For those of you who have joined me on the traveling circus/carnival/shell game that is this blog, you will have noted an off-again, on-again series of posts related to risks. The conceit within that series was that, even though we are in a new decade, the prior decade included events, experiences, and situations which should have caught internal audit's attention, but didn't seem to permanently stick on our radar.
Big things we should not have let slide.
But I further contended that it was not too late. The issues are still out there, they are worth our attention, and they are worth including in risk assessments we do for the rest of this decade.
The first post was titled
"The Top Five Events of the Decade That Should Have Impacted Internal Audit" and dealt with reputation/crisis management. This was followed by posts regarding
the gig economy,
bots/robotic process automation/artificial intelligence,
diversity, and #metoo.
Since we have a roomful of eagle-eyed auditors assiduously analyzing every detail, I'm sure it did not slip anyone's notice that seven topics are listed rather than five. Also, the title under which this document is stored is "10 Events." (There's just something about a 10-item list. I blame Dave Letterman.)
Five. Seven. Ten. There is nothing magical about any of these numbers. Nor do the seven items I chose represent the end-all and be-all of great audit risks. (Though there are a few that deserve such attention.) My original, brain-stormed list included many more than 10 items, events such as the false missile warning in Hawaii, political division and derision, the opioid crisis, fake news, Brexit, VW falsifying test results, the Wells Fargo debacle, Samsung phones catching on fire … you get the idea.
Each and every one of these (and all the others I had on my list) were situations where internal audit should have and still could be analyzing the underlying issues and risks toward helping their organizations avoid the potential pitfalls.
Now, had I completed this project soon after I envisioned it — if my procrastination and a pandemic had not interrupted the flow (and my guess is we all can say this about any project this year) — the choice of topics and contents therein might have been seen as prescient. Instead, the timing now seems a bit bandwagonish. But they are nice wagons on which to ride. And, trust me, I had them on the list before everything we thought we knew changed.
Good news. Anyone can seem Nostradamus-like. I did not do anything special to come up with these topics. I just watched what was happening in the world and translated that into why organizations in general and internal audit specifically should care.
So here we are, almost 15,000 words spewed into the blogosphere as we come to the end of the series. And I believe important issues have been discussed. But if you take only one thing away from all this verbiage, from all this loquacity, from all this blather, here it is.
Pay attention. Look for why events occur. Translate that into potential risks and opportunities that the organization should have on its radar. And then make it part of your assessment to ensure the organization has taken the proper steps. You might seem the soothsayer (telling the sooth, the whole sooth, and nothing but the sooth,) but you will be doing the most important thing any internal auditor can do: pointing out potential disasters in time for the organization to adequately respond.