What are we missing? This is the key question for all internal auditors – particularly now. Global geopolitical upheavals are not emerging risks, but they seem to be converging at a greater scale and velocity than ever before. How do we filter the overwhelming “noise” so we focus on what matters to our organisation? How do we ensure our internal audit work has real impact on what matters? How do we support our stakeholders to uncover blind spots or connect the dots on emerging themes?
The Chartered IIA will be publishing a new report, Internal Control Failure!, in the coming days that highlights how more than £1bn in fines handed out by the Financial Conduct Authority (FCA) over the past five years were triggered by basic failures in firms’ internal controls. Some of the organisations mentioned have internal audit capabilities, but others did not. It shows that assurance works only when it is properly resourced and issues are taken seriously and acted upon.
We must all learn from these failures. Internal audit must never become complacent – as an internal audit leader, I must always ask, “Could this be us?”
For me, there are two key lessons. First, every organisation must think harder about how they get their assurance. They must challenge assurance providers and sources to ensure assurance is truly effective.
Second, every failure is an opportunity for internal auditors to rethink what they are doing. Could this happen to us? What are our gaps? Are we complacent? Are we developing biases that affect our objectivity?
Because current geopolitical developments demonstrate – yet again – that unforeseen crises are not unforeseeable. They hide in plain sight. We ignore them. We fear them. They are too big, so we leave them to governments and global bodies without considering how they could impact us.
We must raise the uncomfortable “what if” questions in our teams and at board level. Our annual Risk In Focus report pointed out that we have had three “once in a lifetime” events in three years. If we do not address the risks of global crises now, when will we do so?
Iran’s closure of the Strait of Hormuz was not unpredictable. Iranian leaders planned this response to an attack. We knew it could happen and that it would have a devastating effect on energy supplies and costs.
Similarly, Covid was not unpredictable. We have seen pandemics before and will see them again. What had changed was the globally interconnected world that spread Covid to every corner of the Earth, killing people and devastating economies.
Now is the time to ask what else is out there? Satellite warfare/sabotage? Natural disasters such as an eruption of the Yellowstone super-volcano? AI-powered cyberattacks on critical infrastructure? Quantum-enabled tech warfare?
We cannot prevent these crises, but we can and must support our organisations to plan to respond to, and recover from, the most immediate effects on our operations. We must change how we think about converging global risks.
This is where human skills come into play. Technology is a great enabler for modelling and projecting scenarios. However, good internal auditors have an innate intuitive sense, which they develop with experience. We must harness this.
If something looks “wrong” or makes us uneasy, we must question it. Where can we find out more? Who can we talk to? What sources of expert information are available to us? Intuition spots the weak points and the missing pieces. We must trust and hone it and then back it up with research and objective facts.
We must also change the way we approach our audit work. Categories such as “emerging risk”, “cyber risk,” “geopolitical risk,” and “supply chain risk” no longer work in isolation (if they ever did). Auditors cannot think in silos.
Audits must assure and inform the conversation on a broad interconnected range of enterprise risks. We must start with the biggest possible picture before creating an audit approach strategy that breaks audits into manageable pieces of assurance.
Create a mind-map with a multi-disciplinary team, including second-line colleagues and business risk owners, and ask how best to break this audit into bite-sized chunks. Then, check these will reconnect to give a macro overview or themes to the executive team or board.
Ask what the board and business risk owners need to know. Will your audits provide this? Is our work progressing board level discussions?
Meanwhile, this must not detract from our core assurance objectives. We cannot forget those brilliant basic controls that ‘keep the lights on’. Being an audit leader is a juggling act. Essential core assurance must continue while we ask the challenging questions about our audit concepts and blind spots.
The Chartered IIA’s upcoming research into FCA regulatory failures around internal controls indicates we are not there yet. But we are all in this together. Our profession is wonderfully supportive and willing to share. This is what makes the Chartered IIA so valuable.
Whatever you are struggling with, you can be sure that you are not alone. Geopolitical risk convergence affects all of us. Reach out to those in different sectors and learn from others’ successes and failures.
Use the Chartered IIA’s forums and drop-in sessions to meet peers and hear their stories. Ask for introductions. Attend conferences, events and webinars.
We need to expand our networks. Converging risks mean that we may learn more from those in other regions and sectors, or with different expertise, than ever before. Past experience shows what we miss when we fail to connect – and that the biggest global threats are often the ones hiding in plain sight.
