In an age where extreme weather events, rapid technological change, and geopolitical turmoil are becoming more frequent — and in some cases, more catastrophic — organizations are increasingly having to react more quickly to high-impact events. Business interruption to companies' physical assets and supply chains caused by climate change, for example, can cripple production schedules. Risks that may have been categorized as unlikely but with a high impact — such as Brexit — can suddenly leap to the top of an organization's risk register overnight. Newly emerging risks that seemed nearly impossible, like the U.S.–China trade war, can result in priorities that have been mainstays of boardroom agendas for years being knocked off the critical list. Moreover, disruptive technological and other advancements may require organizations to pivot on short notice to either leverage new capabilities or manage new threats.
The message is clear: Risk planning needs to be more immediate and short-term — what may have been considered a priority risk three months ago may not look as bad on reflection. And as boardroom focus moves with changing, often disruptive circumstances, internal audit has to become more agile too.
Shorter Time Horizons
Phil Tarling, an internal audit consultant based in the U.K. and former chairman of The IIA's Global Board of Directors, believes that it is becoming increasingly common for chief audit executives (CAEs) in several industry sectors — particularly manufacturing, high-tech, and pharmaceuticals — to use six-month, or even three-month, audit plans. "Given the speed at which the nature of risk is changing, it is without doubt that some organizations' audit plans are focusing on only the next three to six months," Tarling says. "Manufacturers that use 'just-in-time' management, for example, will require internal audit to have a very flexible audit plan and approach, particularly in light of the uncertainty surrounding Brexit and the possibility of a 'no deal' scenario, as well as the U.S. trade war with China, which may impact sourcing."
Short-term planning has many advantages. For example, Tarling suggests that CAEs who use shorter term audit plans will be more capable of refocusing their efforts and resources than those organizations that have annual audit plans.
"CAEs who plan their work for three months at a time will know that they need to keep a tight control of their budgets and workload so that they have enough in reserve to adapt quickly to the needs of the business," Tarling says. "CAEs that use annual audit plans tend to allocate most of their budgets and resources up front, which leaves less capability for slippage or for change. That is no longer tenable for organizations that are more exposed to political and economic risks."
As a result, internal audit needs to be increasingly flexible in its planning, Tarling says, stressing that CAEs must build contingencies into their audit planning and budgeting to allow for swift changes in focus and resources. He adds that internal audit must be capable of reacting quickly to new business needs, and they need to proactively identify emerging risks or other priorities that may require greater focus and management oversight. "The function needs to be as flexible and agile as possible," he says.
The End of Annual Plans
Similarly, John Chesshire, chief assurance officer for the States of Guernsey, an island that is part of Britain and located in the English Channel, says the annual audit plan is becoming obsolete. "I dispensed with this formulaic approach a number of years ago and, like a growing number of CAEs, I now plan my team's mix of assurance, advisory, and other engagements on a much less rigid basis," Chesshire explains. He used to invest a great deal of time in annual planning, though often within weeks the plan would shift because of new priorities such as a local crisis or other sudden changes. Eventually he saw the relevance of an annual plan diminish and fade.
Quarterly planning offers several benefits for CAEs — particularly for those with small audit teams, Chesshire says. "With a more flexible approach we can be much more responsive to the changing risk landscape and ensure we add maximum impact at the right moment in our organization," he explains. "This is key when we may only realistically get one shot at an engagement on a particular high trajectory risk or issue."
Chesshire adds that his key stakeholders appreciate the approach, too. They see that it enables internal audit to add value by delivering services at the right time, precisely when they're needed. Plus, he says, it's fostered internal audit's credibility over the years and helped enhance stakeholders' trust in the audit function.
But Chesshire points out that his audit team doesn't just focus on "quick wins" or tactical tasks. "I seek to map every engagement back to our assurance universe and the risk-based subjects it contains," he says. "That way, I can demonstrate that a more responsive, agile service does not mean one that ignores the bigger picture or our core activities or gets pulled away from particular areas of risk by whoever shouts loudest."
While some industry sectors and particular types of organizations will be more exposed to changing risk priorities than others, internal audit functions everywhere will need to be able to demonstrate that they can react to changing circumstances and deliver assurance on newly prioritized risks quickly. CAEs need to be agile leaders — long-term, 12-month audit plans may well prevent them from achieving that.