At last count, more than 80 percent of internal audit departments assess risks as part of their audit planning process. So, why is it that legitimate risks to the organization are often glossed over, or overlooked entirely, when internal audit is assessing risks? I fear this happens far too often, and that it poses a huge and potentially growing exposure both for internal audit’s clients and for the reputation of the profession.
I have looked under the hood of scores of internal audit functions over the past decade, and I have engaged dozens of other CAEs in discussions regarding their risk-assessment practices. As I have witnessed firsthand, and many CAEs have candidly acknowledged, quite a few risks never make it onto internal audit’s risk radar. There are a number of reasons for this oversight: The audit committee may explicitly limit the areas where they want internal audit to focus; a new risk may emerge so rapidly that its potential to wreak havoc is not fully recognized; or internal audit staff are subconsciously biased to assume that, because areas have historically been well controlled, no risks are present.
However, there is another and more troubling reason why key risks are frequently omitted from the risk assessment and subsequent audit plans: The internal audit department simply does not have the skills to address the risks.
How often do we audit only the things for which we have the skills and turn a blind eye to those risks that we cannot easily assess with the talent on staff? Assessing only those risks that we know we can audit is the classic situation of the “tail wagging the dog.” When this happens, internal audit provides a false level of comfort to management and the board that these aren’t risky areas at all, because they would not negatively impact the organization or they are well controlled.
Clearly, the proper course is to assess the full portfolio of risks that could prevent the organization from achieving its objectives, identify the areas where residual risks remain high, develop a preliminary risk-based internal audit plan, and only then determine whether internal audit organically possesses the resources to address them. Often, it does not.
There are solutions for the CAE when in-house skills are lacking. These include hiring the requisite talent, co-sourcing, or leveraging expertise from elsewhere in the organization. But you don’t leave risks off the matrix just because you don’t have the skills to assess them – at least not without acknowledging it to management and the audit committee.
From my experience, the most common areas that fail to make the risk assessment because of internal audit’s skills gap are those related to technology (cybersecurity, cloud computing, mobile technology, etc.) and to business/strategic risks. When these risks blow up and significantly damage shareholder value, the rhetorical “where was internal audit” question is often posed. Unfortunately, I have seen more than a few CAE career casualties because a lethal risk wasn’t reviewed – in some cases, because of inadequate skills.
That is why I advise CAEs to sit down with management and the audit committee at the time the audit plan is being presented and be candid about what’s not being looked at and why. Is something not included because internal audit decided it was a lesser risk? Is it because internal audit doesn’t have adequate resources? Or, is it that internal audit does not have the necessary expertise? All too often, it is because we don’t have the expertise, and it is convenient to look the other way.
As pervasive as the shortage of internal audit skills to address specialized risks is now, I fear it is only getting worse. There is mounting evidence that we are in the midst of a growing talent shortage in the profession. Increased competition for talent and an expanding scope of work assigned to internal audit are dual threats that could have profound consequences.
The IIA Audit Executive Center’s 2015 Pulse of Internal Audit survey, which will be fully presented at our upcoming General Audit Management (GAM) Conference in March, hints at the intense scramble for talent. Indeed, 40 percent of North American CAE respondents said attracting and retaining qualified internal auditors was a high or critical priority for their audit plans. When asked to describe why skills gaps existed on their teams, 54 percent cited competition for a limited talent pool.
Evidence of this battle for talent was illustrated at a CAE roundtable I attended recently in New York. Among the two dozen CAEs in attendance, several described losing new hires to a competitor before they showed up for their first day on the job!
Our upcoming report on the 2015 Pulse survey will share strategies for navigating the talent shortage, including techniques employed by survey participants to address the skills gap.
I encourage all CAEs and stakeholders to consider whether their audit plans may be unduly constrained by the level of expertise on the internal audit staff. In a perfect world, this would never be so. But in a perfect world, internal audit wouldn’t have much to do.