This is Part II – Risk Management and Monitoring of a revised six-part series on the internal audit value chain (IAVC).
“According to the IIA, Internal audit can serve as a disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks, while factoring the rapid pace of evolving risks.”
Initial publication – June 27, 2018. Updated – May 15, 2020.
Whenever it comes to talking about internal audit’s role in risk management, things always get a little dicey. Everyone agrees that internal audit has a vital part to play in risk management, but just where to draw the line is still a controversial topic. Some think internal audit should play a lead role in risk management, setting the risk management agenda, and advising management on risk issues. Others take a more purist position, stating that internal audit should only be there to audit the risk management function.
It’s not surprising. There are widely divergent views on the job of internal audit in general. As an internal auditor, I often ask clients and stakeholders what they believe to be my role. The answers tend to vary widely depending on the maturity level of the client’s internal controls environment. Some see internal audit mainly as the function in charge of the Sarbanes-Oxley (SOX), and the Office of Management and Budget (OMB) compliance, while others say that it is to uncover fraud or malfeasance. The one standard reply, however, that internal auditors are the “controls experts,” rarely changes. I wonder what responses these clients and stakeholders will provide as answers to the same question post-COVID-19.
That makes me ponder. Where did I fail in educating clients and stakeholders about internal audit’s roles and objectives?
If stakeholders have a narrow and incorrect idea of the problems we solve as internal auditors, what are we doing collectively to change that perception?
This well-known quote by psychologist Abraham Maslow illustrates how easy it can be to incorrectly define a problem: “If the only tool you have is a hammer, then every problem looks like a nail.” If stakeholders view internal auditors as only “control experts,” then I can correctly rephrase Maslow’s quote to say: “If our only tools as internal auditors are controls, then every problem looks like a potential risk.”
If we want to think more broadly and entirely about the role of internal audit in risk management, we need to think beyond controls. The unprecedented impact from COVID-19 emphasizes the need for internal audit to view problems as potential risks (emerging and evolving risks) and think beyond controls. Internal audit must proceed with caution. Identifying, prioritizing, and mitigating risks (including emerging risks and threats, and the pace of rapidly evolving risks) belongs to the risk owner—management. In the process of adding value by helping management solve problems, they recognize as vital; internal audit can provide support without compromising its independence.
- Understanding your organization’s strategic objectives is a starting point.
- Providing support for management to identify and mitigate risks that impact the accomplishment of your organization’s strategic goals and objectives is the next logical step.
- This is the first step towards performing audits and reviews that matter.
So then, what tools are required for the modern internal audit function to navigate the volatile and complex risk environment to create value?
In Part – 1 of the Internal Audit Value Chain (IAVC) – “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I provided justifications for internal auditors to think in the context of a “value chain” and the steps required to maintain that “value creation” objective as a starting point. Creating value is not enough. Steps must also be taken by internal audit to help their management teams to “capture value” and “sustain value” for the organization. This requires an End-to-End (E2E) internal audit value chain mindset.
The internal audit risk management toolbox should include the following to support management without compromising its independence:
• The identification of risks (include emerging risks and factor the pace of rapidly evolving risks)
• The prioritization of risks (avoid being blindsided from risks exposed by pandemics like COVID-19)
• The evaluation of the underlying processes, systems, and management’s capabilities to manage risks
• The design and implementation of internal controls to mitigate risks (especially strategic risks)
• The continuous monitoring and evaluation of controls to determine their effectiveness in mitigating risks
These are essential ways we can create value as internal auditors and help our management teams to capture the value and sustain value. This is how clients and stakeholders should define our roles as “control experts.”
The Internal Audit Value Chain (IAVC)
It’s been well established that internal audit must seek to add value if it is to prove its worth in the organization. In the first article in this series, “Many Internal Audit Failures Stem from Misalignment with the Company Strategy,” I defined the IAVC and its key components. The IAVC includes “the enterprise-wide initiatives impacting business functions, involving a combination of people, processes, technology, and corporate culture to drive the accomplishment of strategic goals and sustain profitability.” Internal audit’s role in the value chain requires an understanding of the organization’s:
- Strategic direction and alignment
- Risk management and monitoring
- Operational efficiencies to include Continuous Process Improvement (CPI)
- Quality and compliance
- Financial management and governance
- Responsiveness to create, capture, and sustain value while adapting to the changing business environment.
It’s essential to keep in mind that these priorities are not static and vary as enterprise objectives and needs evolve. In this article, Part two, we are looking, as you have now guessed, at risk management and monitoring.
