​​Internal Auditors Need Foresight to Provide Foresight​​

Comments Views

I frequently observe that the internal audit profession is on a journey — from hindsight to insight to foresight. Following its origins more than a century ago, internal audit focused primarily on hindsight. Our predecessors assessed what happened the week, month, or even year before. They provided assurance of the effectiveness of (primary financial) controls from the past.

Eventually, the profession began to focus too on the "here and now," providing assurance on the effectiveness of (often operational) controls in the present. This assurance, coupled with internal auditors' perspective on risks facing their organizations, provided valuable insight for management and the board.

Then, increasingly, internal auditors began to also provide foresight — a service upon which the future of the profession may well depend.

Many internal auditors shy from foresight because, frankly, they do not understand what it means in the context of an audit, or how to provide it. For many, it sounds like we are being asked to use a crystal ball to predict the future with no real basis other than our instincts or hunches.

But that is simply not what foresight is all about. Foresight is defined as "the ability to predict or the action of predicting what will happen or be needed in the future." Synonyms include "planning, vision, anticipation, prudence, readiness, and preparedness." So, foresight isn't about simply making predictions. It's about helping our organizations prepare for the future.

I first raised the imperative to provide foresight in a 2015 blog. In making the case for foresight, I observed that:

For internal auditors, foresight is the ability to contemplate key risks and challenges that our organizations could conceivably face, so that we can share those perspectives with management and the board. This way, we help our clients prepare for challenges or opportunities before they materialize. Foresight enables us to warn of pending disasters that may befall our organizations in the event management is ignoring strategic or business risks. For example, foresight might have saved Kodak, Blockbuster, or Lehman Brothers. Of course, management might choose to ignore the foresight that internal auditors provide. But at least the flag will have been waved.

Since 2015, the imperative to provide foresight has become more urgent. Our stakeholders are clamoring for timelier, more relevant perspectives focused on the real risks to our organizations. Hindsight and insight simply do not capture their attention like foresight.

In lectures around the world, I liken internal auditors' delivery of information/perspectives to that of a television weather report. We first get a recap of yesterday's weather (high and low temperatures, precipitation, etc). That is hindsight, and we generally pay little attention because we likely observed it for ourselves. Next comes current conditions (insight) — something we can often figure out on our own simply by looking out the window. Finally, we get the forecast and the weather has our full attention. Internal audit's stakeholders often respond in a similar manner when we provide hindsight and insight. This information may not be breaking news for them. In fact, second line of defense functions may have already conveyed the same perspectives.

Our colleagues at ACL published a blog by Dani​el A. Clark some time back that outlined a five-step plan for providing greater foresight:

Step 1: Gain or refine your ability to provide insight. By understanding the nature of things, one begins to more fully comprehend the predictable aspects of behavior. If you don't have insight today, create a work group that can help you obtain the knowledge you seek through their own experiences. This will cut your own learning time in half and you will be ready much sooner to move toward the future.

Step 2: Understand the changing environment. There are indicators in the environment that provide a roadmap of possibilities, and your insight will narrow those possibilities down into probabilities. Always remember that the environment includes your team, your company, your geography, your industry, and your planet. Global events do impact even small regional or community banks, for example. Don't sell yourself short by forgetting about those items.

Step 3: Use of data analytics is the key! Migrate to data-driven auditing as fast as you can. Teach yourself and your team the ins and outs of analysis, data interpretation, and data management.

Step 4: Know what your business partner's strategic decisions are and on what they are based. This will provide you a general geography, if you will, of where you will be able to go in your discussions with them. Linking your foresight to their strategy will resound in a meaningful manner, and they will objectively listen to your suggestions.

Step 5: Finally, take a stand. Make a decision based on the information you have obtained. You can determine, with a good degree of predictability, what probably will occur tomorrow if some things do not happen today. Communication of your conviction will be the difficult part, as many managers do not like to decide on things without concrete evidence that it has happened.

Internal auditors should provide foresight for selfish reasons, as well. Our future prosperity or even survival may well depend on the inclusion of foresight in internal audit's menu of services.

I often observe that artificial intelligence is ideally suited to the provision of hindsight. It is conceivable that "machines" will be able to provide insight, too. However, foresight requires more human judgment, which I believe will prove more difficult for artificial intelligence to replicate. So, quite ironically, internal auditors should have the foresight (readiness and preparedness) to provide foresight in their organizations.​

I welciome your thoughts as always.

The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.

 

 

Comment on this blog post

comments powered by Disqus
  • ITACS_Dec1_Dec15_A_Dec2017_Blog1
  • PwC RPA_Dec2017_Blog2_Cx
  • IIA CIA_LS_Dec2017_Blog3