Tools for the job: Black swan opportunities
Black Swan events exist. The COVID-19 pandemic came as a shock even though experts had warned it was a matter of when, not if, something of this magnitude would happen. Even those who listened underestimated the amount of disruption it would cause, partly because such risks trigger a series of knock-on effects that may last for a long time and be hard to understand and to predict.
Over the past two years, internal audit teams have played a critical role helping executive teams to understand the risks their businesses face. In many cases, their responses have had profound effects, providing much-needed insight and assurance at a time of continual and escalating disruption. During this period, the profession has steadily increased its use of technology and data to quantify risk, and internal audit leaders have been able to advise boards better, and faster, as a result.
But, as these leaders reflect on the lessons learnt during the pandemic, they have a unique opportunity to take their mission one step further, and move from disruption to innovation. At a recent event for chief audit executives, one participant said the profession had its best shot in 20 years to drive a risk management, controls, integrity and automation agenda. It’s time to seize that opportunity.
To do this, internal audit leaders need to focus on the following: using technology and data to understand how risks are linked; applying continuous auditing to the different areas of their businesses; developing dynamic risk assessment techniques; and allocating more time for horizon-scanning, challenging senior leaders, and assessing operational resilience (particularly given ongoing disruption from issues including Brexit, energy price rises and supply chain issues).
Fast and focused
Automation can not only help internal auditors to make better, more accurate decisions, but can also enhance their ability to see the bigger picture. One recent example I’ve seen is that of a healthcare business which recently re-focused to put data at the centre of all its business processes. The impact of COVID-19 and ensuing risks around people, supply chains and credit prompted the board to ask questions about the resilience of the business. It turned to the internal audit team to provide assurance on its resilience and the internal auditors needed to use all the new technology and data to provide this.
Another business decided to change the way it conducts audits. When faced with supply shortages, it decided to monitor all its supply chains for critical materials. The experience encouraged the internal audit team to introduce more short, sharp reviews on specific areas using data to identify critical resilience issues quickly.
Meanwhile, an audio technology company changed the focus of its audits to concentrate more on emerging risks. The internal audit team is closely monitoring its supply chains, together with its risks around customer insolvency, to see how these may combine to affect the business. They are not only more aware of the changing risks they face, but also increasingly conscious of the ways these are interlinked and what this could mean.
The board’s perception of the role of internal audit continues to develop. The ability of internal auditors to know a business from top to bottom – as well as their close relationships with risk and compliance teams – puts the function in an ideal position to influence important decisions. Experiences during the pandemic and many different emerging responses to interdependent risks will help internal audit leaders to find new ways to quantify the risks their companies face today and in the future.
Internal audit teams that harness the power of technology and gain swift and regular insights using data will have more time and ability to view the horizon. There they will see a range of risks from climate change, to government policy, cyber and data security, digitalisation, skills shortages, and more. Instead of trying to understand each one in isolation, they will be able to develop scenarios based on a combination of risks and identify many different potential impacts. This will allow them to evaluate the resilience of their businesses in new ways and prepare management for the future before it happens.
We’ve lived through one Black Swan event. More will happen. If we learn the lessons it has taught us about the interdependence of risks, then we will be far better equipped to understand and quantify their combined longer term impact and this, in turn, will be essential for internal audit to embrace its once-in-a-generation opportunity.
Innovation after disruptio: Five questions to ask yourself
Q Is my internal audit team able to operate in real time?
A Can you react quickly to changing risks, get hold of information; store it centrally and use data mining tools to automate data collection. This will support dynamic risk assessment.
Q Are workflows automated?
A This could include automatic notifications at key stages of an audit – when planning is complete, or working papers are ready to review. For example – in addition to automating management actions. This will free up time.
Q Does my team have the skills and tools to adopt a data-led strategy?
A Maximise the tools available to create efficiency and streamline processes. Help your team members to increase their data analysis skills, to understand the information they have, and to access the data points they need. This will help decision-making.
Q Are we sufficiently aligned with the first and second lines?
A The board’s assurance should come from all three lines and these need to be aligned to provide consistent risk assessment, avoid duplication and provide a joined-up approach to risk reporting.
Q Is my team plugged into the strategy of the firm?
A Internal audit is increasingly playing an advisory role around evolving risks. All teams should be taking steps to improve the way they anticipate changes to the risk profile of the business, and to become more proactive in the challenge they provide. In addition, they need to free up time to provide more insight to executive teams and become more involved in strategic initiatives.
Janet Barberis is managing director at Protiviti UK.
This article was published in March 2022.