Organizations exist to provide value for their stakeholders, and increasing that value requires businesses to accept appropriate risks. But which risks? And how much uncertainty is too much? To make those decisions, management must evaluate and balance growth opportunities, goals, related risks, and effective deployment of resources, while never taking their eyes off the strategy and enterprise objectives.
Clearly, internal audit has an important role to play in this process. Yet some internal auditors are torn between performing traditional internal audit activities — the time-honored “tick and tie” procedures — and activities that contribute more directly to value creation. “Both those activities are important,” says Larry Baker, a senior leader in internal audit, enterprise risk management, and strategic planning in Oklahoma City. “Even when management is convinced the organization is doing everything possible to ensure that a process is working effectively, internal audit still needs to do an independent audit of the controls that make management feel so comfortable.”
However, in any business, time and resources are limited, and internal auditors who wish to serve as trusted advisors to the organization must ensure their efforts provide maximum return on investment. Priorities must be set. For some internal auditors, the act of prioritization may necessitate a fresh look at what matters most to the business.
Identifying the “Right” Risks
Bill Watts, partner at Crowe Horwath in Columbus, Ohio, recalls a time more than a decade ago when the approach to determining what to audit was not as thoughtful as it is today. Audits tended to be very structured and repeatable. Then came the U.S. Sarbanes-Oxley Act of 2002, which indirectly caused companies to re-examine their control structures and how to improve controls, leading to evolution in other areas. “Internal auditors today must think more broadly, across the enterprise,” he notes. “Where is the company strategy focused, what are the major initiatives, and where is the money being spent? Those answers tell you what’s important to the entity, and that’s where internal audit should focus.”
There is yet another question that can help internal audit identify the “right” risks to address, says Brad Ames, internal audit director for Hewlett Packard Enterprise in Palo Alto, Calif.: Who is accountable for a specific strategy? “Once you know that, you can build an authentic relationship with them and make them your stakeholders,” he explains. “Ask them what they see that would inhibit them from accomplishing their strategic objectives. Begin the risk discussion, always establishing visibility into risk so they don’t overvalue or fear it. Determine in advance how the partnership will accelerate business strategy. This context will help them feel more confident about the risk, making them less likely to allow it to cause them to undercommit to the strategy.”
In most organizations, one of the areas of focus will involve technology. All businesses must learn how to optimize the use of technology — not only in any technology-enabled products and services they offer to customers, but also in their own internal business processes for greater efficiencies and effectiveness. Many organizations’ strategies include specific objectives related to technology, a clear signal that internal audit must focus on it as well — in Ames’ words, “presenting itself as relevant to strategy.”
It is also important for internal auditors to recognize that, even as they raise their focus on strategic initiatives, they must maintain many customary audit activities, such as looking at segregation of duties, fraud potential, regulatory compliance, and transactions. However, Ames points out, even the traditional audit activities can and should “move toward strategy.”
The Risk Connection
Making a Case for a More Strategic Approach
Internal auditors can make inroads into altering their organization’s culture to accept a more strategic approach to internal auditing. Here are techniques the audit leaders interviewed for this article recommend to lay the groundwork and prove the department’s readiness:
- Even while performing traditional internal audit activities, have the courage to step outside the norm occasionally. Be sure to communicate the positive results of the “experimentation” and the ways it benefited the organization. Use that win to build the next one.
- Take the “journey begins with a single step” approach and start by making one small adjustment. Then, when the time is right, make another. The key is to take each step with the firm intent of going on the whole journey.
- Spend more time talking to customers and listen carefully to their responses. If you are doing a traditional activity such as matching invoices, spend an hour talking to the people who process the invoices. It’s often possible to learn more from hearing than seeing, and that knowledge, which may uncover previously unknown issues or opportunities, can help you build a case for expanding internal audit’s role.
- Polish your soft skills. Those who can ask good questions, establish relationships (within the bounds of independence and objectivity), listen carefully, and summarize succinctly are generally more effective in uncovering truths — and in building compelling business cases for desired outcomes based on those truths.
