Since the late 1960s, social commentators have been concerned about the intensity and pace of technology-fueled change and the emerging risks this has posed to business and society. In 1970, for example, writer Alvin Toffler famously described the rapid arrival of new information and production technologies as “future shock,” which he characterized as the experience of being suddenly immersed in a completely foreign country — disorienting, dizzying, and confusing.
“By violently expanding the scope of change, and, most crucially, by accelerating its pace,” he wrote in Future Shock, “we have broken irretrievably with the past. We have cut ourselves off from the old ways of thinking, of feeling and adapting.”
Fast-forward to today and, hyperbole aside, those same fears and challenges remain. CAEs, for example, responding to the CEB's 2014 Audit Plan Hotspots survey said that the two key macro-level risks facing departments this year are the accelerating pace of change and intensifying regulatory scrutiny. One of the key drivers? IT.
The way business is now conducted — through complex interconnected networks — has made the true nature of emerging risk difficult to assess. Boards and executive management have turned to their internal audit departments to help them in this task, and CAEs increasingly are judged and valued for their ability to be more forward looking. This is forcing auditors to think, feel, and adapt differently to the emerging risk landscape.
A New Outlook
Taking a fresh perspective is not easy, especially without a clear grasp of what is required of internal audit in this area of emerging risks. PricewaterhouseCoopers’ (PwC’s) 2014 State of the Internal Audit Profession study found that 85 percent of managers surveyed expected internal audit to address the organization’s business-critical risks, including emerging risks. Only 65 percent said their audit functions did that well. More disturbingly, 81 percent of internal auditors said they were meeting those expectations, suggesting a gap in perceptions.
Michelle Hubble, a PwC partner and the report’s co-author, says the maturity of enterprise risk management (ERM) processes in many organizations has helped boards get a better understanding of who is managing emerging risk and how well they are doing so. She says this presents internal audit with a great opportunity to lead, because its primary focus is on risk and control. But, she warns CAEs to get alignment from their stakeholders before jumping into the emerging risk area.
“By alignment, I don’t mean everyone is going to have to agree on exactly what internal audit is doing, but instead, it allows for general agreement on the direction and areas of focus of the function,” she says. In other words, there must be a fundamental understanding that the chief financial officer and audit committee chair want internal audit to tackle emerging risk. Agreement on what is expected of the function provides the CAE with the support and remit to obtain the resources he or she may need.
Inevitably, some boards will want to retain focus on monitoring and control. Gerrit Sarens, associate professor in auditing and governance at the Université Catholique de Louvain in Belgium, says in those businesses, internal audit remains largely compliance-oriented. He sees them as both old fashioned and less suited to deal effectively with rapid change. “More and more, there is a shift at the board level to focus on the future and on strategic discussion,” he says, “and boards are becoming less interested in the past.”
What Sarens calls the “old audit paradigm” is becoming less relevant, and he urges internal auditors to switch attention to testing the resilience of the company to withstand risk events and to assessing its agility to adapt to a dynamic business environment. He says this way of thinking places more emphasis on emerging risk. “Strategic boards are more interested in emerging risks, and CAEs need to be able to think out of the box because the future is so uncertain,” he says. “This can require a huge shift in the mind-set of internal audit because the comfort zone for internal auditors is typically the past.”
When Pamela Jenkins arrived as vice president of audit services at Rosemont, Ill.-based US Foods, the audit function was largely doing compliance-based audits. Over the last several years, she has worked hard to align its work with the needs of the business and says she believes a more strategic view is the most effective way to understand the organization’s emerging risk areas.
“I feel strongly about the need to align internal audit with the company’s strategy,” she says. “You need to understand the risks around that strategy and ask, ‘What is going to stop us from achieving that?’”
Up-to-date knowledge of the industry you are in and the risks emerging from new business models also is vital, she says. Take Blockbuster, for example, the home movie and video rental company. It went from having 9,000 stores and 60,000 employees in 2004, to bankruptcy in 2010, because it did not move fast enough in the face of competition from newcomers such as Netflix and Redbox.
“You need to understand your business sector, otherwise your company may be completely gone in the next few years,” Jenkins says.
If working at a strategic level is important, internal audit is ideally placed to do so, says Kathy Swain, vice president of internal audit at Allstate Insurance Co. in Northbrook, Ill. “Where we can make a unique contribution on emerging risk in internal audit is in our ability to work across the entire organization and understand the strategies and goals of the business,” she says. “Where the individual outcome of a single piece of work is out of alignment with those objectives, internal audit is often first to notice.”
Achieving this perspective involves taking an exhaustively consultative approach to engage all levels of the business in dialogue. But she admits that transparency and access to what is going on in the business are constant challenges. Internal audit has to work hard to maintain good relationships with the business, while at the same time promoting the value of its independent perspective.
