It is a truism among internal auditors that explaining what we do as a profession often leaves the uninformed confused. So, it was a pleasant surprise for me when I recently explained the fundamentals of internal auditing to a doctor who immediately grasped its value to the organization.
"You guys are the thunder before the storm," he observed.
A nice turn of phrase that cleverly surmises what internal auditors do. But the more I thought about it, the more I became convinced that the phrase is just a good starting point.
Indeed, internal audit findings that point to ineffective risk management, defective design or implementation of controls, or other problems that increase risk can provide an appropriate rumble of warning to stakeholders. But modern internal auditors who want to provide foresight must use more sophisticated tools than simply relying on their eyes and ears.
Expanding on the weather analogy, internal auditors are often like professional meteorologists. Early weather forecasters were forced to rely on crude, basic tools, such as thermometers, barometers, and hydrogen balloons. Those tools were often unable to detect the approach of massive blizzards, hurricanes, or tornadoes — and massive loss of life was a tragic consequence. In the 21st century, meteorologists rely on advanced technology, such as Doppler radar and weather satellites, to anticipate the risk of storms far beyond the visible horizon. They are able to monitor and warn of the development of an approaching hurricane days or weeks in advance, or the formation of a deadly tornado early enough to allow those in its path to seek shelter.
The variables that affect weather are as complex as the variables that affect risk and risk management. Understanding those variables and finding ways to monitor and mitigate them are what both professions strive to achieve.
While internal auditors don't have a magical Doppler radar system that detects the potential of a massive fraud, poor compliance, or ineffective cybersecurity protocols, we do have tools such as data analytics, continuous auditing, and, increasingly, artificial intelligence that leverage technology to not only speak about the present, but to warn of perils that may lie ahead if management and boards remain complacent.
It is hard to overstate the importance of technological advancement to the profession. It has eliminated countless hours of tedious record reviews, streamlined processes, improved the accuracy of our work, and provided the time and resources to expand our scope of services to organizations. However, it is important to also realize that technology is a tool, not a turnkey solution. A 2016 U.S. White House report, Preparing for the Future of Artificial Intelligence, cites data that suggests that the most effective use of artificial intelligence is in combination with human intelligence.
Some worry that an over reliance on technology might hurt or obscure internal audit's value to the organization. I've said before that I don't see advanced technology as an existential threat to internal auditing. It is a tool that can help us zero in on problem areas and improve our efficiency. But it may never be capable of exercising the judgment and instincts that the best internal auditors bring to the table. Auditors don't just identify when there is something wrong; they have an obligation to determine why it occurred (the root cause) and offer recommendations to mitigate the likelihood of a recurrence. Foresight is defined as "the ability to predict or the action of predicting what will happen or be needed in the future." As with the weather, it does little good to limit our perspectives to what happened yesterday or what is happening today; we must also speak of tomorrow.
So, does internal audit have something like a weather satellite to spot risk hurricanes or typhoons and carefully track them as they approach the organization? Not quite, but we do have a number of techniques and best practices available to us, supplementing technology tools, to elevate our perspective and take in an expanded view of risks to the organization.
- Integrated thinking and enterprise risk management offer internal auditors help from within the organization. When implemented effectively, these practices break down barriers that often mask risks or weaken mitigation efforts. Internal audit can play a significant role by providing assurance on the effectiveness of both these practices.
- Strong business acumen and expertise within the business sectors where our organizations operate enhance the internal auditor's ability to see the secondary or tertiary effects of risk on the organization and improve our insight and foresight.
- Supportive relationships with risk managers, including chief risk officers, chief information security officers, and chief information officers, allow internal auditors to keep current on what risk managers are seeing and find where gaps in risk management may exist.
Stakeholders are increasingly turning to internal audit to provide warnings of emerging risks far beyond the horizon. Recent surveys suggest risk management strategy will be the next area where we will be asked to offer that glimpse beyond the vanishing point. If we are to succeed, we must constantly seek new and innovative ways to achieve a satellite view of risk.
As a young boy, I was fascinated with the weather, and professed that I wanted to be a meteorologist when I grew up. As I grew older, I became more pragmatic about career aspirations. However, today I see fascinating parallels between the profession I longed for and the one I pursued. Both are focusing on the future.
As always, I look forward to your comments.