From the very beginning of our careers in internal auditing, most of us are trained to audit a handful of "core" risks. We rapidly become comfortable with traditional financial audits, regulatory compliance audits, and various common operational audits. We look at what was done in the past, and often we decide to audit the same things again in the same way – sometimes without even updating the audit plan.
Occasionally, the repetition is justified. After all, some risks are inherently worthy of internal audit coverage. But we now live in an era when risks are extremely dynamic. It is unlikely that all of last year's risks should be driving this year's audit plan. New risks surface every day, and we need to keep in mind that auditing at the speed of risk often means tackling areas where we may have little experience. Traditional, routine risks are easily identified, well known, and readily assessed; but they are not necessarily the risks that will imperil shareholder value today or tomorrow. Emerging risks, such as cybersecurity, can be more difficult to identify and assess, but that's one of the reasons they often are the risks for which internal audit focus is the most critical.
Our tendency to stick to traditional financial and compliance audits may mean that we are overlooking the most significant risks facing our organizations. As evidence, a 2014 study by CEB indicates that 86 percent of significant declines in market capitalization in the past decade were caused by strategic risks. Operational risks were a distant second at 9 percent, and legal/compliance and financial reporting risks combined accounted for only about 5 percent. By contrast, the Audit Executive Center recently reported that 57 percent of internal audit resources in North America this year are earmarked for financial, compliance, and operational audits, while only 8 percent are focused on strategic business risks. It seems glaringly obvious that, if we are truly risk-based in our approach to internal auditing, we cannot continue to focus only 8 percent of our resources where 86 percent of the risks to our organizations reside.
A sampling of "The Most Important Risks For 2015," recently published by Protiviti, provides strong evidence that our comfort zones must evolve if we are to address these risks in our internal audit plans. Some of these risks include:
- Economic conditions in current markets may not present significant growth opportunities.
- Cyberthreats could significantly disrupt core operations and/or damage the brand; privacy/identity and information security risks may not be addressed with sufficient resources.
- Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets.
- The organization's culture may not sufficiently encourage the timely identification and escalation of significant risk issues.
- Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base.
- New technologies may disrupt the organization's business model.
The CEB study noted that, at most companies, assurance functions such as internal audit "consider strategic risks to be out of their scope and instead see them as business owners' responsibility." This is a misconception that could have disastrous results. It's true that strategic risks, such as navigating a landscape of disruptive technologies, are a responsibility of senior management, but management is also responsible for handling operational, financial, and compliance risks, all of which are within our scope – and within our comfort zone. Perhaps it's time to ask ourselves why we would allow such a massive scope limitation to go unchallenged.
Other stakeholders have also expressed a desire for internal auditors to step outside their traditional comfort zones. For example, regulators in the financial services industry are starting to call for assurance regarding organizational culture, which is also on Protiviti's list. But while most of us are comfortable analyzing and reporting on statistics from ethics surveys or hotlines, the more subjective aspects of auditing organizational culture can take many auditors outside their comfort zone. Is this one of the reasons these important audits are often postponed indefinitely?
A willingness to go outside the internal audit "comfort zone" doesn't mean undertaking activities for which internal auditors are not qualified. But our professional standards state that the chief audit executive must establish risk-based plans. Ignorance about new risks is no excuse for failing to audit these risks; neither is a subconscious bias against "uncomfortable" engagements that call for subjective judgment. If the internal audit department does not have the necessary skills to carry out risk-based audit plans appropriately, the chief audit executive simply must find a way to develop or obtain the necessary skills. Perhaps this will entail calling in an outside expert (as more than 60 percent of Fortune 500 CAEs indicate they do) or ramping up the training program, but it should never entail ignoring significant risks.
As internal auditors, we should follow Edward Whitacre Jr.'s advice: "Be willing to step outside your comfort zone once in a while; take the risks in life that seem worth taking. The ride might not be as predictable if you'd just planted your feet and stayed put, but it will be a heck of a lot more interesting."