During my travels over the past five years, I have had the opportunity to speak with many audit committee chairmen of leading corporations in the United States and Europe. One of the questions I invariably posed during my conversations was: "what is your foremost expectation out of internal auditing?" With amazing regularity, the response came back: "no surprises." By "no surprises," the chairmen (in reflecting the views of themselves and their fellow audit committee members) were suggesting that internal auditing should identify issues before they became a major problem for the company — and by extension — the audit committee.
At first glance, an expectation of no surprises might seem like a reasonable expectation. However, when you think about it, you realize what an extraordinary expectation that is. It suggests that internal auditors should be omnipresent — anticipating risks of every type and providing assurance that management has taken appropriate actions and/or implemented appropriate controls to mitigate the risks before they result in major consequences. If every internal audit department lived up to this utopian expectation, there would literally never be any bad news that wasn't already known because the "caped crusaders of internal auditing" had already identified it and led to its eradication.
Is the total eradication of surprises what audit committees really expect from our profession? I seriously doubt it. Instead, I believe they are suggesting that internal auditing should be striving to identify risks that could present problems in the future, and not simply dwell on what went wrong in the past. When taken to its natural extension, this expectation would fundamentally alter the mind-set of many internal audit functions. Instead of conducting an annual risk assessment, designing a corresponding audit plan, and auditing against it for a full year, internal auditors would take a more continuous approach to assessing risks. Audit plans and coverage would be constantly evolving as "potential surprises" surfaced. Such an approach would add significant value for internal audit stakeholders — particularly in the dynamically changing environment that the current economic crisis presents.
For those internal audit functions that want to embark on a "surprise averse" strategy, I would offer three key tactics:
1. Update your risk assessments and audit plans as often as possible. Continuous risk assessment doesn't have to occur daily. It also does not have to address every risk facing the company. Identify key risks as part of your annual audit plan that you will monitor on at least a monthly or quarterly basis.
2. Keep close tabs on the business. Some of the most effective continuous risk assessment strategies I have seen are relationship-based. The CAE should interact with executive management on a continuous basis to identify emerging risks that might not be apparent from his or her corner office. At the same time, the CAE's direct reports should be maintaining relationships with key business unit executives/managers throughout the company. Identification of emerging risks is much more likely to happen through informal, frequent interaction than through a formal, structured risk assessment.
3. Benchmark with your peers — particularly in your industry. A risk may not have emerged in your company. However, if it is making its way through your industry, it definitely bears watching.
I am confident that many of you have your own approaches to continuously assessing and identifying emerging risks. I encourage you to share them in responding to this blog.