The world of audit, risk management and compliance is not exactly renowned for being fast-paced, but when I look back at the past year, it strikes me that there has been progress in a number of areas.
Based on the commentaries of respected thought leaders such as Richard Chambers and Norman Marks, discussions with CAEs and other audit leaders that take place at so many conferences, as well as Big Four reports and publications on a number of topics, there seems to be increasing alignment around common themes.
That’s not to say the picture is particularly rosy. One of the biggest issues is the gap between expectations for what internal audit could or should be doing…and what is actually taking place. Still, the fact that so many people are talking about the same topics and planning to address them is in itself positive.
This really goes to the core of what internal audit is about. A couple of Big Four reports have pointed to surveys showing that roughly 50% of board and C-suite respondents think that internal audit is not meeting expectations around the risk areas that are addressed in the audit plan.
It’s not that internal audit departments are doing a bad job in looking at the same old traditional areas and performing the same old sort of testing, and producing the same old sort of reports. But if the objective is for auditors to really contribute and be highly valued by their organizations, then auditors should be taking a lead from those CAEs who are driving their teams to look at risks in areas that really impact the ability of the business to meet its overall objectives.
Traditionally, auditors thought in terms of all of the different areas that should be subject to audit and included in the audit plan for the year. Thinking has increasingly shifted to looking at the risk universe and using that as the basis for assessing where to focus audit work.
This makes a lot of sense as it is more closely aligned with what the business should be thinking about in their risk management activities. It may seem like semantics, but if auditors focus on the full range of risks and their impact on the ability of the organization to meet its objectives, then this is likely to create a shift in thinking about priorities.
When assessing the risk areas that should be addressed in the audit plan, too often auditors go with what is in their comfort zone of experience. However, internal audit’s job is to assess the way that all types of risks are managed in the organization, whether strategic, financial, operational, compliance or others relevant to a particular sector.
The concept of the Three Lines of Defense has gained a lot of traction in the past year. It seems to have been very effective in helping auditors to put their responsibilities in the context of those of control and compliance functions and those of business management.
The model is a great tool for auditors to use when talking about the need to take an integrated approach to audit, risk management and compliance and to move away from a silo-based approach.
The concept is not new; the ideas of continuous auditing, continuous monitoring and continuous assurance have been around for a long time. But in 2014 the light bulbs seem to have really come on around the notion that it is in everyone’s best interest — in all three lines of defense — to have a dynamic approach to assessing risks.
Risks are not static. The degrees of risk vary over time and new types of risks constantly arise. The ability to gain ongoing insight into a full range of risks can clearly be of great value to the business overall.
Technology is the great enabler of this approach and we now hear increasingly of the value of having an up-to-date overview dashboard of the current state of risk assessment across the organization. We are not there yet, of course, except in a very limited number of cases. But the fact that more of those involved in audit, risk management and compliance can see the benefits of a current, integrated and comprehensive view represents real progress.
Talking of technology… one survey report from the large audit advisory firms again stated that data analytics, continuous auditing and continuous monitoring are expected to increasingly drive audit and risk management activities.
This continues a trend of all the Big Four firms reporting essentially the same thing for the past five years or so, which is not very impressive, particularly given that another survey report stated that about half of executives and CAEs consider that internal audit is not meeting expectations in its use of technology.
There is still a big issue around how many internal audit departments — as well as risk and compliance functions — are simply well behind the rest of the organization in leveraging technology to transform processes and their effectiveness overall.
(Source: ACL Blog)