In the Institute of Internal Auditors’ Internal Auditor publication, “Optimizing Internal Audit,” I defined risk assessments as they relate to ongoing organizational activities to include: an understanding of internal audit priorities that drive annual audit plans and information obtained and evaluated by internal auditors from continuously interacting with stakeholders. Internal auditors simply must have a strong understanding of the macro and micro risks and emerging risks impacting their respective organizations.
Eight Steps to Navigate Volatile Risk Environments
There are eight primary steps internal audit teams can take in collaboration with stakeholders to identify and mitigate emerging and evolving risks that could have a significant impact on their organizations if ignored. They include:
1) THREE LINES OF DEFENSE COLLABORATION: There are many adaptations of the three lines-of-defense (LOD) approach to involve business lines, risk management, and compliance and audit team collaboration in identifying and managing risks. KPMG provided an excellent example of collaboration in a white-paper by Doron Telem titled “The Three Lines of Defense: Making the Transition to a Mature Risk Management Model.” In the paper, Telem asserts that such collaboration, “could entail workshops with management, as well as some external expertise and interviews (including with non-management individuals) to ensure as many issues as possible have been considered.”
I prefer consulting the IIA position paper: “Three Lines of Defense in Effective Risks Management and Control” as the base-line. The IIA paper acknowledges the unique factors impacting every organization that must be considered in coordinating the three LOD duties and the underlying role of each group in the risk management process.
For a recap of the three LOD:
• The first LOD consists of department managers who are the owners of risks.
• The second LOD consists of risk management, control management, and compliance professionals with limited independence identifying and mitigating risks.
• The third LOD consists of risks assurance professionals with greater independence, such as internal audit reporting to the audit committee or other governing body.
Before assigning any Manager as a “risk owner,” steps must be taken to validate that a risk owner has the technical skills to understand the dynamic nature of the risks assigned to them. If a Manager began as a bank teller say 30 years ago, for example, and excelled through promotions into leadership positions, assigning key risks to such a Manager without evaluating his or her skills in the context of the current operating environment would be significantly risky. The threats to banking have evolved a great deal during the past 30 years.
The IIA paper concludes that all three-lines should exist in some form at every organization, regardless of size or complexity. A modified version of this framework is needed to include lessons learned from COVID-19 for any organization, including government agencies and institutions, to identify and mitigate risks effectively.
2) EFFECTIVE RISK MANAGEMENT METHODOLOGY: According to the IIA’s 2018 North American Pulse of Internal Audit report, Chief Audit Executives (CAEs) need to position internal audit to be an internal disruptor, relentlessly challenging the status quo and identifying and focusing on emerging risks. According to the IIA’s 2019 report, “over the past decade, the speed at which risks emerge and evolve has accelerated dramatically, compelling organizations to adopt new strategies and reorder priorities to survive and thrive in an increasingly complex risk environment.”
An objective methodology should be used to evaluate and prioritize risks in the context of the organization’s strategic direction. The process should be simple, ongoing, and provide flexibility and agility to make timely changes as new information becomes available. A comprehensive risk assessment methodology should include mitigation strategies in the context of the organization’s resources, culture, processes, technology, and risk tolerance.
Can internal audit adopt a simple risk management framework that provides flexibility to address emerging and evolving risks and the agility to adapt to the changing business environment? Complexity is the enemy.
To demonstrate its end-to-end value creation, value capture, and value sustainment capabilities, internal audit must focus on simplicity and sustainability. Internal audit can’t provide complex solutions towards addressing complex risk management challenges that are emerging and evolving at an accelerated pace.
3) ESTABLISH CLEAR ROLES AND AUTHORITY: How much authority does the Operational Risk Management (ORM) function and the Chief Risk Officer (CRO) have in influencing critical decisions at your organization? For big organizations, ORM is a highly specialized function requiring complex data analysis and modeling skills with the responsibility to identify and monitor risk exposures against tolerance levels.
Executives, committees, and business unit managers making key decisions might not view risks through the same lens as ORM experts. Could there be instances when ORM predicted an incident but lacked the authority to mitigate the risks? It happens all the time.
Small organizations do not need formalized ORM and CRO functions. However, there must be an independent process with adequate oversight responsibilities to identify and prioritize risks and address challenges related to emerging and rapidly evolving risks. Any disconnect between ORM or risk management oversight teams’ conclusions and management decisions create challenges for an independent function such as internal audit.
