Risk, No Action” Doesn’t Justify “Risk, No Audit”

A recently released EisnerAmper report, Concerns About Risks Confronting Boards – 2015 Survey, includes an interesting warning the authors describe as “risk, no action.” The report identifies reputational risk, cybersecurity, and regulatory compliance as the top three risks driving concerns among board members. No real surprises there. But there remain troubling gaps between what board members acknowledge as risks and the actions they or management take.

For example, while identifying reputational risk as the top risk, the survey found little board knowledge about one of the biggest vulnerabilities to organizational reputation — social media. According to the survey, just 6 percent of board members feel they are well-versed in social media risk.

Similarly, there is little doubt that cybersecurity issues now have the rapt attention of most boards, yet the survey found a scant 24 percent of board members believe their boards are “well-versed” in understanding cybersecurity risks, while another 10 percent feel they are falling short of fully understanding it.

The report’s authors offer a minor concession to board members, noting, “While action may very well fall to those in the day-to-day operational roles, there seems to be little happening at the board level to encourage addressing the risks in a more comprehensive fashion.”

One would be naïve or ignorant about risk management in modern business to think every identified risk is addressed equally. The IIA’s International Standards for the Professional Practice of Internal Auditing mandates​ that risk assessments serve as the basis for the audit plan, but it is no secret that audit plans do not address every risk an organization may face.

What the EisnerAmper report highlights is subtler and, frankly, more dangerous: It is one thing for an organization to prioritize risks and make conscious decisions to delay or forego audits because of limited resources or inadequate staff expertise. It is another for boards to recognize a high-level risk and not address it comprehensively.

Another risk disconnect is highlighted in recent IIA surveys involving corporate culture. Surveys by The IIA’s Financial Services Audit Center and Audit Executive Center each uncovered significant gaps between the number of respondents who consider corporate culture an organizational risk and the number who actually audit culture.

I will be speaking more in depth about culture in March at our annual General Audit Management conference in Dallas. My keynote address, “When Culture Is the Culprit,” will examine numerous instances in which toxic corporate culture proved to be a huge risk to an organization, including Toshiba, Hertz, and FIFA.

So what options do CAEs and other internal audit leaders have in a “risk, no action” scenario?

• Maintaining strong communications is a must for any healthy relationship between internal audit and the board. Open lines of communications, both formal and informal, make it easier to spot gaps before they become problematic.
• It is imperative that board members understand the risks and the steps the organization is taking to mitigate them. In a previous blog, I identified five things the audit committee won’t tell internal audit. One of them was, “We wish you would connect the dots.” Don’t be afraid to offer overall assessments on the effectiveness of risk management or internal controls, especially if you see particular vulnerability for the organization.
• Continuous risk monitoring is increasingly the norm as traditional, annual fixed audit plans quickly become a thing of the past. The dynamics of modern business demand more nimble and flexible risk assessment and mitigation. This level of vigilance also should be applied to areas where internal audit sees the potential for growing gaps in risk coverage.

While it is ultimately up to management and the board to identify risks and risk appetites, internal audit cannot sit idly by when gaps develop in the board’s awareness or willingness to address pressing risks. “Risk, no action,” does not justify “risk, no audit.”

I welcome your comments and observations.