At a recent internal audit conference, I asked audience members to raise their hands if their department had provided opinions on internal control effectiveness, risk management effectiveness, compliance effectiveness, or loss management practices. With few exceptions, attendees indicated that they focused only on the effectiveness of controls.
Research shows that risks contributing to the majority of significant loss in value are not subject to audit. A study by research and advisory firm CEB, now part of Gartner Inc., found that internal audit time is focused in inverse proportion to the areas of the business where major losses of value occur. Controls, not value, are driving audit resources.
Years ago, when drivers would pull up to a gas station, someone would "audit" their car. An attendant would manually test tire pressure, check the car's oil level, and possibly inspect the transmission and radiator fluids to ensure safe and reliable vehicle operation. Today, these controls are automated and displayed on a dashboard. Can auditors do the same in business? "The Process Pyramid" below depicts the hierarchy of business processes. At the top of the pyramid are strategic, value-adding processes that are often neglected by internal auditors. The bottom two levels of day-to-day activities and regulatory compliance activities are critical, but they are intended to protect business.
Focusing on control-intensive, day-to-day business processes does not constitute a value-added audit strategy. Is internal audit hampering the automation of controls by continuing its focus on these activities? The time has come for internal auditors to step aside from their focus on internal control and transform their practices for assessing control effectiveness.
Shifting the Focus
Suppose internal audit collectively adopted the premise that practitioners can only add value if they focus on areas with the greatest value-add potential. With that assumption, how can internal auditors develop a different way of looking at the audit universe? The Three Value Questions below are designed to help identify what's important and pinpoint those areas where internal audit should place its focus.
Years ago, I was the chief audit executive of an oil and gas company. I had as many as 90 internal auditors on staff. We focused our efforts and built a risk-rated audit universe around refineries, terminals, pipelines, and gas stations. Essentially, we audited physical inventory and the systems that accounted for volumes and values.
In those days, the stock market did not assign any premium to our ability to maintain and manage inventories. The best inventory control systems received zero value. Poor operational risk management was a negative factor. Zero was the top score. Failure to manage risks in core business activities eroded value. Success was expected and not rewarded.
But what drove the value of oil businesses at that time was the ability to find and develop oil and gas reserves. The value of these reserves is determined by complex geological, engineering, and economic models. Reserve values far exceeded the value of crude and refined product inventories. Nonetheless, my staff spent virtually no time verifying proved and probable reserves. I estimate that if our audits reduced inventory losses by .05 percent, we preserved value of about $4 million but added none. Focusing on the value of proved reserves, though, would likely have added or preserved 10 times that amount, and probably with one-third the staff.
If a business activity is a critical but non-value adding, consider reducing its priority from an internal audit perspective. Look for ways to automate controls and hand accountability back to business management to run it. Help the business get rid of the dip sticks and tire pressure gauges. Business management can manage core business processes perfectly well. If they don't, you have a management problem, not a control problem.
Scan the horizon for emerging risks and opportunities. While non-value adding activities should be de prioritized, they may still contain the potential for catastrophe. Those risks cannot be ignored, and ensuring catastrophic risks are identified and managed is as important as auditing value adding strategic activities.
The answers to the three value questions change all the time and must be reviewed at least annually to reflect the economic and competitive environment. And often the answers are intangible. Years ago a stock market analyst proved that the key value-adding activity for airlines was improving customer experience and recommended buying airline stocks based on his assessment. His recommendations turned out to be accurate. But you will not find "customer experience" on the balance sheet or in an office. Nor is it a value adding activity in the airline business today.
The Limits of Control
Years ago as a volunteer fireman in my community, I was assigned to assist in a fire inspection at a local school. I was a professional internal auditor and thought I knew exactly what to do. I started by counting and inspecting fire extinguishers. My colleagues with more experience told me to stop. They explained that while fire extinguishers were effective controls, they only worked if there was a fire. Our job was to prevent fires in the schools. If we relied entirely on fire extinguishers, then we implicitly would be willing to accept the risk of a fire and be prepared to extinguish it.
What we did instead was look for sources of ignition and flammable materials. By eliminating either of those completely, the risk of a fire was virtually eliminated. Keep the fire extinguishers, but recognize their limitations. Fire extinguishers are only useful if you are prepared to tolerate the occasional fire.