4) CONTINUOUS MONITORING AND ASSESSMENTS: I have always wondered why the concept of continuous auditing and monitoring is frequently discussed by internal audit practitioners but not often implemented. Plenty of literature exists on this topic. A Deloitte white-paper, “Continuous Monitoring and Continuous Auditing: From Idea to Implantation,” for example, covers this topic in great detail. The paper provides two critical explanations as to why few organizations implement continuous monitoring and auditing.
- First, management has not seen a clear, strong business case for establishing either continuous monitoring or continuous auditing in their organizations.
- Second, management lacks a clear picture of how continuous monitoring and auditing would be implemented.
Internal audit should develop a strong business case and provide a clear picture for management to decide on continuous monitoring and auditing. Given the increasing threats and dynamic nature of risks confronting many organizations, an inflexible or static “annual audit plan and risk management” approach will not provide the responsiveness needed for internal audit to change course, and help management identify and mitigate risks (including emerging risk and rapidly evolving risks) quickly. Did the organizations that implemented continuous monitoring and auditing respond and adapt better to the COVID-19 challenges? My instinctive answer is, yes.
5) TEST HIGH-RISK CONTROLS, PROCESSES, AND FUNCTIONS: Performing audits and reviews that matter is a critical value-creation step for internal audit. If it does not impact strategy, does it matter? My instinctive answer here is no.
If the cost of implementing a given control should not exceed the benefits of that control, then some element of prioritization is needed to determine which controls to test and when. Internal controls that mitigate key risks to the organization across various business functions are the logical places to start. Management and internal audit can use other subjective factors to include operational or compliance needs and determine other areas to perform Test-of-Design (TOD) and Test-of-Operating Effectiveness (TOE).
Using limited resources to perform extensive TOD and TOE without a focused approach on risks and strategy implications is not ideal. With adequate planning and emphasis, performing TOD and TOE remain critical tools for internal audit to use in navigating volatile risks environments. Findings from controls testing, or Continuous Process Improvement (CPI) projects create value if recommendations are appropriately documented in a way management can understand. This speeds up corrective actions enabling management to “capture value” and “sustain value.”
6) CONSENSUS ON FINDINGS AND RECOMMENDATIONS: For any collaboration to be expected from management, and executive leadership, internal audit should have obtained their blessing on which areas to review as part of annual or periodic audit planning. Perform audits and reviews that matter. For the three-lines-of defense to function appropriately, stakeholders—including ORM and CRO—must collaborate extensively during the audit planning, execution, reporting, and remediation phases. Without this level of participation, internal audit will run into several roadblocks along the way to navigating volatile risks environments. The interpersonal, problem solving, communication, and technical skills of the internal audit team are the foundations of any effort to obtain consensus on findings and recommendations.
7) FOSTER A POSITIVE CORPORATE CULTURE AND TONE: Quantifying and qualifying the impact of failures of culture and tone, if not adequately addressed, are near impossible in the long term. Consistent shortcomings stemming from the poor tone, sub-culture clashes across different functions within an organization, lack of skills to identify and mitigate key risks, and inability to implement continuous monitoring and adequate oversight are a few examples that could expose an organization to significant risks and losses.
Internal audit will see these dynamics at varying levels while executing our missions. Failures to accept the reality and risks associated with these problems can be directly linked with the inability of the internal audit function to navigate volatile risks environments to create value, capture value, and sustain value.
8) EXCESSIVE RISK-TAKING: There are no easy solutions for regulators to effectively enforce regulations across industries to protect consumers and create desired outcomes. Regulators are often behind the times or allow loopholes—often temporary—in the enforcement of regulations. Management will often use these loopholes, or the “everyone is doing it” rationale to justify excessive risk-taking. Internal audit must understand external factors and loopholes used by management to obscure the true risk landscape and implement adequate processes to identify and mitigate risks.
While these eight steps are not the totality of internal audit’s role in helping the organization identify and manage risk, they provide a reliable roadmap for internal audit to navigate the volatile and complex risk environment and create value for the organization along the way.
Executives and managers should empower risk management and internal audit teams to help quickly identify risks, prioritize risks, evaluate the underlying process and systems related to risk management, and assess the design and implementation of internal controls to mitigate risks. Significant risks must be identified, and mitigation strategies and controls implemented promptly to avoid financial losses and reputational damage.
Jonathan Ngah, CISA, CIA, CFE, CGFM, is a principal at Synergy Integration Advisors, a professional services firm providing internal audit outsourcing and internal audit co-sourcing services to government institutions, private-sector, and not-for-profit organizations in the US and the Asia Pacific (APAC) regions.