​Anticipating Surprises

Emerging and atypical risks are an opportunity for internal audit, says Jim Pelletier, vice president, Standards and Professional Knowledge, at The IIA.

Comments Views

​The 2019 North American Pulse of Internal Audit study notes internal audit's ability to identify atypical risks isn't keeping pace with the frequency of surprise risks reported by management. How can internal audit help assess these risks?

Boards most commonly turn to executive management for information on emerging and atypical risks, but it's a serious governance concern if they aren't searching for input from others, particularly their chief audit executive (CAE). This represents a clear opportunity for internal audit to position itself as the objective source of information on emerging and atypical risks.

CAEs need to carve out enough time to strategize no matter the size of their department. They need to challenge their own risk assessment practices. Are they simply a mirror for what management is willing to share, or are they providing insights beyond that feedback? They should develop a data strategy and start planning for the resources they'll need to execute it. Most importantly, they need to be effective with their limited time with the audit committee and board. This involves understanding their audience and needs; being prepared to deliver meaningful, objective information; and speaking out on difficult issues.

Why is there greater reliance on management — rather than internal audit — to identify and assess emerging and atypical risks?

CAEs still depend heavily on traditional methods for assessing risks. In fact, 88 percent rely on periodic interviews with management. This is fine as long as it is just one source among many. Yet less than half of CAEs have identified and monitor key risk indicators and only 30 percent are leveraging data analytics in this space.

Internal audit can do better. Management may not always be willing to share everything it knows in interviews. Indeed, there may be strong disincentives for it to share more than the minimum. CAEs need to identify alternative sources — both internal and external — for gathering information on risks. With that comes the need for a comprehensive strategy for collecting and analyzing this data and delivering insights and recommendations.

Click here to download the 2019 North American Pulse of Internal Audit.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Ia Online StaffIa Online Staff<p>Written by <em>Internal Auditor </em>magazine staff.</p>https://iaonline.theiia.org/authors/Pages/Ia-Online-Staff.aspx


Comment on this article

comments powered by Disqus
  • AuditBoard_Jan 2020_Premium 1
  • IIA Integrated BOY_Jan 2020_Premium 2
  • IIA GAM_Jan 2020_Premium 3