The great French military and political leader, Charles de Gaulle, is said to have observed that “generals are always fighting the last war.” The reasoning behind this often-used quote is that military threats are always changing and evolving, and there is a temptation to assume that the next threat will look just like the last one. My fear is that internal auditors are tempted to fall into this trap. However, focusing audit coverage on “yesterday’s risks” can result in being ill-prepared when new calamities appear.
In the late 1990s, the corporate sector became enamored with the “value-added” concept of measuring the worth of corporate functions. Rather than defend their traditional value propositions, many internal audit activities sought to redefine themselves as consultants and business partners. In the meantime, corporate financial fraud was festering in many of the largest and most prestigious companies in the world. Following the implosion of Enron, WorldCom, Parmalat, and others, we quickly re-equipped ourselves at the behest of our stakeholders to focus extensively on financial risks. In some cases, corporate internal audit activities became so immersed in their new roles that all they did was consulting in the late ’90s and Sarbanes-Oxley support in the mid-2000s. As a result, many internal auditors were totally unprepared for the next “big risk” that their organizations faced.
Later in the decade, as we were sitting back congratulating ourselves on having helped our organizations navigate new financial regulatory requirements, spectacular risk management failures were about to be exposed in many of the largest companies in the world. Some have observed with interest that no one has asked, “Where were the internal auditors?” Others have observed cynically that internal auditors are notoriously focused on yesterday’s risks, and that no one seriously expects them to help prevent the type of calamities we have witnessed in the past decade. My instincts are to be offended by such dismissive comments; however, I understand that even the perception that we are focusing on yesterday’s risks should be a wake-up call for the profession.
The common thread in the missed opportunities of the past decade appears to be our reluctance to truly formulate and execute risk-based internal audit plans. The IIA's International Standard 2010: Planning clearly spells out the requirement. Yet, I have talked with many chief audit executives in recent years who still subscribe to “carve out” or “cyclical audit” philosophies. In each case, all or part of the annual plan is dedicated to preordained areas, regardless of risks.
It is also disturbing to note the lack of internal audit activities that provide any assurance on the effectiveness of their company’s risk management. International Standard 2120: Risk Management mandates that internal auditing “evaluate the effectiveness and contribute to the improvement of risk management processes.” One could only wonder if some of the recent risk management failures could have been mitigated if corporate internal audit activities had correctly prioritized and been given the latitude to assess and report on risk management practices.
Going forward, we have another opportunity as a profession to assert our value as an independent, objective source of assurance about the real risks facing our organizations. This will necessitate some education of key stakeholders on the value we can bring. Many will be skeptical. Yet, I am confident that we can muster the talent and capabilities to deliver. If we don’t, we are destined to continue providing audit coverage of “yesterday’s risks.”