
Auditing Knowledge Management

Knowledge assets’ increased value and contribution to business objectives obliges internal auditors to focus on how they’re safeguarded.


Technological advances are transforming the nature and importance of the organization’s knowledge assets — intellectual property, software, data, technological expertise, organizational know-how, and other intellectual resources. The value of the global knowledge management market was around $2 billion in 2016 and is expected to exceed $1.2 trillion by 2025, according to Zion Market Research. With that much value at stake, organizations should want to know whether their knowledge assets are safeguarded.

Knowledge assets are vulnerable to loss and can be compromised by internal and external sources. In a 2018 study from the Ponemon Institute and Kilpatrick Townsend & Stockton, 82% of respondents acknowledged that their companies very likely failed to detect a breach involving knowledge assets, up from 74% in 2016.

Often, audit of knowledge assets is limited to assessing risks, controls, and value derived from the technologies used in their processing (knowledge flow) and the digital records maintained that focus on effective document management. This is only a part of knowledge management auditing in the true sense. It does not get to the core issues of the effectiveness of their protection, how they promote business objectives, and the new opportunities they exploit.

What has been missing is a structured approach to assess the interplay between strategic and operational risks and controls in enterprisewide knowledge assets management. Unfortunately, there are no comprehensive professional guidelines to assess the adequacy of risks confronting knowledge assets, particularly living knowledge assets held by individuals. Internal auditors must adapt to the evolving risk landscape in knowledge management by reorienting their methodologies and practices to recognize the role of knowledge assets in achieving business objectives.

Look for Risk Indicators

With disruptive technologies at the forefront, knowledge management tends to be a high-risk activity for most organizations. Risks to knowledge assets are any loss that may decrease the potential to effectively pursue an organization’s business objectives. Key risk indicators in a typical knowledge-based organization include uncertainties about critical knowledge needs, potential business opportunities lost in their absence, and their impact on business objectives. Other indicators may be process related, such as multiple repositories of information in IT-based systems such as an intranet, collaboration platform, or emails that are not integrated. These indicators can lead to wasted resources and inefficiencies and weaknesses in access restrictions to intellectual property.

Attrition is a common risk involving significant replacement costs that can destabilize even the most successful and steady organizations. It is estimated that the average cost of turnover is 1.5 times the annual salary of the job. Internal auditors also should be vigilant about risks specific to tacit knowledge assets management, which include a high tacit-to-explicit knowledge ratio, high staff turnover, a high percentage of core knowledge held by people nearing retirement, and high market demand for key personnel. It is likely in such cases that these assets will be lost.

Assess Strategic Risks

Explicit and Tacit Knowledge Comparison

There are two types of knowledge defined in business. The first, explicit knowledge, is easy to codify, store, and share. It includes textbooks, journals, white papers, patents, literature, audio-visual media, software, and database access. The second, tacit knowledge, comes from personal experience and is not easily replicable or transferrable, such as know-how, methodologies, training algorithms, and professional skepticism.

Within tacit knowledge, there are two dimensions: technical and cognitive. The highly subjective and personal insights, intuitions, and inspirations derived from an individual’s experience fall under the first category. The second category consists of beliefs, perceptions, values, and emotions ingrained in individuals over years.

Some argue that tacit knowledge accounts for about 80% to 90% of the knowledge held in a typical organization. Knowledge assets are created at the intersection of, and interaction between, explicit and tacit knowledge.

Strategy-related risks in knowledge management typically include the absence of, or a weak, knowledge management strategy; lack of involvement from senior management in knowledge management activities; and lack of alignment between key processes and knowledge assets in place.

If knowledge is a key driver for the business or is one of the main products of the business entity audited, such as a consulting firm or an educational institute, internal auditors should ask:

  • What is the critical knowledge at risk and who determines it?
  • What are the core activities?
  • How does information flow through those activities?
  • Is there a knowledge management strategy?

Next, internal auditors should remap the business’ critical processes to identify what information is needed to run them. If these needs are not being met, they should determine who needs the missing knowledge. Practitioners should review the enterprisewide risk register to assess whether knowledge management-related risks are recognized, paying attention to the risks of loss of knowledge when core capabilities are outsourced. The instances of high staff turnover and poor knowledge retention among outsourced providers could hamper service quality, involving potential legal risks.