- Arm yourself with expertise before acting. In today’s environment, there is a lot of pressure to do more with less, add value, and show productivity. This may cause internal auditors to jump into activities they don’t fully understand. Don’t make that mistake. Be prepared. Perform research, get training, and ask experts to help you where needed. If you are given a chance to try something new, the odds of getting a second chance will depend on doing the first one well.
- Don’t fear failure. Not every effort will be a success, but that can’t be a reason to give up. Develop your resilience by learning from failure and moving on.
The upcoming revision of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework, scheduled for release in early 2017, describes an enterprise risk management (ERM) program that is highly interrelated with controls. Whether internal auditors use COSO ERM to guide their risk-driven strategic activities, or build their own frameworks based on its precepts and shaped by experience and common sense, Watts warns against “cherry-picking activities” from the framework. Focusing only on certain parts of a framework while ignoring others is likely to hinder generating full benefit from the process, perhaps even missing opportunities. Taking a broader, holistic view that aligns the organization’s ERM program with strategy facilitates internal audit’s understanding of the strategy itself and its role in the major initiatives the business deems critical to accomplish the strategy.
This is not to say that an internal audit focus on organizational objectives, as outlined in the strategy, automatically improves ERM within the organization. “Hopefully it does, but it’s far from given,” says Charlotta Löfstrand Hjelm, chief internal auditor at Lansforsakringar AB in Stockholm. “If there is no objective, there is no risk. The important thing is to show where value is created and how it can be affected by certain unwanted events — or enhanced, if we can articulate how to capture this.” Showing how goals affect value and risk in other areas can be helpful, as can positioning objectives as the link between the audit plan — including consulting and advisory activities, not only assurance audits — and the different plans from the organization, such as strategic plans, business plans, and risk reports.
Auditors tend to be good at using a risk-focused approach. In fact, Ames speculates that management tends to perceive internal audit as being all about compliance or risk. In his view, a risk-based approach is “our foundation,” but internal auditors should be more focused on increasing value to the business, positioning internal audit as partners in strategy.
The Need for Speed
A phrase often used to characterize one aspect of the relationship between internal audit and risk management is that internal auditors must “audit at the speed of risk.” In today’s business environment, types of risk, likelihood of occurrence, and degrees of impact change almost daily. If internal audit is focused on supporting strategic objectives, and if a key factor in accomplishing those objectives is understanding the risk surrounding them, then the speed at which internal audit can identify and act on risk is important. Internal auditors must find ways to remain informed and take proactive measures.
Lisa Lee, vice president, Audit at Google Inc. in Mountain View, Calif., says in a fast-paced environment, the key for internal auditors to add value is to communicate concerns quickly. “Where it makes sense, engaging early with process owners to conduct risk assessments and assess control design effectiveness will help provide clarity on the highest risks that need to be managed,” she explains. Moreover, she says, “Assessing the maturity of controls can help provide meaningful information, as manual or detective type controls may be appropriate when a process or product is first launched, but as the process or product matures and scales, so should controls.” Using a maturity model, such as a scale from 0 (indicating a nonexistent control) to 5 (indicating an optimized control), can be helpful in instances where there may be a need for more robust controls.
The traditional approach of having an annual audit plan may not mesh well with the speed of today’s business. Internal auditors may struggle to adhere to the plan while also trying to accommodate constant change and ensure focus remains on the most critical risks. Lee notes that at Google, internal audit maintains a running list of initiatives and commits to a quarterly audit plan based on addressing the current high risks.
Making changes to the way internal audit operates may not always be welcomed with open arms. In some organizations or industries, long-established cultures and beliefs may not lend themselves to change — at least, not easily or quickly. If traditional internal auditing is the organization’s expectation, the audit department must continue to perform it as effectively as possible, making sure to contribute value and communicate that value regularly (see “Making a Case for a More Strategic Approach,” above).
Lee says she believes in letting the work speak for itself. “Management appreciates receiving relevant and timely information,” she explains. “If internal audit can provide information that will help executives do their job better or help them achieve their goals, then buy-in isn’t a problem because they see value in internal audit’s work.”
