During my travels over the past five years, I have had the opportunity to speak with many audit committee chairmen of leading corporations in the United States and Europe. One of the questions I invariably posed during my conversations was: “What is your foremost expectation of internal auditing?” With amazing regularity, the response came back: “No surprises.” By “no surprises,” the chairmen (reflecting their own views and those of their fellow audit committee members) were suggesting that internal auditing should identify issues before they became a major problem for the company — and by extension — the audit committee.
At first glance, an expectation of no surprises might seem like a reasonable expectation. However, when you think about it, you realize what an extraordinary expectation that is. It suggests that internal auditors should be omnipresent — anticipating risks of every type and providing assurance that management has taken appropriate actions and/or implemented appropriate controls to mitigate the risks before they result in major consequences. If every internal audit department lived up to this utopian expectation, there would literally never be any bad news that wasn’t already known because the “caped crusaders of internal auditing” had already identified it and led to its eradication.
Is the total eradication of surprises what audit committees really expect from our profession? I seriously doubt it. Instead, I believe they are suggesting that internal auditing should be striving to identify risks that could present problems in the future, and not simply dwell on what went wrong in the past. When taken to its natural extension, this expectation would fundamentally alter the mind-set of many internal audit functions. Instead of conducting an annual risk assessment, designing a corresponding audit plan, and auditing against it for a full year, internal auditors would take a more continuous approach to assessing risks. Audit plans and coverage would be constantly evolving as “potential surprises” surfaced. Such an approach would add significant value for internal audit stakeholders — particularly in the dynamically changing environment that the current economic crisis presents.
For those internal audit functions that want to embark on a “surprise averse” strategy, I would offer three key tactics:
I am confident that many of you have your own approaches to continuously assessing and identifying emerging risks. I encourage you to share them in responding to this blog.