The world is evolving faster than ever, especially when we consider the impact of technological advancement. The pace of change poses a unique challenge for internal auditors. To meet the challenge, auditors must be agile and always poised to address emerging risks. We also need to lead the charge when working with the other assurance teams such internal control, compliance, risk management, and many others.
Emerging risks are those area that seem to spring up and catch many off guard. These could be risks that are new or it could be known risks that suddenly reach a higher level. We can illustrate this idea with three examples:
Geopolitical disruption is certainly not new. The history of humanity is often told as a history of conflicts. However, the current geopolitical scene is experiencing new disruptions that many did not think would happen. With refugees fleeing countries for safer regions across the world, British voters choosing to leave the EU, the divisive nature of political discourse in the US, and violent protesting in Hong Kong, it seems the world is in a constant state of agitation. Your organization is currently impacted by this disruption, but have you addressed this risk with senior management?
Similarly, with technology we have seen disruption all throughout history. In this case, the emerging risk factor is the speed and pervasiveness that technological disruption is entering the world. Every industry and every corner of the world is being impacted by technology. As auditors, we need to be aware of how our organizations are being impacted by technology and how we are using technology. Both sides of this equation are extremely important with equal levels of risk involved.
What make cryptocurrency such an interesting topic is that it changes the way we think of money. Early on, money was made of the element that gave it value, like gold. Later we have the fiat system with money that only represents the element like a one-dollar bill representing one dollar’s worth of gold. Cryptocurrency leaves the entire system behind, and money is valued based on the value people ascribe to the currency through demand. There are many risks associated with cryptocurrencies, including exposure to fluctuations, human error, and hacking. Again, the challenge to us as auditors is to see the impact to our organizations. Even if your organization is not directly engaged in using these currencies, do you have major suppliers who are? What about your senior executives?
An agile combined assurance approach
We are poised to take on these emerging risks. How? GRC 20/20 has recently recommended taking an agile combined assurance approach. GRC 20/20 recently wrote about agile audit capabilities stating that “Organizations need an agile internal audit capability that brings together a coordinated strategy and processes. This is supported by a strong information and technology architecture that provides an integrated view of objectives, risks, compliance, controls, events in the context of audits.”
We should think of the audit plan in terms of no longer than one quarter at a time. During audit plan development, auditors should understand the scope and objectives of the work being performed by the other teams. The assessments and work planned by other assurance teams such as internal control and risk management, should be relied upon for coordinated audit coverage. Again, GRC 20/20 explains that, “the internal audit department should have a complete view of what is happening in the context of change.”
When CAEs approach the concept of coordination with other teams, the way to introduce the idea is generally sharing information with other departments that focus on risks and controls in a similar fashion to internal audit. Typically, this involves internal control teams, compliance teams, and risk management functions. Once the work is completed, coordination comes back into the conversation related to reporting. Issues can be aggregated and categorized using the same terminologies. This creates comprehensive reporting to give to the audit committee.
While this sounds simple on paper, we fully recognize the level of effort it takes to do this well. Through research and interviews, we have found that most groups will go through various stages of maturity for coordination. The underlying theme to this growth curve is the use of technology to standardize elements like terminologies, risk libraries, and reporting capabilities.
A common area of concern for all the groups involved is emerging risks. These risks cut across all the assurance functions and are top of mind for the board and audit committee. We recommend using emerging risks to start the agile combined assurance conversation. We all need to work together, and none of us are masters related to these specific risks. As a resource for everyone, we have compiled a Top 20 list of emerging risks that cross industries.