logo-newlogo-newlogo-newlogo-new
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books
✕
  • Home
  • Chambers on Internal Audit
  • Uncategorized
  • To Audit Emerging Risks, We May Have to Leave Our Comfort Zone

To Audit Emerging Risks, We May Have to Leave Our Comfort Zone

When Culture Is the Culprit: Lessons From Toshiba, Hertz, and FIFA
August 24, 2015
5 Reasons Internal Auditing Never Gets Old
September 8, 2015
August 31, 2015

From the very beginning of our careers in internal auditing, most of us are trained to audit a handful of “core” risks. We rapidly become comfortable with traditional financial audits, regulatory compliance audits, and various common operational audits. We look at what was done in the past, and often we decide to audit the same things again in the same way – sometimes without even updating the audit plan.

Occasionally, the repetition is justified. After all, some risks are inherently worthy of internal audit coverage. But we now live in an era when risks are extremely dynamic. It is unlikely that all of last year’s risks should be driving this year’s audit plan. New risks surface every day, and we need to keep in mind that auditing at the speed of risk often means tackling areas where we may have little experience. Traditional, routine risks are easily identified, well known, and readily assessed; but they are not necessarily the risks that will imperil shareholder value today or tomorrow. Emerging risks, such as cybersecurity, can be more difficult to identify and assess, but that’s one of the reasons they often are the risks for which internal audit focus is the most critical.

Our tendency to stick to traditional financial and compliance audits may mean that we are overlooking the most significant risks facing our organizations. As evidence, a 2014 study by CEB indicates that 86 percent of significant declines in market capitalization in the past decade were caused by strategic risks. Operational risks were a distant second at 9 percent, and legal/compliance and financial reporting risks combined accounted for only about 5 percent. By contrast, the Audit Executive Center recently reported that 57 percent of internal audit resources in North America this year are earmarked for financial, compliance, and operational audits, while only 8 percent are focused on strategic business risks. It seems glaringly obvious that, if we are truly risk-based in our approach to internal auditing, we cannot continue to focus only 8 percent of our resources where 86 percent of the risks to our organizations reside.

A sampling of “The Most Important Risks For 2015,” recently published by Protiviti, provides strong evidence that our comfort zones must evolve if we are to address them in our internal audit plans. Some of these risks include:

  • Economic conditions in current markets may not present significant growth opportunities.
  • Cyberthreats could significantly disrupt core operations and/or damage the brand; privacy/identity and information security risks may not be addressed with sufficient resources.
  • Succession challenges and the ability to attract and retain top talent may constrain efforts to achieve operational targets.
  • The organization’s culture may not sufficiently encourage the timely identification and escalation of significant risk issues.
  • Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in the existing customer base.
  • New technologies may disrupt the organization’s business model.

The CEB study noted that, at most companies, assurance functions such as internal audit “consider strategic risks to be out of their scope and instead see them as business owners’ responsibility.” This is a misconception that could have disastrous results. It’s true that strategic risks, such as navigating a landscape of disruptive technologies, are a responsibility of senior management, but management is also responsible for handling operational, financial, and compliance risks, all of which are within our scope – and within our comfort zone. Perhaps it’s time to ask ourselves why we would allow such a massive scope limitation to go unchallenged.

Other stakeholders have also expressed a desire for internal auditors to step outside their traditional comfort zones. For example, regulators in the financial services industry are starting to call for assurance regarding organizational culture, which is also on Protiviti’s list. But while most of us are comfortable analyzing and reporting on statistics from ethics surveys or hotlines, the more subjective aspects of auditing organizational culture can take many auditors outside their comfort zone. Is this one of the reasons these important audits are often postponed indefinitely?

A willingness to go outside the internal audit “comfort zone” doesn’t mean undertaking activities for which internal auditors are not qualified. But our professional standards state that the chief audit executive must establish risk-based plans. Ignorance about new risks is no excuse for failing to audit these risks; neither is a subconscious bias against “uncomfortable” engagements that call for subjective judgment. If the internal audit department does not have the necessary skills to carry out risk-based audit plans appropriately, the chief audit executive simply must find a way to develop or obtain the necessary skills. Perhaps, this will entail calling in an outside expert (as more than 60 percent of Fortune 500 CAEs indicate they do) or ramping up the training program, but it should never entail ignoring significant risks.

As internal auditors, we should follow Edward Whitacre Jr.’s advice: “Be willing to step outside your comfort zone once in a while; take the risks in life that seem worth taking. The ride might not be as predictable if you’d just planted your feet and stayed put, but it will be a heck of a lot more interesting.“

Share

Related posts

March 13, 2023

New IIA Report Is a Timely Benchmarking Resource for Internal Auditors


Read more
May 16, 2022

THE STAGGERING TOLL OF COVID RELIEF FRAUD: WHERE WERE THE THREE LINES?


Read more
February 3, 2022

To Live a Life in Color, You May Have to Change Channels


Read more

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

What’s Trending

03-20-23

New Report Reveals Surprising Insights from Internal Audit Executives


03-13-23

New IIA Report Is a Timely Benchmarking Resource for Internal Auditors


03-02-23

6 Things Audit Committee Members Often Won’t Say to Internal Audit


Read More

Archive

  • March 2023
  • February 2023
  • January 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • December 2018
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • July 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • August 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011
  • January 2011
  • December 2010
  • October 2010
  • September 2010
  • August 2010
  • July 2010
  • June 2010
  • May 2010
  • April 2010
  • March 2010
  • February 2010
  • January 2010
  • December 2009
  • November 2009
  • October 2009
  • September 2009
  • August 2009
  • July 2009
  • June 2009
  • May 2009
  • April 2009
  • March 2009
  • February 2009

Contact Us

PO Box 1441
New Smyrna Beach, FL 32170

+1-407-463-9389
rchambers@richardchambers.com

About AuditBeacon.com

AuditBeacon.com is a resource center for internal auditors and risk professionals from around the world. In addition to more than 500 blogs authored by Richard Chambers, the site includes links to news and insights on internal audit and other information that illuminates the value of this important profession. AuditBeacon.com is provided as a service by Richard F. Chambers and Associates, LLC.

Copyright © 2023 Richard F. Chambers & Associates. All Rights Reserved.
  • Home
  • Blog
  • Audit Trail Academy
  • Advisory Services
  • Books