Disruption – threats and promises
Disruption and chaos present opportunities as well as risks – but if your internal audit function is not moving faster and smarter than ever before, it will fail to take advantage of the former while enduring more of the latter. This was the key message for all the participants in the Chartered IIA’s Disruption roundtable in November.
“Risk and chaos can be a good thing – hold on to that,” urged Paul Middleton, managing director at Protiviti. “It can spark creativity and growth, but you need the mindset and environment to allow it to happen.”
To achieve this mindset, internal audit leaders must move on from many of the formal processes and procedures they have followed in the past. Annual plans, standard long-form reporting (usually some time after an audit is ended) and a commitment to auditing any area simply because it’s always been done historically should already have been consigned to history, but Middleton and others at the event went further.
“You need to feel empowered to tear up audit plans, reassess how you manage and start again by rethinking how you perceive and manage risk and how you conduct audits,” Middleton said. “Failure to do this should be viewed as a risk in itself.”
Liz Sandwith, chief professional practices adviser at the Chartered IIA, pointed out that Julia Graham, CEO at Airmic, told delegates at the Internal Audit Conference to burn their risk registers – because they were inevitably out of date and would hinder anyone who became too wedded to them. Similarly, anyone with an annual plan was advised to tear it up as a waste of time, Sandwith said.
Roll in real-time
Plans today should be rolling, flexible, constantly reassessed and refocused. Attendees discussed the ways in which they are trying to speed up reporting with rapid deep dives, one-page reports, dashboards and real-time feedback.
“If you see somewhere that could create a bottleneck in the process, take it out,” one attendee advised, explaining how his team now ensure that all management actions are agreed before a report goes out, so future amendments are unnecessary.
Some pointed out that audit committees can be reluctant to let go of the formal reporting and plans they’ve seen in the past. If so, they need to be encouraged to see beyond the superficial appearance of assurance and appreciate the added value of different methods.
When it came to highlighting the chief reasons for disruption – the looming risks and potential crises likely to affect organisations in the near future, most attendees agreed on the key themes. They highlighted “people”, “cyber” and “culture” as the main risks for their organisations, followed by “inflation”, “third-parties” and “talent”. Other threats listed included “supply chain resilience”, “politics”, “energy market volatility”, “sustainability” and “governance changes”.
Perhaps surprisingly, “recession” did not appear on the list and other financial risks were few and far between. This might be a good sign if it means that organisations are confident about their resilience and ability to cope with financial uncertainty, but could also indicate over-confidence.
Sandwith asked whether some risks may never make it on to the list simply because they were seen as “NEQ” – not easily quantifiable. “If CAEs don’t put them on the risk register because they’re not sure how to deal with them, then they are likely to go under the radar and be ignored,” she warned.
Avoid complacency
Another key theme often missing from risk registers and plans is operational resilience and crisis management. All teams should be focusing on this, because all organisations are still facing so much disruption, Sandwith argued.
Resilience is more important than ever. Just because you survived the pandemic does not mean you can assume your organisation is resilient and able to survive future shocks, she warned.
Janet Barberis, managing director at Protiviti, added that some important risks are being underrated because people tend to see them as highly unlikely. This view may be fair in some regions, but internal auditors should take care to consider whether they are more likely in other areas – and what impact they could have. Although globally disruptive events affect people worldwide, that does not mean they have the same likelihood or potential impact in all areas, she warned.
“Consider energy supply threats,” she said. “Power blackouts may not be high on risk lists, but if they did happen, they could potentially have a massive impact on our organisations. The likelihood of this risk materialising may vary by location and country, but you need to think about how this affects your organisation across all its locations as well as the impact on your supply chain. Similarly, Covid is causing more lockdowns and restrictions in some parts of Asia than in Europe and the US. This needs to be factored into your risk assessments and plans. Think about how you join the dots and the interdependencies of these disruptive risks,” she urged.
Look to the horizon
Middleton pointed out that most internal audit teams are still not doing enough “horizon scanning” to identify longer term threats. “In 2019 and early 2020, the key risks listed by CAEs and chief executives did not include a global pandemic, even though the first stories about Covid were appearing in the papers,” he points out. “All their focus turned out to be entirely wrong. We need to get better at spotting and highlighting the emerging risks that could have a massive impact if they occur.”
He compared the risks highlighted in a survey of CEOs focusing on 2021 and predictions for 2031. “These are not bold enough,” he insisted. “As internal auditors, we have to have the courage to say ‘these are the risks that should be up there and this is the impact that we believe they could have’.”
The global economic and political environment is completely different from last year – and completely different from most people’s predictions last year. Any internal audit team still focusing on a plan or risk assumptions that they made 12 months ago is therefore working on entirely the wrong agenda.
“Managers need confidence to make the right long-term decisions,” Middleton said. “Internal audit must be working well to ensure that management can have confidence in their predictions and views of a rapidly evolving global situation.”
To provide this assurance, internal audit not only needs to plan, conduct audits and report more rapidly, it also needs to look at how it partners within the organisation and whether it has the necessary expertise and resources. Internal auditors need to consider their alignment with other assurance providers in the organisation, use data more efficiently and comprehensively and ask how quick they are to respond to risks that arise and to changing behaviour or culture.
“Do you have the industry expertise to identify emerging risks and the credibility to provide effective challenge? Are you adapting your internal audit strategy to be more data-led and to provide greater insights and coverage? Is your audit plan fluid enough to change fast and does your methodology support quicker responses?” Barberis asked.
Internal auditors always benefit from spending more time in the business learning about management’s concerns, she added. Similarly, those who identify that they lack expertise and skills should be looking to where they can gain these – for example, from co-source partners or industry and institute forums.
“A strong assurance framework is a powerful tool. Does your organisation have an assurance map and is it clear to the audit committee where all the different elements of assurance come from?” she added. “As expectations from the audit committee chair of their CAE have increased given the disruptive environment and a strong relationship and regular dialogue is crucial.”
“It’s a very exciting time to be in internal audit,” Barberis said. “We are in a good place for internal audit to raise its game. We need to look at how we partner with business, whether we are adding value, how our approach has changed, how we are using data and how we are building on the changes we began during the pandemic. We need to be better at joining the dots.”
This article was published in January 2023.