Ask successful leaders how they became successful and many will say, “I took the right risks at the right time.” Ask internal auditors how risks should be dealt with in their organization and many will say, “By eliminating or avoiding them.”
These differing perspectives on managing risks are at the core of an all-too-common disconnect between management and internal audit.
Don’t get me wrong. Internal auditors are right in trying to protect the organization and ultimately help management to reach its objectives. That said, consider a typical audit. The auditor comes in and asks a lot of questions about what could go wrong. Then the auditor presents a risk assessment that (typically) states all the bad things that could happen regardless of whether management has strong controls in place. The auditor proceeds to test his or her negative assumptions, culminating in a report that points out management’s failures and provides recommendations on how to eliminate the risks or improve controls to mitigate the risks to acceptable levels.
Now consider management’s perspective. They are running day-to-day operations and must make tough decisions to address problems as they arise, or seize on opportunities before they are missed. They are under pressure to reach certain objectives while sometimes being incentivized to focus elsewhere. Then an auditor shows up and begins asking questions about what could go wrong. Too often, management responds negatively, so the auditor pushes harder.
The audit cycle continues.
It’s important to point out that, at the very foundation of this issue, neither the auditor nor management is wrong. The problem goes back to the disconnect between management and internal audit that I referenced above. Auditors must shift their perspective from a need to eliminate or mitigate risks to one of ensuring management has the best information available to make informed decisions regarding risks.
When this shift in perspective occurs, the audit becomes less about what is right or wrong and more about ensuring management has the processes in place to best support high-quality decision making. Of course, where auditors suspect fraud or abuse, tactics must change, but an audit focused on supporting management’s ability to address risks and opportunities, rather than on documenting management failures, adds significantly more value to the organization. It also makes management much more likely to support the audit and implement the audit recommendations.
In the end, internal auditors and management have the same organizational objectives in mind — the added value that the auditor offers is to support the attainment of objectives through a healthy and pragmatic approach.
I welcome your thoughts on auditors’ perspectives on risks.