Richard Chambers has shared his valuable insights in another post. In Europe’s Internal Auditors Are Already Identifying the Risks for 2021 he makes a number of excellent observations, especially his opening paragraph:
As we enter the fourth quarter of a historically difficult and disruptive year, internal audit leaders around the world are looking to next year with some degree of trepidation. If the COVID-19 pandemic has taught us anything, it is that new risks can emerge at lightning speed and have profound impacts on our organizations and lives.
I also like that he pointed out that internal auditors (at least in Europe, which is where the data is from) are spending their time addressing what were perceived as the top risks.
While he references a report from a consortium of European internal audit associations (ECIIA) that sought to understand what practitioners believed were the top five risks to address in 2021, he said:
As the COVID-19 marathon continues to reshape the risk landscape, internal auditors must be keen to the changing needs of the organization and pivot to address those quickly and effectively.
It’s not just COVID that could be “reshaping the risk landscape”. Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.
Organizations and practitioners need to have:
- the ability to sense and anticipate what might happen and how it could affect the organization (this is the essence of risk management); and
- the agility to respond promptly and effectively.
Risk management needs to be continuous (at the speed of risk and the business) and internal audit planning similarly agile.
To some extent, this makes any survey that purports to identify risks further into the future than a quarter, let alone for all of 2021, prima facie ridiculous – especially as the survey was completed at least 4 months ago, six months before the start of 2021.
But the report has some interesting points to make.
Perhaps the most stunning is that neither in this nor in the 2020 report was risk management identified as one of the top five risks.
If you can’t anticipate and address the risks and opportunities ahead, how do you expect to succeed?
Similarly, there doesn’t seem to be any attention paid to the organization’s ability to react when conditions change. While we are talking about internal audit agility, why are we not also talking about the ability of our leaders to change strategies, objectives, and tactics as needed? Do they continue to be rewarded for achieving goals set and agreed with the board during a different time?
Information security remains at the top of the priority list, but I wish that auditors would place a higher level of priority on determining whether the organization has actually assessed the risk to the organization (i.e., not just to information assets). Are they putting sufficient resources or too many towards cyber?
The question posed by the report is totally inadequate:
Has the business performed a risk assessment to identify possible network weaknesses and data assets whose susceptibility to attacks and theft has increased in the last 12 months?
The questions should be:
Has the business performed a risk assessment to understand how a breach might affect the business and the likelihood of an unacceptable effect?
Are prevention, detection, and response measures appropriate to the level of risk?
Is the investment in prevention, detection, and response appropriate to the level of risk?
I am encouraged that liquidity was identified as one of the top three risks for non-financial companies. I would go one step further and include capital and credit risk and I like how a CAE in Belgium referred to ‘financial resilience’.
I said earlier that “Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest and civil disruption, and more.”
The ECIIA report talks about “macroeconomic and geopolitical uncertainty” and I am pleased to see 33% of CAEs rated it as a top five risk – while disappointed that 67% did not. I encourage you to read the section from page 35 to 41, including supply chain disruption.
Overall, the ECIIA report is an interesting read for internal auditors.
But our attention should be on continuous audit planning.
I suggest meeting with the CEO and other executives at least monthly and keeping eyes, ears, and noses open and alert.
What are the risks and opportunities that leaders are (or should be) focused on today and expect to be focused on tomorrow?
How can we help with assurance, advice, and insight?
I welcome your thoughts.
- Auditing at the speed of risk with an agile, continuous audit plan - June 22, 2022
- Do smaller companies manage risk better than larger ones? - May 18, 2022
- Is there an effective risk culture? - April 20, 2022