By Richard Chambers | March 4, 2019
For nearly five years, I have been urging practitioners to “audit at the speed of risk.” I first used the phrase in a July 2014 blog post that addressed the growing volatility of risk and how sticking to a traditional annual audit plan could leave audit functions addressing yesterday’s challenges.
We’ve made progress since then, but there is a long way to go.
Internal audit’s role in providing timely assurance on the effectiveness of risk management is more important than ever, as previously unknown risks quickly emerge and grow while thorny, known risks persist. That’s why it is essential for internal audit to be aligned with management and the board’s views on risks.
The 2019 North American Pulse of Internal Audit, which formally debuts next week at The IIA’s annual General Audit Management Conference in Dallas, raises important questions about the ways today’s dynamic risk universe is altering how internal audit aligns with the board. The report, Defining Alignment in a Dynamic Risk Landscape, focuses on four key risks and examines whether internal audit’s coverage is truly aligned in those areas.
The troubling news is that the report finds potential misalignment in cyber and data analytics, third-party relationships, emerging and atypical risks, and board and management activities. What’s more, it raises serious questions about whether internal audit’s insights and recommendations are getting through to boards.
For example, despite several board surveys clearly identifying cyber and IT issues as top risk priorities, internal audit plans continue to allocate more resources to traditional, lower-risk areas, such as operational, compliance/regulatory, and financial reporting.
Another challenge highlighted in the report involves the quality of information going to the board. A recent survey of board members by the National Association of Corporate Directors found that 53 percent of respondents said the quality of management reporting must improve. Yet, according to Pulse respondents, internal audit rarely reviews information provided to the board, with 6 in 10 chief audit executives (CAEs) reporting they provide such assurance only for unusual situations, or never.
The Pulse offers an intriguing observation into how the dynamics of modern risks are redefining alignment. The talented professionals who serve on our boards face myriad factors that threaten to disrupt efforts to achieve organizational goals. As boards face growing pressure from shareholders and regulators to perform their oversight roles, they are desperately seeking as much reliable information as possible to make strategic decisions related to risk. This offers a significant opportunity for the profession.
From the Pulse report:
“In today’s dynamic risk environment, CAEs must do more than simply understand and fall in line behind the board’s view on risk. This new outlook must center on assuring the board has a comprehensive and unencumbered understanding of the organization’s risk universe. This shift in perspective, while subtle, holds great significance in internal audit’s ability to provide independent assurance, add value to the organization, and elevate its stature to the level of trusted advisor.”
I don’t want to leave the impression that the Pulse findings reflect internal audit is out of touch with boards. Indeed, if anything, the report reflects CAEs’ deep understanding and concern about improving alignment in the four focus areas.
To be sure, Pulse has a long history of identifying areas where internal audit can improve and examining new areas where practitioners can add value to their organizations. The 2019 Pulse continues that tradition by providing lists of action items, resources, and key takeaways.
A frequent theme in my blog is urging practitioners to continually seek ways to improve their skills and the value internal audit provides to our organizations. Every year since 2011, Pulse has provided an important touchstone for practitioners to do just that.
Keep an out for this year’s Pulse report. It is packed with great information that will serve as fodder for much more commentary from me in the coming weeks.
As always, I look forward to your comments.
I welcome your comments via LinkedIn or Twitter (@rfchambers).