Can Internal Audit be a Command Center for Risk?
This is the question that Deloitte asks in a recent CFO Insights issue.
The article has some useful comments on the use of technology by internal audit, such as “leveraging innovative techniques, such as data analytics and predictive modeling, to identify emerging risks and allocate resources to maximize coverage.” I agree with the authors when they say:
“[It] behooves finance to equip the function with capabilities to deliver more-informed audit reports. And given the continuing desire of CFOs to play more-strategic roles, having a forward-looking IA department can be a valuable weapon in their arsenal.”
“As in most areas of an organization, new technologies are increasing the speed of delivery and allowing better insights. In IA, in fact, the use of technology is increasing the impact of audit findings through, for example, data visualization. In addition, other techniques are making reports more timely and accessible.”
“The data captured by new technologies can help IA and the business know where the risks are, how to prioritize them, and how to better focus audits and management’s efforts to mitigate risks. For example, regression testing and predictive modeling can allow CFOs and auditors to quickly identify anomalies. Specifically, advanced-analytic and data-modeling techniques that use self-learning algorithms can automatically categorize anomalies within a wide range of variables to identify higher-risk audit entities. Analysis of this nature can then help direct audit activity toward areas of greatest risk. Particularly effective across geographic locations and overseas operations, it has also been used to analyze areas as diverse as revenue leakage, compliance risks, and other enterprise risks.”
“Specifically, to be a command center for risk, IA has to add the necessary modeling and analytical skills to its working knowledge of internal controls and risk management approaches. In addition, IA professionals need to move out of their comfort zone and focus on identified risks and resolve not to be satisfied with average performance. Moreover, finance and the audit committee should both expect IA to perform at a higher level and equip it with the resources and the mandate to do so.”
“Audit committees and senior management rely on internal auditing for objective assurance and insight on the effectiveness of risk management and internal control processes. Armed with their support, IA can leverage technology and data to better partner with finance—and contemporize its governance role to one that identifies and tackles the risks most relevant to the organization.”
However, the underlying premise of the piece is that internal audit is responsible for identifying and assessing risk, bringing that assessment to the executive leadership team. For example, they say “there is an opportunity for IA to move beyond its scouting role and serve as an integral part of the team for identifying and combating risk.”
This is not correct.
IIA Standards make it very clear that management is responsible for identifying, assessing, evaluating, and managing risk. The role of internal audit is to provide assurance that those risk management practices, including the design and operation of related controls, are up to the task.
So when Deloitte says that “IA can help the organization better understand its preparedness by using analytics to detect breach patterns and reviewing cyber-controls in a regular cadence”, that use of analytics should be part of internal audit’s responsibilities to assess management’s assessment of risk and to ensure its audit engagements are designed to address the more significant enterprise risks.
Internal audit should not step into management shoes and take on management’s responsibilities for identifying and assessing risk.
Internal audit can continue to identify and report areas where management’s identification and assessment of risk is flawed – as part of their responsibility to provide assurance on management’s processes and controls.
Deloitte has published some excellent papers in the past (especially their Risk Intelligence series) and I am sure they will provide us with excellent ones in future.
However, my wish is that they join internal audit executives in making it clear to boards, CFOs, and other executives that management is responsible for managing risk. Internal audit’s role is one of assurance and advice.
Can the risk management function report to the CAE? Yes, but with safeguards – as discussed in the IIA Position Paper, The Role of Internal Auditing in Enterprise-Wide Risk Management.
I welcome your comments.