The average internal auditor will tell you of the need to maintain separation between their audit work and the management of risk. I believe they are wrong, and that they are dwelling on the historical role of internal audit rather than contemplating how it needs to evolve. There are signs that an increasing number of auditors realize there is a need to take a more expansive view of the contribution they should make, and I was further encouraged by the final blog written by veteran audit expert Norman Marks for the Institute of Internal Audit (IIA).
For many years Marks has persuasively argued that internal auditors should look forward more, and spend less time writing reports about historical findings that are of little interest to senior management. He bowed out with an assessment of the state of audit that reiterated his chief hopes and concerns.
“…internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise’s objectives and strategies, major projects, performance, and risks to success.
“If we do what I suggested in Auditing That Matters, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed.”
Marks elaborates on how this relates to risk management.
“Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on you merit a seat at the middle management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.”
To change, auditors need to think differently about the terrain they cover.
“We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.”
Marks recognizes there are obstacles to be overcome.
“One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don’t think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.
“No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. It’s about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.
“Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.”
Perhaps you would like to argue against Marks’ vision. He is already ahead of you…
“The path to success lies in our ability to challenge everything we have done because it is what we have always done. We wouldn’t accept that from process owners. Why accept it in our own profession?”