In speaking to an audience recently, I observed that the past year has been the most tumultuous I can ever remember when it comes to risk velocity and volatility. In the past 12 months alone, we have witnessed an awesome stream of risk-induced disruptive events including:
- Brazen cyber-attacks on infrastructure targets
- COVID-induced supply chain disruptions
- The COVID Delta Variant
- The “great resignation”
- A surge in inflation to the highest levels in 40 years
- The COVID Omicron variant
- War in Europe for the first time in 70 years
- Record fuel prices
There was a time when one of these events in a year would have been noteworthy. Now we feel fortunate to make it through a month without a risk coming to fruition that we might not have even seen coming. As internal auditors, we have a responsibility to maintain risk-centric audit plans to enable us to focus on the most significant risks facing our organizations, and to ensure our scarce resources are dedicated where they may yield the best value.
It is a truism among internal auditors that explaining what we do as a profession often leaves the uninformed confused. I recalled in a speech recently that I once explained the fundamentals of internal auditing to a doctor who immediately grasped our value to the organizations we serve.
“You guys are the thunder before the storm,” he observed.
It was a nice turn of phrase that cleverly summarized what internal auditors do. But the more I thought about it, the more I became convinced that the phrase was just a good starting point.
Indeed, internal audit findings that point to ineffective risk management, defective design or implementation of controls, or other problems that increase risk can provide an appropriate rumble of warning to stakeholders. But in a period like the past year when the storms rolled in one right after the other, by the time we heard the thunder, the storms were already overhead. We cannot simply wait until we hear the thunder; we must become more adept at monitoring and interpreting changing weather patterns well in advance of potential storms.
Expanding on the weather analogy, I often compare internal auditors to professional meteorologists. Early weather forecasters were forced to rely on crude, basic tools, such as thermometers, barometers, and hydrogen balloons. Those tools were often unable to detect the approach of massive blizzards, hurricanes, or tornadoes — and massive loss of life was a tragic consequence. In the 21st century, meteorologists rely on advanced technology, such as Doppler radar and weather satellites, to anticipate the risk of storms far beyond the visible horizon. They are able to monitor and warn of the development of an approaching hurricane days or weeks in advance, or the formation of a deadly tornado early enough to allow those in its path to seek shelter.
The variables that affect weather are as complex as the variables that affect risk and risk management. Understanding those variables and finding ways to monitor and mitigate them are what both professions strive to achieve. When I deliver lectures on the topic, I often point out that there are emerging risk indicators hiding in plain sight (macroeconomic forecasts, our companies’ strategic plans, industry trends, etc.). But I also point out the role that technology tools can play in our ability to anticipate tomorrow’s storms.
While we as internal auditors don’t have a magical Doppler radar system that detects the potential for the next COVID variant, macroeconomic calamity or geopolitical event that will ravage the business model of our companies, we do have tools such as data analytics, continuous auditing, and, increasingly, artificial intelligence that leverage technology to not only speak about the present, but to warn of perils that may lie ahead if management and boards remain complacent.
It is hard to overstate the importance of technological advancement to the profession. It has eliminated countless hours of tedious record reviews, streamlined processes, improved the accuracy of our work, and provided the time and resources to expand our scope of services to organizations. However, it is important to also realize that technology is a tool, not a turnkey solution. Today’s internal audit leaders are keenly aware of the importance technology will play in the future success of their teams. In a recent IIA survey, CAEs were asked where they would spend a hypothetical budget increase. Adding staff was naturally the top choice, but technology came in second. When asked where they would focus additional technology spending, 68% indicated data analytics and more than a third said they would also like to spend more on robotic process automation and AI.
Some actually fear these technology tools could make internal auditors obsolete. I’ve said before that I don’t see advanced technology as an existential threat to internal auditing. It is a tool that can help us zero in on problem areas and improve our efficiency. But it may never be capable of exercising the judgment and instincts that the best internal auditors bring to the table. Auditors don’t just identify when there is something wrong; they have an obligation to determine why it occurred (the root cause) and offer recommendations to mitigate the likelihood of a recurrence. Foresight is the “ability to predict or the action of predicting what will happen or be needed in the future.” As with the weather, it does little good to limit our perspectives to what happened yesterday or what is happening today; we must also speak of tomorrow.
So, does internal audit have something like a weather satellite to spot risk hurricanes or typhoons and carefully track them as they approach the organization? Not quite, but we do have a number of techniques and best practices available to us, supplementing technology tools, to elevate our perspective and take in an expanded view of risks to the organization.
- Integrated thinking and enterprise risk management offer internal auditors help from within the organization. When implemented effectively, these practices break down barriers that often mask risks or weaken mitigation efforts. Internal audit can play a significant role by providing assurance on the effectiveness of both these practices.
- Strong business acumen and expertise within the business sectors where our organizations operate enhance the internal auditor’s ability to see the secondary or tertiary effects of risk on the organization and improve our insight and foresight.
- Supportive relationships with risk managers, including chief risk officers, chief information security officers, and chief information officers, allow internal auditors to keep current on what risk managers are seeing and find where gaps in risk management may exist.
Stakeholders are increasingly turning to risk managers and internal auditors to provide warnings of emerging risks. Surveys have suggested that the effectiveness of risk management will be an area where we will increasingly be asked to offer assurance – particularly to our boards. If we are to succeed, we must constantly seek new and innovative ways to achieve a satellite view of risk. To my doctor friend, I would say “if we wait until we hear the thunder, it’s probably too late to offer enough warning or fully prepare for the approaching storm.”
As a young boy, I was fascinated with the weather, and professed that I wanted to be a meteorologist when I grew up. As I grew older, I became more pragmatic about career aspirations. However, today I see fascinating parallels between the profession I longed for and the one I pursued. Both are focusing on the future.
As always, I look forward to your comments.
I welcome your comments via LinkedIn or Twitter (@rfchambers).