As I reflect upon the last 20 years of my career in Internal Audit, there are two constants: an ever-changing business environment and the continual challenge of incorporating risk into our audit activities. With risk continually at the forefront of the profession, having been incorporated into our authoritative guidance, why is it that I run across so few people who are satisfied with their risk program and the role it plays in the work of internal audit? With effective risk programs remaining elusive I am reminded of King Arthur’s search for the Holy Grail. Will incorporating risk into internal audit remain unfinished as was the grail quest?
Now I am sure that there are those who feel they have implemented effective, value-added Risk Management programs in their departments and their companies. I just haven’t met enough of these people to reach that conclusion. Consider also that those small- to medium-sized companies that would benefit greatly from an effective Risk Management program are those that can least afford the ongoing costs of such a program. So rather than get into a debate about anecdotal risk success stories, let’s look at what Internal Audit can do to successfully incorporate a risk strategy into our auditing activities to help our companies begin to be risk-focused in their daily activities.
First, we must start with the proper perspective. Instead of considering all risks that could impact the organization anywhere, anytime as would be done in a comprehensive Enterprise Risk Management (ERM) based approach, an alternative is for Internal Audit to pursue a more limited approach that focuses upon risks to specific company initiatives and programs. Limit the risk focus and shrink the scope of risk efforts to those projects that are management’s current priorities. Internal Audit can focus on those risks that will directly impact the company’s existing strategies, goals and initiatives; the company’s annual plan, if you will.
Once a function decides to address risk in this fashion, there are some foundational elements and factors to be considered, including the following:
- Establish a forward-looking Internal Audit function. Managing risk is about tomorrow, not yesterday.
- Be realistic about your department’s capabilities and positioning in the organization. If your department is not already viewed as a valued contributor, your initial project should be one where you can ensure yourself of a victory.
- Develop the department annual and mid-term audit plan in consideration of the company’s major goals, initiatives and strategies. Individual audits must be performed where risk – both positive and negative – can have the greatest impact upon the organization.
- Fully embrace a Risk Model as the foundation of the audit approach. Consider a model such as COSO that encompasses Financial, Operational, Compliance and Strategic risks.
- Audit scope must continually assess the company’s ability to manage and mitigate those risks that are the greatest barriers to successfully achieving stated goals and objectives.
- Consider all of the elements that the company is employing to achieve its objectives (Human Resources, Technology, Operations, Commercial, and Financial). For example, if the organization’s key initiatives are dependent upon a technology solution or access to financial capital, are those resources available at a level sufficient to ensure success?
- Align audit activities, recommendations, reports and board reporting with the company’s goals, initiatives and strategies. The language of Internal Audit must be aligned with the language of the C-Suite and the Board.
- Internal Audit must communicate to the C-Suite and the Board this alignment as it is undertaken and then consistently communicate in all correspondence an assessment of the risk environment and the company’s adequacy in addressing existing and emerging risks.
King Arthur never completed his quest for the grail. Internal Audit has been on its own quest for decades, but success in the area of Risk remains elusive. By employing a limited, yet focused, approach to addressing risk, Internal Audit has the opportunity to finally complete its quest and in the process position itself for the profession’s next challenge – increasing enterprise value.