An auditor walks into a bar. He tells the owner, “I am here to help you. What are your biggest risks; what keeps you up at night?” The owner replies, “My biggest risk is that bartenders may serve underage drinkers. This represents a significant compliance, financial, and reputational risk for my bar.” The auditor, pleasantly surprised to hear such a knowledgeable owner, says, “Thanks — I really appreciate the input. So, let’s start with an inventory count.”
It doesn’t take much effort to learn what our clients consider their biggest risks. However, we seem to avoid certain areas — even when clients express specific concern about them. One reason may be that we have not made the connection between the risks and the process. But it also might be that we find the process hard to define, we don’t think it is part of our audit universe, or we’re just a little afraid to go into unknown territory.
There are three risk areas our clients consistently rate as significant: reputation, human capital, and money. Nonetheless, internal audit seldom explores certain areas that impact those risks significantly.
Ethics Across organizations and industries, ethics is foundational to risk and control frameworks, and it is at the core of reputation. Even the fallout from episodes like the 2010 BP oil spill in the Gulf of Mexico was as much about perceived ethical lapses as it was the spill itself. Yet few auditors even consider the impact of ethics in individual audits. And while ethics is hard to define and hard to test, difficulty should never be the cause for us to ignore a risk.
Human Resources Depending on an organization’s structure, human resources can oversee everything from hiring to development to personnel policies to anything else that touches on human beings. To complicate matters, human resource departments are not accustomed to being reviewed and may be somewhat protective of the sensitive information they handle. But the most important resource of any organization is its people, and we have a responsibility to provide assurance that this resource is protected and developed.
Marketing Where does all the money go? For most organizations, anywhere from 5 to 15 percent of revenue is spent on marketing activities. Some audit functions have made forays into this area by performing reviews of advertising — often doing little more than making sure payments match the bills. But there is a lot more to marketing than just the ads. Upon review, auditors will encounter unfamiliar concepts and jargon that may confuse more than confirm. But this isn’t a reason to shy away from an area that significantly impacts the money spent on the organization’s brand and reputation.
If I am wrong — if you have taken the plunge and are creating impactful results in these areas — please let me know. But I think most auditors are still living in denial, fear, ignorance, or a little bit of all three.