasn’t already known because the “caped crusaders of internal auditing” had already identified it and led to its eradication. 

Is the total eradication of surprises what audit committees really expect from our profession? I seriously doubt it. Instead, I believe they are suggesting that internal auditing should be striving to identify risks that could present problems in the future, and not simply dwell on what went wrong in the past. When taken to its natural extension, this expectation would fundamentally alter the mind-set of many internal audit functions. Instead of conducting an annual risk assessment, designing a corresponding audit plan, and auditing against it for a full year, internal auditors would take a more continuous approach to assessing risks. Audit plans and coverage would be constantly evolving as “potential surprises” surfaced. Such an approach would add significant value for internal audit stakeholders — particularly in the dynamically changing environment that the current economic crisis presents.

For those internal audit functions that want to embark on a “surprise averse” strategy, I would offer three key tactics:

1. Update your risk assessments and audit plans as often as possible. Continuous risk assessment doesn’t have to occur daily. It also does not have to address every risk facing the company. Identify key risks as part of your annual audit plan that you will monitor on at least a monthly or quarterly basis.
2. Keep close tabs on the business. Some of the most effective continuous risk assessment strategies I have seen are relationship-based. The CAE should interact with executive management on a continuous basis to identify emerging risks that might not be apparent from his or her corner office. At the same time, the CAE’s direct reports should be maintaining relationships with key business unit executives/managers throughout the company. Identification of emerging risks is much more likely to happen through informal frequent interaction than a formal structured risk assessment.
3. Benchmark with your peers — particularly in your industry. A risk may not have emerged in your company. However, if it is making its way through your industry, it definitely bears watching.

I am confident that many of you have your own approaches to continuously assessing and identifying emerging risks. I encourage you to share them in responding to this blog.


Posted on Jun 12, 2009 by Richard Chambers

  1. Richard, I have advocated internal audit providing the audit committee and executive management with 'peace of mind', the 'ability to sleep during the storm' and 'no surprises' for almost two decades. I firmly believe it should be the aim of our work, although both our stakeholders and the CAE himself should have a clear understanding of the limitations we operate within – resources and the experience/insight available only to the management working the issues every day.

    Peace of mind starts with assessing and providing an opinion on the organization's governance practices, and then focuses on the risk management program. The key is to help management avoid or mitigate surprises. We are not the risk management function ourselves.
    Only then do we assess and test the key controls relied upon to manage the more critical risks. As you know, I am a strong supporter of continuous risk and control assurance, which is a combination of continuous risk monitoring and continuous control and data auditing.
    Yes, there are limits on how much assurance we can provide – and they must be shared with and understood by the audit committee. But this approach goes a long way to helping management avoid surprising the board with an overlooked or under-assessed risk, or an ineffective control that results in a major incident.
  1. Just to clarify, if we provide assurance on the organization's governance, risk management, and related internal controls (as directed by the Standards but so rarely done in practice), we are filling an assurance 'vacuum gap' at the board level and helping to avoid or mitigate surprises.

  1. Valuable lessons I have learned from direct board of director reporting over the years:

    1. IA must know the company from the bottom up as well as from the top down. Employees in the trenches far too often realize the errors in management directions. IA functions that are well connected with all levels of the company can and will see the smoke way before the fire.

    2. IA adds value when it has that just-in-time ability to inform management of issues, good or bad, that management should already be aware of but was not.

    3. Risk assessment processes should be broad enough to understand that just like "too big to fail" is a myth, so is "nothing is forever". Just like gravity, what goes up will eventually fall down. Every day is a good day for IA to re-think the unimaginable.

    4. "Trust, but verify". Trust management will do the right thing the right way every time, but if you never "verify", how do you know? And more importantly, how will your stakeholders know that IA (you) did the job in the first place?

  1. PS: Nothing is more painful than for IA to be questioned by a CEO or, worse yet, the chairman of the audit committee: "How do you know, did you look?"

  1. Richard

    Coming from an Internal Audit background originally I very much agree with the sentiments you expressed.
    Managing the expectation of the Audit Committee, the Board, the CEO and executive management is a critical challenge to the CAE and can have a fundamental impact on the perceived success or failure of the Internal Audit function.
    I fully agree that the provision of "peace of mind" (Norman's term) is certainly an expectation of these stakeholders and this expectation therefore needs to be clarified. Peace of mind means addressing the causes of stress, tension and anxiety which make it difficult to sleep at night, for fear that unpleasant "surprises" may be awaiting in the office the following morning. In order to address this one must first identify the causes of these concerns and the areas where sufficient comfort is not currently being obtained.
    It is probably not a realistic expectation that these stakeholders solely rely on Internal Audit (given the limitations referred to by Norman) to fully address this issue, but Internal Audit certainly has an important role to play and can help provide a degree of comfort in this area. There is therefore an opportunity to increase the level of comfort currently being provided by Internal Audit and the perceived value being added by the Internal Audit function.

    (Continued in next message)

  1. (continued from previous comment)

    I agree that Internal Audit needs to become more progressive in its approach and needs to adopt a more fluid and adaptable approach. A more continuous approach to monitoring risk and auditing controls is a good starting point; however, Internal Audit can also provide additional value by providing a more balanced end product. This means ensuring that the audit plan sufficiently addresses strategic, tactical and operational issues. It means addressing what I refer to as the critical components of an organisation's program for self-defence. It means providing opinions not only on governance, risk management and control programs and practices but also on related compliance, intelligence, security, resilience and assurance programs and practices. All of these components are critically interconnected, interlinked and interdependent and therefore need to be managed in a co-ordinated and coherent manner. When all of these areas are strategically, tactically and operationally aligned, the possibility of surprises is drastically reduced, and where unexpected issues do arise there is the comfort that practices are in place to mitigate these issues or that the required remedial action has already been identified. An organisation which has aligned these activities at strategic, tactical and operational levels will have a higher degree of confidence that, where pre-emptive measures are not sufficient, the structures in place should be sufficient to respond to anomalies in a timely manner so that the organisation can not only reduce the initial impact but also mitigate any subsequent collateral damage.

    (Continued next message)

  1. (continued from previous comment)

    Internal Audit needs to be able to provide opinions on the strategic alignment and integration of all of these programs and practices so that high level issues can first be identified and the tactical and operational requirements can later be addressed. The provision of high level opinions will alert these stakeholders to potential issues, and therefore any resulting tactical and operational issues become issues which need to be addressed rather than a surprise like a bolt from the blue.

    The peace of mind referred to above can only realistically be achieved once these stakeholders have a sufficient level of comfort or degree of confidence that sufficient measures are in place to safeguard both themselves in their professional capacities and their organisation. Ultimately this means that the organisation must have a comprehensive corporate defence program in place which adequately defends the organisation and the interests of its stakeholders.
    Internal Audit is not responsible for ensuring that this is the case, but in its assurance role it has an important role to play, not only within the corporate defence program itself, but also in advising the relevant stakeholders on the level of maturity of this program and making recommendations to continuously improve and address this ongoing challenge.