The delivery of sustainable stakeholder value in the 21st century requires internal auditors to focus on both value creation (offense) and value preservation (defense). While internal audit’s focus on value creation has been increasing recently, many stakeholders still perceive its greatest contribution to be value preservation. Preserving value involves safeguarding against potential risks, thereby enabling the achievement of short-, medium-, and long-term objectives.
The value preservation imperative represents an organization’s obligation to demonstrate that it is taking adequate steps to defend against value erosion, reduction, or destruction. Internal audit needs to be mindful of how its organization is fulfilling this obligation. By viewing risk through the lens of corporate defense, auditors have an alternative way to think about managing risks and protecting value.
The Defense Program
Corporate defense is synonymous with value preservation. A corporate defense program represents an organization’s collective program for self-defense. A comprehensive corporate defense program requires a multidisciplinary approach that involves aligning, coordinating, and integrating eight distinct disciplines: governance, risk, compliance, intelligence, security, resilience, controls, and assurance (see “The Elements of Corporate Defense” below).
As internal audit develops its risk assessments and audit plans, it should evaluate each of these components to determine whether they are incorporated into the organization’s corporate defense framework and to assess whether they are being managed appropriately. Auditors need to fully appreciate the positive contribution each of these components makes both individually and collectively. Effective corporate defense requires a clear understanding of the continuous interaction, interconnections, and critical interdependencies that exist among these components. These complementary disciplines continuously impact one another in today’s complex organizations. In fact, the symbiotic nature of their relationships means that each contributes to, and receives from, each of the other components.
As organizations have developed these unique functions and disciplines, the boundaries between these components have become blurred. Therefore, it is difficult to determine where one component ends and another begins. Each component provides a different but essential perspective on dealing with risks. For example, viewing any issue through a risk-centric lens will produce a different perspective than when viewing the same issue through a compliance-centric lens.
By considering these many different perspectives, internal audit can develop a more holistic view of any issue and provide management with insight to help it avoid potential blind spots. Cross-referencing each of these specialist disciplines can help provide the organization with a robust system of checks and balances and help ensure that each of these disciplines becomes ingrained into day-to-day activities.
The Risk Component
Organizations naturally face a variety of different risks in the course of their business, and therefore they need to have an adequate system in place to manage risk at strategic, tactical, and operational levels. Enterprise risk management (ERM) frameworks such as The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrating With Strategy and Performance and ISO 31000 can help provide a system to organize standard risk management activities to ensure that the risk component is addressed adequately within the corporate defense program (see “COSO ERM: Getting Risk Management Right”).
Internal auditors, however, need to examine how the risk component relates to the other critical corporate defense components, particularly such issues as governance risk, compliance risk, intelligence risk, security risk, resilience risk, control risk, and assurance risk. Conversely, internal auditors also should consider how these other components relate to the risk component — specifically, risk governance, risk compliance, risk intelligence, risk security, risk resilience, risk controls, and risk assurance. Such cross-referencing represents the essence of a robust corporate defense program.
Internal Audit’s Risk Assurance Role
IIA Standard 2120: Risk Management states, “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.” The standard goes on to say, “Risk management processes are monitored through ongoing management activities, separate evaluations, or both.” Ongoing management activities are represented by the eight components of the corporate defense model.
As the organization’s primary provider of independent assurance, internal audit must consider the effectiveness of each risk component in its totality to provide comprehensive risk assurance at strategic, tactical, and operational levels. This involves reviewing, assessing, and reporting on the effectiveness of a complicated, highly interrelated risk environment all the way from the boardroom to the front lines of the organization. Evaluating the organization through the lens of the eight critical components of the corporate defense model provides an alternative perspective to both COSO ERM and ISO 31000.
The requirement to provide comprehensive risk assurance may be one of the more serious challenges the internal audit profession faces. In this regard, internal auditors should begin by determining whether their organization has a formal corporate defense strategy in place. They also should report on the extent to which the organization has established a structured and integrated corporate defense framework. Moreover, auditors should review the current maturity level of each of the corporate defense components.
The Elements of Corporate Defense
A comprehensive corporate defense program includes these interrelated elements.
- Governance: How the organization is directed and managed, all the way from the boardroom to the front lines.
- Risk: How the organization identifies, measures, and manages the risks to which it is exposed.
- Compliance: How the organization ensures that its activities conform with all relevant mandatory and voluntary requirements.
- Intelligence: How the organization ensures that it gets the right information, for the right purpose, in the right format, to the right person, in the right place, at the right time.
- Security: How the organization ensures that it protects critical assets such as its people, information, technology, and facilities from threats.
- Resilience: How the organization ensures that it has the capacity to withstand, rebound from, or recover from the direct and indirect consequences of a shock, disturbance, or disruption.
- Controls: How the organization ensures that it has taken appropriate actions to address risk and help make certain that the organization’s objectives will be achieved.
- Assurance: The system in place to provide a degree of confidence or level of comfort to the stakeholders that everything is operating satisfactorily.