Risk and the Future of Internal Audit

 

When internal auditors talk about the future of internal audit, when they talk about how we can add the greatest value, when they talk about the state of the profession and where the new horizons and opportunities lie (or is it lay – that one always throws me – where's a good editor when you need one), the conversation seems to invariably turn to risk.
 
So it is not surprising that risk has become part of the discussion related to the blogs I recently posted regarding creativity, innovation, and internal audit's ability to maintain its relevance into the future.
 
In Tim Leech's responses he referenced various articles which speak to how organizations will need to take fresh and active looks at the ever-changing risk landscapes. As Tim notes, "Boards desperately need reliable information on management's risk appetite and tolerance to discharge their new responsibilities. Internal audit has an opportunity to be a primary support for boards."
 
David Griffiths led his responses with "IA's objective is to provide an independent and objective opinion to an organization's management as to whether its risks are being managed to acceptable levels." This is exactly the approach that is being used by some of the best audit shops, and the approach that, while not always well articulated, is at the foundation of risk-based auditing.
 
These responses are representative of the broader discussion that is happening throughout the internal audit profession as it determines if it wants to have a more active role in risk identification, assessment, and management.
 
As an example, the recent update to COSO's integrated framework for internal control provides a perfect opportunity for audit shops to obtain a better understanding of how risks can impact an organization's achievement of its objectives. In his book Management's Guide to Sarbanes-Oxley Section 404, my fellow blogger Norman Marks spells out how the various regulations and guidelines state that a top-down, risk-based approach should be used. And Norman has also spoken about how internal audit should use COSO's IC-IF to get a better perspective on how organizations view risk, as well as using it as a tool to perform more effective audit work. You can see his views on the subject on Audit Channel TV – "Considering COSO 2013 from a Risk Perspective."
 
Richard Chambers, President and CEO of the IIA, has spoken and written many times on internal audit's challenge related to risk assessment. My most recent experience with his thoughts on the subject was at the Governance, Risk, and Control Conference. He reinforced that our role is to evaluate and improve the effectiveness of risk management, control, and governance processes. He then went on to say that (and I am paraphrasing here) we do an excellent job at controls and we are moving forward nicely in the arena of governance. However, the one place we are weakest – the one place that probably gets red on a stoplight chart – is risk management.
 
(And Norman and Richard, if I have misquoted you, please jump in and correct me.)
 
It is crucial that in today's environment internal auditors have a firm understanding of risks and their impact. Without that we are just scratching quill marks on papyrus that will desiccate and blow away in the desert wind. 
 
So, if risk is so important and instrumental in assuring our current relevance to the organization, it must be the answer, right?
 
Well, that all depends on the question.
 
If the question is "What do we need right now?", then the answer is "Yes". Right now, there may be no one thing more important for internal audit than fully understanding and analyzing risk assessment. If we do not understand the risks (and as David mentioned in his comments – understanding those risks means understanding how the business operates now and into the future, the need to be creative and innovative, the need to be active) then we cannot do our job. Controls exist to ensure risks are brought to an acceptable level. If we do not understand the current state of risks as well as future potential risks, then our audits are misaligned and we are providing nothing but a disservice to the organization.
 
However, if the question is "How do we maintain relevance into the future", then the answer is "Not really...no". Because risk is today's issue. (And I will do us all the favor of not talking about the number of audit shops that haven't really gotten there yet; I won't talk about the embarrassing percentage of audit shops that still do nothing but SOX and compliance work.) Just because you got a passing grade today doesn't mean you don't have to study for tomorrow's exams.
 
Which brings us back, once again, to the real point about creativity and innovation. Creativity and innovation are about allowing ourselves to explore new and different ideas without hampering ourselves with today's constraints. (And one of the most insidious constraints is success.) Creativity and innovation are about the constant search for the new new thing.
 
Last week, Facebook turned 10 years old. And yet we all (not just internal auditors, but all business people) are still trying to come to grips with what it means, how it impacts our work, and what should be done.
 
And somewhere out there someone has invented the next social media application that will scare the spreadsheets out of us. In fact, some people might already be using it. Is it Vine, Tumblr, Google+? Or is it Medium, Kleek, Ghost, or Atmospheir? No, I don't know what those last ones are, either. But I found them by googling "hot social media apps". That's the point, we probably wouldn't even recognize the next big thing because it hasn't hit yet.
 
And somewhere out there something is happening that will be the most important thing internal audit should be aware of in the future. And, unless we watch for it, we will miss out and, like some shops are being forced to do in regards to risk, spend all our time trying to keep up.
 
Getting a handle on risk will never be a bad thing. Just as our ability to be experts on controls, governance, process, etc. is still valuable, all the things we talk about with risk will be key to our success now and into the future. 
 
We can just never be complacent that we have found the solution to maintaining our relevance.

Posted on Feb 10, 2014 by Mike Jacka

  1. I'm not sure I understand you when you say, 'Because risk is today's issue.' I think risk has always been the issue and will always be the issue. The problem is where are the risks coming from in the future? That's where we have to be creative. For example, are we considering the risks of Google and Apple knowing our (and our senior executives') every move (through location on our smartphones) and our future moves (through calendars)? Let's hope their risk assessment and controls are good.

  1. Mike; Great post. I agree that "risk is today's issue" because there is an urgent need for internal auditors to better support boards of directors who are now explicitly on the hook for overseeing management's risk appetite and tolerance. However, in my opinion, the real frontier for IA is helping management and boards better define, communicate, continuously update and refine, and risk assess business objectives necessary for sustained success. To do that internal audit needs to transition from today's audit methods and tools to ones that start with an end result business objective and work towards identifying the current "composite uncertainty" of achieving the objective being assessed. I am doubtful that the majority of IA shops are well positioned today to transition to my vision of utopia - helping their organizations increase the certainty of achieving what they want and avoiding and mitigating what they don't want. It will require quantum change in customer expectations, regulatory expectations, professional qualifications, training and more. The IIA has the ability to significantly accelerate that evolution to internal audit utopia. I hope to see it in my lifetime.