Even then, not every manager wants to cooperate. Swain has found that taking a highly structured approach to the audit process helps encourage management support. For example, there is a formal kick-off meeting to start the audit, and she allows sufficient time for management to feed its views back into the process before the final audit report is written. Several years ago, she also made a decision to involve subject matter experts in the task of identifying and understanding emerging risks — in part, because risks in the insurance sector can be so complex that it may be beyond the expertise of an internal audit professional.
“Good auditors pull out the facts,” she says. “But for real value, you really need business people, or someone who can take all those facts, integrate them, and come up with insight from that on an emerging risk or a strategic flaw.”
One way that businesses have been doing this is through the use of ERM processes. Larry Baker, an ERM and audit professional at Devon Energy Corp. in Oklahoma City, says internal audit facilitates — rather than owns — the ERM process at his organization. While there is a lot of work at the management level to identify and deal with emerging risk, ERM adds some extra pieces to the puzzle that might otherwise be missing, he says.
“ERM helps us look at risk more globally,” Baker explains. “It helps management and our executive team take a step back on occasion so they can think a little more broadly and strategically about risk and get out of the daily grind of making the business successful.”
In that context, he says much of the work internal audit does on emerging risk revolves around discussions. ERM provides tools, including surveys, analytic documents, and workshops, that give internal audit a platform and structure to enable those conversations. Baker says the key is to get the knowledge of what risks exist — either emerging from outside the business or from areas that may have been overlooked within it — to the right decision-makers in a credible way.
“I’ve learned there is power in getting subject-matter experts together in one room and having management help select those people,” he says. “When you get results from this process, people genuinely believe in them, they trust them, and they want to move forward.”
A more strategic and business-centered view of emerging risk has edged internal audit away from the kind of organizational and operational independence that was highly valued by the profession 10 or 15 years ago. Detractors sometimes refer to this as internal audit’s ivory tower, but those working within the profession today increasingly see this sort of independence as untenable.
“Internal audit’s position has changed, because if you are seen to be outside the business, you don’t have the influence you need to get your recommendations put into practice,” says Phil Tarling, vice president of the Internal Audit Centre of Excellence at the Chinese telecommunications multinational Huawei in the U.K. “We aim to make recommendations that provide businesses with solutions, and that is helping us to get in with management and the board. But as we get further in, we have to become more involved, which sometimes means getting our hands a little dirty and doing things that we wouldn’t have done before.”
The trade-off works for Tarling because it has made him more focused on what the business is doing across all of its operations. His department recently has been involved in looking at emerging risks related to the company’s use of foreign exchange market instruments and its marketing operations — something he says is a far cry from internal audit’s traditional focus on payroll, human resources, and treasury management.
One of the key drivers of the emerging risk identified in the CEB survey was the way organizations have become more interdependent because they use IT for the delivery of their products and services. As a result, traditional business and IT audits are beginning to merge. That has encouraged some organizations and public sectors, such as Horsham District Council in the U.K., to use data analytics software in their audit work. Peter Baker, Horsham’s principal auditor, says this helps in identifying emerging risks, particularly those that revolve around the intersection of business and IT systems between organizations in the supply chain.
“For example, one perceived risk that has emerged from this trend relates to the way that organizations authorize payments,” he says. Instead of checking payments against real signatures to show who has authorized them, most businesses now authorize the order rather than the payment itself, and they do so electronically. With systems intricately linked across businesses, or even transferring to the cloud, the risk of fraud has increased.
Data analytics turns that risk into an opportunity because it allows auditors to see who authorized every single transaction in the business and, therefore, provides greater assurance. “If you find one exception that contravenes the controls around 50,000 transactions, you have a problem,” he says, “and spotting that is likely to be impossible using traditional audit sampling methods.” Baker says the additional assurance data analytics can give derives from this deeper audit sampling. In addition, he spends less time with staff and management obtaining basic data for the audit because he can access it via his computer.
Paradoxically, in auditing for emerging risks using data analytics, Baker has come to value his traditional audit skills more. While he sees the days of the pure IT auditor coming to an end as business processes and technologies continue to merge, critical thinking and basic questioning skills are vital to identifying emerging risk in such a complex environment.
Reacting to Change
As the future continues to cascade into the present, the only thing that will remain constant is change. Internal auditors must continue to adapt their processes to identify and mitigate the emerging risks arising from this dynamic landscape. Being ready for this challenge requires not just new techniques, but an open mind, too. Internal auditors should perhaps think of the future then, not as a new country or landscape, as Toffler suggested, but more like where they stand now.