Risk Management Is the Future of Internal Audit

The average internal auditor will tell you of the need to maintain separation between their audit work and the management of risk. I believe they are wrong, and that they are dwelling on the historical role of internal audit rather than contemplating how it needs to evolve. There are signs that an increasing number of auditors realize there is a need to take a more expansive view of the contribution they should make, and I was further encouraged by the final blog written by veteran audit expert Norman Marks for the Institute of Internal Audit (IIA).

For many years Marks has persuasively argued that internal auditors should look forward more, and spend less time writing reports about historical findings that are of little interest to senior management. He bowed out with an assessment of the state of audit that reiterated his chief hopes and concerns.

…internal audit heads (chief internal auditors, CAEs) will be welcomed at the top table when they have something interesting and valuable to offer on the topics typically discussed at that table: the enterprise’s objectives and strategies, major projects, performance, and risks to success.

If we do what I suggested in Auditing That Matters, we would be considered trusted advisors that provide assurance, insight, and advice that helps the organization succeed.

Marks elaborates how this relates to risk management.

Internal audit should focus on the more significant risks to the enterprise, not just those that may be important to a process, business unit, or middle manager. If you focus on risks to individual processes, business units, and so on you merit a seat at the middle management table — because those are the people interested in what you have to say. But if you have an eye on the future, on the risks that could either derail or represent opportunities to succeed today and in the next year or so, your insights are valuable to senior leadership.

To change, auditors need to think differently about the terrain they cover.

We need to discard the outdated concept of an audit universe and focus instead on a risk universe. We audit and provide assurance on the management of risks, not the management of business units.

Marks recognizes there are obstacles to be overcome.

One of the challenges is going to be to understand what risk and risk management are all about. Frankly, I don’t think enough people (and especially internal auditors) understand that it is not about the periodic review of a list of risks.

No, risk management is about ensuring that people are able to make informed and intelligent decisions, taking the desired amount of risk. It’s about making sure they think things through, considering all the things that might happen, both good and bad, before making a decision — and every decision creates or modifies risk.

Internal audit should audit the management of risk within and across the enterprise, not simply compliance with risk policies and standards.

Perhaps you would like to argue against Marks’ vision. He is already ahead of you…

The path to success lies in our ability to challenge everything we have done because it is what we have always done. We wouldn’t accept that from process owners. Why accept it in our own profession?

You can read Norman Marks’ final blog for the IIA by clicking here. And if you are not already a regular reader of his personal site, then you should start now!

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

3 Comments on "Risk Management Is the Future of Internal Audit"

  1. Ken Dickenson | 26 Dec 2017 at 4:22 pm

    I am not an auditor but I think that what happened in the past is of lesser importance than what is happening right now. If one looks at the latest incident on the stock market to Steinhoff, I am sure with proper Risk Management it would have not been a disaster that threatens the very existence of the company. My experience says that auditors look backwards at what has already occurred in the past and Risk Managers look at what is happening right now to try and avoid problems in the future. If I were a CEO I would want to be proactive rather than reactive to risk.

  2. Daniel Udochi | 4 Mar 2018 at 11:39 am

    I couldn’t agree more; today’s connected world and the extremely dynamic environments within which organizations strive leave much to be desired from traditional Internal Audit. I sometimes marvel to see large organizations – worse still in the ICT space – having legacy practices like 2/3 year rolling audit plans; makes you wonder the basis for such plans when technology and associated risks evolve at a much faster pace. Indeed to remain relevant, internal audit must evolve and in MHO be incorporated under the more proactive and larger umbrella of “Risk Management”. I have included Risk Management in quotes as this requires whole new discussions on the whats and hows of risk management – this probably explains the slow death of legacy internal audit.

    • Hi Daniel, great comment. Aligned to your observations, I tend to think of “risk management” as something which is being born, whilst internal audit is dying. Risk management is immature and some of us have hopes for its future, but nobody understands its full potential and many consider it a burden, like they would consider a baby to be a burden rather than a productive member of the team. However, the new must replace the old, and we need this baby to grow up as quickly as possible because internal audit isn’t showing the ability to adapt to a more dynamic environment.
