Ours is a dynamic profession. Just as internal auditors move from one engagement to the next, the entire profession continually evolves to meet new challenges. A half-century ago, the vast majority of internal audits were financial. But in the 1970s and ‘80s, a new trend developed. Operational auditing became a hot topic at conferences and seminars. Thought leaders such as pioneer Larry Sawyer pointed out that internal audit can function as “the eyes and ears of management,” and audit executives throughout the world slashed borderline financial audits from their plans in favor of operational auditing.
By the beginning of the 21st Century, internal audit functions had ventured beyond operational auditing to offer a wealth of new services. Consulting engagements became the Next Big Thing. A few internal audit executives even stopped providing assurance services – that is, until the collapse of Enron, WorldCom, and other financial giants.
With those corporate implosions, the swing of the pendulum abruptly reversed. Almost overnight, financial controls again became the primary focus of internal auditors. Changes in laws, regulations, and stock exchange listing requirements brought new expectations regarding financial controls, and quite a few audit executives stated they simply did not have the time or resources to address non-financial issues.
That is, not until a barrage of widely publicized cyberattacks rocked the business world.
Why the history lesson? As Winston Churchill pointed out, those who fail to learn from history are condemned to repeat it. It’s important to pay attention to risk trends in the news. But we must never forget that every organization is unique, and there are times when the “trendy” risks that everyone is talking about may not be the risk that should concern us the most. Sooner or later, the pendulum will swing again, and the velocity of risk is increasing.
The pendulum has swung away from financial auditing. According to IIA-UK & Ireland’s new publication, Risk in Focus 2020: Hot Topics for Internal Auditors, the top three risks currently facing businesses and other organizations in nine European countries are cybersecurity (78%), regulatory change (59%) and digitization (58%).
Financial risks did not appear until sixth place on the list. But many audit executives believe that financial risk is once again becoming a leading concern. Maybe that difference of opinion is a very good thing. Maybe the difference of opinion is because their risks are different.
Obviously, we need to pay close attention to the top three risk categories mentioned in the IIA-UK & Ireland’s report. They are massively important. But we cannot afford to have tunnel vision. Although the “top three” risks are undeniably high, corporate meltdowns at FTSE-100 firms such as BAE Systems, Barclays, BP, GlaxoSmithKline, HBOS, Kazakhmys, HSBC, and Royal Bank of Scotland demonstrate that we all face unique risks — and that those risks are changing rapidly.
If you think annual risk assessments will get the job done, you’re probably wrong. And if you think all significant types of risk are included in your risk universe, you might be wrong about that, too. It’s time to look again.
You already know your risks are changing.
It’s not just the risks that were problem areas last year.
Not just the risks that made headlines this year.
Not just the risks that scored highest in surveys.
Not just downside risks.
Not just internal risks.
And not just the types of risk that the internal audit department has the most experience tackling.
It’s a challenging job. It can be challenging even to ensure that we have a shared understanding with our stakeholders about risk. Just-released research by IIA-Global, OnRisk 2020: A Guide to Understanding, Aligning, and Optimizing Risk, found that boards are overconfident in their perceptions on risk, consistently viewing the organization’s capabilities as greater than executive management does. For every type of key risk studied, according to the study, board members rated their organization’s capability for managing the risk higher than executive management did.
That’s a serious misalignment, and it’s one we can’t afford to ignore. The report suggests boards may be failing to critically question information brought to them by executive management, either due to a lack of information being brought forth or from limitations in their own abilities to understand and evaluate new and emerging risks. It also suggests that executive management may not be fully transparent with their boards about risks and their own reservations about their organizations’ ability to manage them. This is where internal audit can come in.
I hope that all internal auditors will read the two new research reports about risks in 2020. And I hope that all of us will continue to keep a sharp eye out for new and emerging risks. Our risks are changing faster than ever before, and the Next Big Thing in internal auditing is probably just around the corner.
This article was originally published by Audit and Risk – The Magazine of the Chartered Institute of Internal Auditors (Issue 50: November/December 2019)