A robust knowledge management strategy should focus on capturing knowledge assets that are critical to success and that underpin performance to create growth and a competitive advantage. Are there sound human resources policies and succession planning strategies for mentor and peer support before, during, and after key staff with the best situational awareness leave the organization? Are there processes to capture results of lessons-learned exercises, particularly with lawyers, consultants, and accountants’ knowledge and experience that is incorporated into organizational knowledge and change processes? The knowledge lost in such cases could be costly to replace and may require intensive corrective training or retraining.

In public sector audits, practitioners should pay attention to the procedures followed for valuation of investments in knowledge assets used to support the provision of public services such as water, transportation, and healthcare. There may not be well-defined standards and methodologies for estimating the social, economic, and financial value derived from the assets as they don’t have market-determined equity value.

Assess Operational Risks

Employees spend almost one-fourth of their time searching for information, according to a survey from The Economist Intelligence Unit. Unclear data definitions, ineffective data governance, and poor search engine performance lead to barriers requiring analysts and developers to resolve them. The root cause of most operational risks in managing knowledge assets is lack of alignment between the strategy and the processes built around it.

To start, internal auditors should review the accuracy and reliability of the knowledge assets inventory and the core processes they support, and the responsibilities of the people who manage them. The review results will help identify weaknesses in data governance — such as data silos where data is divided across various databases and divisions accentuating memory loss and poor internal coordination of information. The starting point for the review is identifying and using performance criteria for key activities approved by management. While doing so, internal auditors must be able to determine how the key activities are aligned with key stages of knowledge management in the organization, such as needs identification; acquisition; storage, retrieval, and dissemination; archiving; and performance management. If they do not align, that is a strong indicator that these assets are not generating a tangible return.

Intellectual property in the form of formulae, practices, processes, designs, instruments, patterns, commercial methods, or compilations of information can be lost or compromised by internal or external sources. Internal auditors should assess whether the owners of the intellectual property assets have appropriate controls to prevent cyberattacks that could lead to infringements and inappropriate access.

Internal Audit's Strategy

Auditing knowledge assets requires specific strategies and skills. Each organization’s knowledge needs are unique. As internal audit leaders prepare their audit plans beyond 2020, they should have a multipronged strategy to audit their clients’ knowledge assets from a value-for-money perspective:

  • Retain the best internal audit talent through valuing and investing in the tacit knowledge asset held in the internal audit function.

  • Develop and maintain a risk-based audit universe of clients’ business operations with significant investments in knowledge assets. This should provide a basis for identifying areas of audit engagement related to knowledge management.

  • Identify and map the knowledge held in the audit department to capture and use the tacit knowledge held, particularly related to complex audit engagements. This information could be used to develop an appropriate knowledge management strategy and system to facilitate collaboration within the audit team.

  • Empower audit teams to recognize the strategic importance of knowledge assets to the business. This will allow them to provide assurance on legal, commercial, technical, social, and financial aspects of the knowledge assets and the relevant risk indicators. For example, develop a bank of risk indicators — quantitative and qualitative — for assessing the processes used in tacit knowledge assets management.

  • Review the adequacy of audit programs used for knowledge management audits. Strengthen them by focusing on strategic and operational aspects of the processes in place to highlight risks of inefficient use of knowledge assets.

  • Focus on the value-for-money aspect of the engagement. Do not get distracted by the technologies and processes used to manage knowledge assets, particularly in engagements involving significant investments in them.

Closing the Gap

The five most valuable companies in the world report just £172 billion ($223.2 billion) of tangible assets on their balance sheets, though their total worth is £3.5 trillion ($454.2 billion). Almost all of their value is in the form of intangible assets, including intellectual property, data, and other knowledge assets, according to a 2018 budget report from Her Majesty’s Treasury in the U.K. Despite their critical role in business performance, knowledge assets are not traditionally audited with a focus on how organizations safeguard them to retain their competitive position and how they contribute to business performance. As key partners in the assurance process, internal auditors can take a strategic approach to bridge this gap and maximize its influence.

Israel Sadu

About the Author

 

 

Israel Sadu, PHD, CIA, CRMA, CISA, is resident auditor with an international organization in Geneva.

https://iaonline.theiia.org/authors/Pages/Israel-Sadu.aspx

 
