One of today’s pressing management concerns is: What is internal audit’s role in risk management?
There is broad agreement that internal audit has an important part to play in risk management, but just where to draw the line is always a controversial topic. Some make the argument that internal audit should play a lead role in risk management, setting the risk management agenda and advising management on risk issues. Others take a more traditionalist position, arguing that internal audit should only audit the risk management function.
It’s not surprising. These widely divergent views stem from major philosophical differences on the role of internal audit. As an internal auditor, I often ask clients and stakeholders what they believe to be my role. The answers tend to vary widely depending on the maturity level of the client’s internal controls environment. Government and public-sector clients might see internal audit as a function responsible for Internal Controls over Financial Reporting (ICOFR) and Internal Controls over Financial Systems (ICOFS). Others from this sector believe internal auditors perform assessments related to the Office of Management and Budget (OMB) Circular No. A-123, “Management’s Responsibility for Enterprise Risk Management and Internal Control,” as “control experts.” Some in the private sector point to internal audit’s responsibilities for Sarbanes-Oxley Act (SOX) compliance, while others say the internal auditor’s primary role is to uncover fraud, waste and abuse.
The one common reply, however, that internal auditors are the “controls experts,” rarely changes, which raises the question: Where did the internal audit profession fail in educating clients and stakeholders about internal audit’s roles and objectives?
If stakeholders have a narrow, limited view of the problems we solve as internal auditors, what are we doing collectively to change that perception? The noted psychologist Abraham Maslow observed: “If the only tool you have is a hammer, then every problem looks like a nail.” If stakeholders view internal auditors as only “control experts,” then Maslow’s quote can be rephrased: “If our only tools as internal auditors are controls, then every problem looks like a potential risk.”
If, as a profession, we want to think more broadly and completely about the role of internal audit in risk management, we need to think beyond controls. What tools does the internal audit function need, and when, to navigate the volatile and complex risk environment and create value?
The internal audit risk management toolbox should include the following:
- The identification of risks;
- The prioritization of risks;
- The evaluation of the underlying process, systems and management’s capabilities to manage risks;
- The design and implementation of internal controls to mitigate risks; and
- Continuous monitoring and evaluation of controls to determine their effectiveness in mitigating risks.
This is how clients and stakeholders should define our role as “control experts,” and it is this broader definition that allows internal auditors to create value for our clients.
In an earlier publication titled “Many Internal Audit Failures Stem from Misalignment with the Company Strategy” I defined the Internal Audit Value Chain (IAVC) and its key components. The IAVC is “Enterprise-wide initiatives impacting functional areas across every organization involving a combination of people, processes, technology, and tone-at-the-top to drive accomplishment of goals and profitability.” Internal audit’s role in the value chain requires understanding the organization’s: (1) strategic direction, (2) risk management and monitoring, (3) operational efficiencies, (4) quality and compliance, (5) financial reporting, and (6) responsiveness to customer and regulatory needs to create value. It’s important to keep in mind that these priorities are not static and vary as enterprise-wide objectives and needs evolve. In this article, part two, we are looking, as you have already guessed, at risk management and monitoring.
In the Institute of Internal Auditors’ Internal Auditor publication, “Optimizing Internal Audit,” I defined risk assessments, as they relate to ongoing organizational activities, to include two things: an understanding of the internal audit priorities that drive annual audit plans, and the information internal auditors obtain and evaluate through continuous interaction with stakeholders. Internal auditors simply must have a strong understanding of the macro and micro risks impacting their respective organizations.
Eight Steps to Navigate Volatile Risk Environments
There are eight primary steps internal audit teams can take in collaboration with stakeholders to identify and mitigate evolving risks that could have significant impact on their organizations if ignored. They include:
- Ensure collaboration among the Three Lines of Defense: There are many adaptations of the three-lines-of-defense approach that involve business lines, risk management, compliance and audit teams collaborating to identify and manage risks. KPMG provided a good example in a white paper by Doron Telem titled “The Three Lines of Defense: Making the Transition to a Mature Risk Management Model.” In this paper, Telem asserts that such collaboration “could entail workshops with management, as well as some external expertise and interviews (including with non-management individuals) to ensure as many issues as possible have been considered.” The IIA position paper “The Three Lines of Defense in Effective Risk Management and Control” provides an excellent baseline example. The IIA paper acknowledges the unique factors impacting every organization that must be considered in coordinating the three-lines-of-defense duties and the underlying role of each group in the risk management process.
To recap the three lines of defense approach:
- The first line of defense consists of Line-of-Business (LOB)/department managers, who are the risk owners.
- The second line of defense consists of risk management, control management and compliance professionals, who identify and mitigate risks with limited independence.
- The third line of defense consists of risk assurance professionals with greater independence, such as internal audit, reporting to an audit committee or governing body.
Prior to assigning any LOB lead as a “risk owner,” steps must be taken to validate that risk owners have the technical skills to understand the dynamic nature of the risks assigned to them. If a manager began as a bank teller 30 years ago, for example, and advanced through seniority into a leadership position, assigning key risks to such a manager without evaluating his or her skills in the context of the current operating environment would be a significant risk in itself. The threats to banking have evolved a great deal during the past 30 years.
The IIA paper concludes that all three lines of defense should exist in some form at every organization, regardless of size or complexity. A version of this framework, modified to fit the organization, is needed for any organization, including government agencies, to effectively identify and mitigate risks.
- Adopt a risk management methodology/framework: According to the IIA’s 2018 North American Pulse of Internal Audit report, Chief Audit Executives (CAEs) need to position internal audit to be an internal disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks.
