Ours is a dynamic profession. Just as internal auditors move from one engagement to the next, the entire profession continually evolves to meet new challenges. Half a century ago, most internal audits were financial. But in the 1970s and 1980s, a new trend developed. Operational auditing became a hot topic at conferences and seminars. Thought leaders such as Larry Sawyer pointed out that internal audit can function as “the eyes and ears of management”, and audit executives across the world slashed borderline financial audits from their plans in favour of operational auditing.
By the early 21st century, internal audit functions had ventured beyond operational auditing to offer new services. Consulting engagements became the Next Big Thing. A few internal audit executives even stopped providing assurance services.
Then came the collapse of Enron, WorldCom and several financial giants. The swing of the pendulum reversed. Financial controls again became the primary focus of internal auditors. Changes in laws, regulations and stock exchange listing requirements brought new expectations about financial controls. Quite a few audit executives stated they simply did not have the time or resources to address non-financial issues – until a series of widely publicised cyber attacks rocked the business world.
Why the history lesson? As Winston Churchill pointed out, those who fail to learn from history are condemned to repeat it. It’s important to pay attention to risk trends, but we must never forget that each organisation is unique, and there are times when the trendy risks may not be those that should concern us most. The pendulum will swing again, and the velocity is increasing.
At the moment, the pendulum has swung away from financial auditing. According to the Chartered IIA’s Risk in Focus 2020: Hot Topics for Internal Auditors, the top three risks currently facing businesses and other organisations in nine European countries are cyber security (78 per cent), regulatory change (59 per cent) and digitalisation (58 per cent).
Financial risks came sixth on the list. But many audit executives believe that financial risk is again becoming a leading concern. Maybe that difference of opinion is a good thing. Maybe the difference of opinion is because their risks are different.
Obviously, we need to pay close attention to the top three risk categories mentioned in Risk in Focus. They are massively important. But we must not have tunnel vision. Although the “top three” risks are undeniably high, problems at a number of FTSE-100 firms have demonstrated that we all face unique risks — and those risks are changing rapidly.
If you think annual risk assessments will get the job done, you’re probably wrong. And if you think all significant types of risk are included in your risk universe, you might be wrong about that, too. It’s time to look again.
You already know your risks are changing. It’s not just the risks that were problem areas last year, not just the risks that made headlines this year, not just the risks that scored highest in surveys, not just downside risks, not just internal risks – and not just the types of risk that the internal audit department has the most experience tackling.
Ours is a challenging job. It can be challenging even to ensure that we have a shared understanding with our stakeholders about risk. Recent research by IIA-Global, “On Risk 2020: A Guide to Understanding, Aligning, and Optimizing Risk”, found that boards are overconfident in their perceptions of risk, consistently viewing the organisation’s capabilities as greater than executive management does. For every type of key risk studied, board members rated their organisation’s ability to manage it higher than executive management did.
That’s a serious misalignment, and we can’t afford to ignore it. The report suggests boards may be failing to critically question information from executive management, either because they lack details or because they are unable to understand and evaluate new and emerging risks. It also suggests that executive management may not be fully transparent with boards about risks and about its own reservations over its ability to manage them. This is where internal audit can come in.
I hope that all internal auditors will read the two reports, and will continue to keep a sharp eye out for new and emerging risks. Our risks are changing faster than ever before, and the Next Big Thing in internal auditing is probably just around the corner.
Richard F Chambers writes a blog at chambersontheprofession.org and tweets at twitter.com/rfchambers. His third book, The Speed of Risk: Lessons Learned on the Audit Trail, 2nd Edition, is available at theiia.org/bookstore
This article was first published in November 2019.