By extrapolating from the fire extinguisher example, it is possible to propose a model for getting auditors out of control and deeply involved in the rest of the business. The Four Quadrants Model below assesses the level of each risk, using a conventional consequence x likelihood method, and introduces a "risk acceptance willingness" score indicating the willingness to accept a risk event at any given level of risk. Counterintuitively this model suggests that as risk levels rise, reliance on internal controls should decrease. Like fire prevention in schools, we can add value best by understanding the events and conditions that could cause losses in strategic risks with effective risk management, not effective control (e.g., fire extinguisher) management.
Let Management Protect Value
In the control-focused approach, we recognize that the level of fire risk in a school is extremely high, and its consequences unacceptable. Controls (e.g., fire extinguishers), however, would not be sufficient or appropriate. Prevention is the only effective strategy, and it requires an understanding of root cause and the ability to manage risk before the event occurs.
In many core business processes, control-focused approaches are perfectly acceptable and extremely efficient as a risk management strategy. Unfortunately, these controls draw enormous attention from auditors, and that attention is undeserved. Automating the controls can dramatically reduce audit time.
Get Into Risk
Businesses intentionally take high-stakes risks with full knowledge of the level but no willingness to accept the risk event. Examples include new product development, geographic expansion, and oil and gas exploration — particularly in frontier areas. The justification for this approach is to add value. To be acceptable, the business value for taking such a risk must exceed the expected loss. Years ago I had a client with complex business operations in remote environments around the world — all daily activity throughout these locations fed in real time into a data center in the head office. If a communication failure or breakdown occurred in the corporate data center, the results could be catastrophic. A single spare switch costing about $25,000 would have enabled quick recovery in such an event, but the IT department chose not to purchase one in order to save money. The downside dwarfed the savings, constituting a bad risk.
Internal audit has a role in reporting on the effectiveness of risk management, and standards exist for them to do so. Yet in my informal polling, few internal audit departments appear to be engaged in this activity. Remember, fire extinguishers don't prevent fires. Reporting on control effectiveness along high level/low appetite risks makes no sense.
Understand the Role of Human Behavior
In every field of human endeavor, human error accounts for at least 50 percent of failures. It's true for auto accidents, environmental incidents, aviation accidents, fires in the home, U.S Sarbanes-Oxley Act of 2002 deficiencies, cyber risks, anti-money laundering and anti-bribery violations, and every other activity I am aware of. Yet none of the internal auditors I have asked have ever reported on compliance effectiveness against an accepted set of standards for their organization.
In fact, the only two universal compliance standards, one from the International Organization for Standardization and another from Standards Australia, are proprietary and not even in the public domain. I am not aware of specific guidance from The Committee of Sponsoring Organizations of the Treadway Commission or The IIA.
It is impossible and irresponsible to ignore human behavior in risk management. It is also impossible to "control" our way to compliance. Internal auditors can examine the processes for ensuring that employees know what is important, why it's important, and how to comply. Technology is available to monitor compliance, which represents a gaping hole in comprehensive risk management. Internal audit has a role to play in providing insight and assurance.
Support Business Losses
Businesses incur losses for strategic reasons. Automobile manufacturers gain market share with warrantees. Retailers offer "no questions asked" money-back refunds. These losses don't need controls, they need analysis. If you are offering a warranty, what is the expected defect rate? How many defects per year? What's the expected cost per defect? How can the organization detect fraudulent claims? These are all questions on which internal auditors can offer assurance and insight. I know of none that do so.
Recently I ordered a blood pressure monitor from a well-known retailer. It was delivered quickly, but it didn't work. Over the course of three days, I had multiple conversations with the manufacturer, who was clearly using a control-based approach to limit claims. I called the e-retailer and within 60 seconds the company provided me with a packing slip to return the defective device and the choice of a replacement shipped for free or a refund. That's a loss-management strategy that actually adds value, and it is the reason this e-retailer has become dominant. It's a lesson to short-sighted manufacturers.
Leaving Controls Behind
The time has come for auditors to turn their attention away from control, turn over management of core business processes to professional managers, and hold them accountable. In most cases organizations have reached the limits of control effectiveness, and internal audit will not add further value by continuing to assess it. Internal auditors can best add value by advising on control design and automation. In many cases, because they are so easy to add in our computerized environment, controls are hindering the business.
But there is huge opportunity for adding value and potential to deliver urgently needed assurance advisory services in assessing and managing business risks, loss management, and compliance effectiveness. It's time for internal auditors to get out of control.