But what if it is internal audit’s own leadership that needs to be convinced of the value of a more strategic approach to internal auditing? According to Ames, “It’s difficult for audit departments to break through from a routine, traditional approach to a more optimized, innovative view without support from the leadership in the audit department, itself. You might have a few who reach those levels, but never the whole department. And internal audit won’t become a partner in the strategy.”
The CAE is the linchpin. When risk is discussed in the organization, the CAE must step up to highlight the need for a strategic approach and explain the audit committee’s mission. If the mission described in that explanation is focused only on protecting, the opportunities for enhancement may be limited. The opportunities are even more limited if the CAE chooses not to listen to his or her internal auditors’ suggestions for how they can contribute more value to the organization. “Then perhaps it is time for the CAE to move on to another position,” Hjelm suggests, while also admitting, “This is, of course, easy to say, but hard to do.”
A Value-producing Proposition
Regardless of where in the organizational chart minds need to be changed, those internal auditors who understand that expanding their efforts across the organization’s value chain can help the department deliver increased risk coverage, cost savings, and measurable value to the business must carry the flag. And, in fact, that advocacy can play a key role in reaching the career goal many internal auditors set for themselves: becoming a trusted advisor. Hjelm explains that when risk turns to value, assurance also transforms to insight — a transformation expected of a trusted advisor. She counsels, “The audit report is not the main result of our work. The main result becomes our identification and description of what consequence a risk or a combination of risks has. Internal auditors’ understanding, knowledge, and ability to communicate in business language can help the board and C-suite focus on ‘hot’ areas.”
Focusing internal audit’s activity on the strategic objectives that matter most to the organization is a value-producing proposition. And, in fact, while it is a topic of attention now, it may not be an entirely new concept. Perhaps it is, instead, a matter of recommitting to basic, long-held beliefs that may have slipped out of view for a time, in the rush of checking items off the daily to-do list. Baker notes, “We sometimes forget that our whole life in internal audit has involved objectives, risk, and controls. Sometimes we focus more on controls, other times we zero in on risk. But objectives have always been there. And if we don’t assess risk and controls with objectives in mind, why do it?”
From Critical Objectives to Critical Risks
Critical objectives often have critical risks. Knowing how to identify those risks, prioritize them, and develop mitigation plans can help internal audit focus its efforts on value-producing activities for the organization. The following process, described by Larry Baker, has been in use at his previous employer, Devon Energy Corp., for many years. Each step is facilitated by internal audit.
Step 1 Identify and Define the Risks
- Based on their understanding of the organization’s strategic objectives, opportunities, and related risks, senior executives and other management identify major risk areas most important to the company. At Devon, this tends to be approximately 20 risk areas.
- Each risk area’s leader defines the risk, details the scope, and identifies two to four inherent risks in that area. The resulting list encompasses between 50 and 60 inherent risks.
- Employees who are knowledgeable about those inherent risks identify factors that drive each inherent risk (control weaknesses), the ERM activities in place to manage the risk (controls), and gaps or opportunities for improvement. They then develop recommendations for how to better manage the risk as needed.
Step 2 Rate the Risks
- Each year, the board, executives, and other management complete a survey on the 20 risk areas. They rate each in four categories: probability, velocity, readiness, and financial impact. Devon’s survey is fundamentally the same each year, which enables the company to compare results and trends.
Step 3 Address Risk in Detail
- Every quarter, a cross-functional group of vice presidents for three of the 20 risk areas is brought together for a two-hour workshop to focus on the inherent risks for those three areas. The group votes on how effectively the risk is being managed and how effectively it should be managed, then examines the gap between the two results. The gaps are discussed in order of size, largest gaps first.
- The focus is on determining whether there is anything the company should be doing that it isn’t doing, or if any new risks are emerging.
It takes approximately 18 months to cover all 20 areas. Internal audit uses these results to identify any new information or changes that need further examination. Significant changes often relate to areas most critical to the organization and, therefore, guide internal audit’s effort in valuable, strategic, and risk-driven directions.