An objective methodology should be used to evaluate and prioritize risks in the context of the organization’s strategic direction. The process should be ongoing and provide the flexibility to make timely changes as new information becomes available. A comprehensive risk assessment methodology should also include mitigation strategies framed in the context of the organization’s culture, processes, technology, resources and risk tolerance.
- Establish Operational Risk Management (ORM) and Chief Risk Officer (CRO) roles and authority: How much authority does the ORM function and CRO have in influencing key decisions? ORM is a highly specialized function requiring complex data analysis and modeling skills with responsibility to identify and monitor risk exposures against management’s appetite for risk.
Executives, committees, and business unit managers making key decisions might not view risks through the same lens as ORM experts. Could there be instances when ORM predicted an incident, but lacked the authority to mitigate the risks? It happens all the time. Any disconnects between ORM conclusions and management decisions should be taken seriously by an independent function such as internal audit and be targeted for further review.
- Conduct continuous monitoring and assessments: The concept of continuous auditing and monitoring is frequently discussed by internal audit practitioners but not often implemented. Plenty of literature exists on this topic. A Deloitte white paper, “Continuous Monitoring and Continuous Auditing: From Idea to Implementation,” for example, covers this topic in detail. The paper provides two key explanations as to why few organizations implement continuous monitoring and auditing. First, management has not seen a clear, strong business case for establishing either continuous monitoring or continuous auditing in their organizations. Second, management lacks a clear picture of how continuous monitoring and auditing would be implemented.
Given the increasing threats and dynamic nature of risks confronting many organizations, an inflexible or static “annual audit plan” approach might not provide the responsiveness needed for internal audit to quickly change course and address evolving risks. The use of Risk and Control Self-Assessments (RCSAs) seems, in theory, a practical approach. Analyzing the output from an RCSA alongside the skills of the risk owners might highlight inefficiencies in identifying and mitigating evolving risks.
- Prioritize and perform Test-of-Design (TOD) and Test-of-Operating-Effectiveness (TOE) for high-risk controls, processes and functions: Assuming the cost of implementing a control does not exceed its benefits, some element of prioritization is still needed to determine which controls to test and when. Internal controls that mitigate key risks to the organization across the various LOB functions are the logical places to start. Management and internal audit can also use other, more subjective factors, including operational or compliance needs, to determine additional areas in which to perform TOD and TOE.
Using limited organizational resources to perform extensive TOD and TOE without a focused approach based on risk or other factors is not ideal. With adequate planning and emphasis, TOD and TOE remain critical tools for management and internal audit to use in navigating volatile risk environments to create value. Findings from controls testing create value when recommendations are properly documented so that LOBs can understand the disconnects and see the value of remediating issues to prevent recurrence.
- Achieve Line-of-Business (LOB) collaboration and consensus on findings and recommendations: In order to gain collaboration from LOB leadership, internal audit should have obtained their blessing on which areas to review as part of annual or periodic audit planning. For the three lines of defense to function correctly, stakeholders, including ORM and the CRO, must collaborate extensively during the audit planning, execution, reporting and remediation phases. Without this level of participation, internal audit will run into several roadblocks along the way in navigating volatile risk environments. The interpersonal, problem-solving, communication and technical skills of the internal audit team are the foundations of any successful effort to obtain consensus on findings and recommendations. The desired output is LOB processes and controls that mitigate risks and prevent recurrence.
- Help foster a positive corporate culture (corporate culture vs. LOB sub-cultures, management skills and incentives, staff turnover and risk tolerance): The impact of failures of culture and tone-at-the-top is difficult to quantify or qualify, and such failures, if not properly addressed, are near impossible to correct in the long term. For example, the problems at Wells Fargo covered in Part One, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” which came to light in September 2016, still could not be quantified as of May 2018, although the damage to corporate reputation is clear.
Consistent failures stemming from poor tone-at-the-top, sub-culture clashes across different LOBs within an organization, lack of skills to identify and mitigate key risks, and inability to implement continuous monitoring and oversight of key functions are a few examples that could expose an organization (Starbucks and Facebook being high-profile examples) to significant risks. Internal audit may see these dynamics at varying levels while executing its mission. Failure to accept the reality and risks associated with these problems can be directly linked to the inability of the internal audit function to navigate volatile risk environments and thereby create value for the corporation.
- Consider external factors that could encourage excessive risk taking: Regulators frequently have a limited ability to effectively enforce regulations across industries to protect consumers and create desired outcomes. Regulators are often behind the times or unwittingly allow loopholes, often temporary, in the enforcement of regulations. Management will often use these loopholes or the “everyone is doing it” rationale to justify excessive risk-taking. Internal audit must understand the external factors and loopholes management may use to obscure the true risk landscape, and implement adequate processes to identify and mitigate the resulting risks.
While these eight steps do not define the totality of internal audit’s role in helping the organization identify and manage risk, they provide a solid roadmap for internal audit to navigate the volatile and complex risk environment and create value for the organization along the way. Executives and managers should empower risk management and internal audit teams to help quickly identify and prioritize risks, evaluate the underlying processes and systems related to risk management, and assess the design and implementation of internal controls to mitigate risks. Significant risks must be identified, and mitigation strategies and controls implemented in a timely manner to avoid long-term financial loss and reputational damage.
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a Principal at Synergy Integration Advisors, a consulting firm providing Audit and Governance, Risk and Compliance (GRC) solutions to federal government agencies, private-sector and not-for-profit organizations.