Last week, I was privileged to address IIA–Sweden and then the internal audit team of a Stockholm-based bank. The continuing theme was that we need to focus our limited resources on the risks that matter. I was asked this interesting question: Are all risks auditable?
The question was asked after I had described some of the risks that we had identified at some of my companies, such as competitor risk at Business Objects (a software company, since acquired by SAP). How can an internal audit engagement add value by "auditing" such a risk?
The answer I gave is that we don't really "audit" the risk. We are not in the business of second-guessing management decisions.
We are in the business of assessing the controls that are relied on by management to manage the area of risk, including related management decisions and actions. We do that by:
- Understanding the risk area and its related processes.
- Identifying the controls and such that management is relying on to provide reasonable assurance that the risk is maintained at desired levels.
- Assessing the design of those controls.
- Testing and assessing the operation of those controls.
- Providing management and the board with our assessment of management's capability to manage the risk.
The following questions about decision-making may help:
- Are the right people making the decisions?
- Do they have all the information they need to make informed, intelligent decisions?
- Is that information reliable, current, and timely?
- Have they consulted all relevant parties, including all those who might be affected by the decision?
- Do they have an appropriate understanding of risk levels and the effect their decision would have on risk levels?
- Do they have an appropriate understanding of the risk levels acceptable, even desired, by more senior management and the board?
- Is there reasonable assurance that actions will be taken that are necessary to support the decision?
These and similar questions can be used to assess the processes by which risks that matter are identified, assessed and evaluated, and treated.
For example, when we considered competitor risk at Business Objects, I looked at:
- Who was monitoring competitor risk in all its forms (e.g., changes in their pricing model or in marketing; whether major companies like IBM were acquiring our competitors)?
- Are they the right people, with the necessary contacts and network — intelligence if you like — to monitor and assess competitor risk for all relevant competitors?
- Is their information reliable, current, and timely?
- Are they working with everybody required to address changes in the competitor list?
In World-Class Internal Audit: Tales From My Journey, I mentioned how I had conducted an audit of creativity and ideas (for marketing) at the Tosco Marketing Co. I considered the processes and related controls over:
- Who was responsible for identifying new ideas that could be used in marketing?
- Was there an appropriate process for encouraging and soliciting these ideas?
- Were all employees motivated to participate?
- Was there an appropriate, unbiased process for evaluating all ideas?
In this way, I was able to assess the system of internal controls relied on by management to deliver useful ideas that could be used in marketing initiatives, delivering revenue to our convenience stores and gas stations.
I believe we can make a contribution in this manner, assessing the controls relied on to manage such nontraditional areas of risk.