By Richard F. Chambers, Senior Internal Audit Advisor – AuditBoard
As the world emerges from the Coronavirus pandemic, it is natural for business leaders to reflect on the lessons they learned and how the business models of their companies may be changed forever. It is also important for us to reflect on the lessons from the pandemic that reinforced what we knew or believed before the deadly virus turned the fortunes of our organisations upside down or right side up, as the case may be.
I have been part of the internal audit profession for more than four decades. For much of the past decade, I served as the Global President and CEO of the Institute of Internal Auditors (IIA). As I travelled around the world, I was asked one question many times: “What advice do you have for internal auditors?” My answer for many years was almost always the same: “Follow the risks.” In recent years, I have refined that advice, and responded: “Audit at the speed of risk.”
As I reflect on the lessons the internal audit profession has learned during the Covid-19 pandemic, I believe that internal auditors learned that those two important pieces of advice are as important as ever!
Corporate board members would do well to follow the same advice I offer internal auditors. While hindsight will always be important in the board oversight role, increasingly board members must look forward in their oversight of risk management. When coaching internal auditors on developing effective risk assessments, I stress the fundamentals of risk assessment and I highlight how risk velocity and volatility have made the process much more complex.
The importance of assessing risks
Not long ago, annual risk assessments by internal auditors were considered a leading practice but were not required by the IIA’s professional standards. Today, however, the IIA provides guidance that mandates periodic risk assessments as part of audit planning.
The Covid pandemic taught us that, with the speed of risk that organisations face in today’s world, performing an annual risk assessment won’t likely serve organisations well. Covid reinforced the importance of deploying a continuous risk-assessment component to our risk assessment methodology in order to provide assurance.
In working with different internal audit departments over the years, I have observed that, even if internal auditors vary their approach, certain features are common to the development of their risk-based plans. These include:
- The establishment and maintenance of a risk register or inventory for the organisation, linked to key business objectives
- The assignment of an inherent rating for risks in the inventory
- A process for scoring or rating risks on an annual basis
- A process for gathering and analysing data, management perspectives, and other evidence on the current level of risk for each element in the inventory
- A scoring or rating methodology that is assigned, based on the data, perspective, and evidence gathered
- A ranking or prioritisation of risks, based on the scoring methodology
- A determination of the most highly rated risks to be included in the proposed internal audit plan
- A review of the proposed annual internal audit plan with key management officials
- Submission of the proposed annual internal audit plan to the audit committee for approval
Over the years, I have seen elaborate, time-consuming methodologies, including formulas used to score individual risks. Sometimes these formulas seemed better suited for a rocket launch than calculating a single risk in an audit plan. As I often coach internal auditors, simplified formulas can be just as effective as complicated ones. After all, risk assessment is as much art as science; no matter how complex the process, professional judgment will invariably be a factor.
What Covid-19 taught us
As we all know, the Covid-19 pandemic emerged virtually overnight to present some of the greatest global risks ever seen. Its rapid emergence and continuous source of new and evolving risks have impacted our lives and the organisations we served for almost two years. Even looking ahead to 2022, it is likely that pandemic-related risks will continue to emerge. I believe it is more critical than ever that internal auditors and the organisations they serve embrace a continuous approach to risk assessment and audit planning.
As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year’s data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, management and boards are already aware of past mistakes. As internal audit matured, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight, but it too suffers from limitations in an era when risks emerge at warp speed. Today’s insight may well be tomorrow’s hindsight.
There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. As internal auditors, we must focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organisations.
In recent years, I have begun to use weather analogies when addressing challenges and opportunities for the internal audit profession. In many ways, identifying future risks is like forecasting the weather.
When our parents and grandparents were young, there was no such thing as weather radar. If they were curious or concerned about potential changes in weather, they simply peered out their windows or stood on a hill and scanned the horizon for potential storms. Of course, their weather predictions were often wrong. Climbing to the hilltop may have expanded their view, but weather patterns are far too complex to know if the clouds you see contain damaging winds, or if they are even coming your way.
That’s why modern meteorologists have turned to more advanced methods. They monitor approaching storms with Doppler radar. They use digital satellite images to record cloud patterns around the world, and they plug the data into supercomputers, applying advanced statistical equations and algorithms to create more accurate forecast models. Of course, we all know that even meteorologists sometimes get it wrong, but their degree of reliability has increased dramatically with the advent of new tools and technology.
From hilltops to desktops, Covid has taught us that we all need to get smarter about risks, and there’s a lot we can learn from meteorologists. They don’t just observe the weather and make guesses about what the future might hold. They use every resource at their disposal to identify potential trouble spots and patterns before the storm materialises or inflicts significant damage.
There is no silver bullet for identifying emerging risks. However, if we aren’t looking in the right direction, there is a greater likelihood of missing emerging risks. But just as storms in the Northern Hemisphere often emerge from the West, there are directions from which potential risks facing your company are likely to emerge. These include:
- Economic forecasts (macroeconomic as well as those facing your industry)
- Known strategic business risks facing your company
- New corporate initiatives being planned
- Legislative and regulatory outlook facing your industry
- Geopolitical developments and political risks in regions where your company operates
- Disruptive threats or opportunities facing your industry
- Performance of your primary competitors
- Risks emerging as headlines via traditional or social media
Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks that threaten the organisation. We should position ourselves as a partner, not a competitor trying to one-up management, when it comes to emerging risk acumen. After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organisation’s internal auditors.
Many organisations demonstrate proficiency in identifying emerging risks, but many more need to embrace the lessons from the past year in transforming their approach. As the famous Danish philosopher Søren Kierkegaard observed: “Life can only be understood backwards; but it must be lived forwards.” I encourage boards, management and internal auditors to embrace the lessons learned from the Covid pandemic, and make sure we follow the risks by looking ahead.
About The Author:
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is a global internal audit advocate and senior internal audit advisor for AuditBoard, the leading Cloud-based platform transforming how enterprises manage risk. He also serves as the overseas Honorary Dean of China’s Nanjing Audit University and is the Founder and Chief Practice Leader of Richard F. Chambers and Associates, a global internal audit training and client service firm.
Prior to establishing his own firm, Richard served for more than 12 years as President and CEO of the Institute of Internal Auditors (IIA), the global professional association and standard-setting body for internal auditors. He has more than four decades of internal audit experience, including service as national practice leader in Internal Audit Advisory Services at PwC; Inspector General of the Tennessee Valley Authority; Deputy Inspector General of the U.S. Postal Service; and director of the US Army Worldwide Internal Review Organisation at the Pentagon.