Risk-based internal auditing (RBIA), which keeps an organization’s risk appetite alive and assures the board that effective risk management processes are in place, received a gargantuan jolt as the COVID-19 crisis crippled the world. Many in IA teams realized their organizations had not created a “common risk language” for an effective audit plan. As a result, when a crisis of the magnitude of this pandemic rampaged through the corridors of businesses, there was a rude awakening: be it “risks” or “controls”, most organizations had no one common language or definition to follow.
Internal auditors are therefore now cognizant that a common definition or language of risks and controls must be embedded in the audit plan itself. They need to take a step back and start auditing the risk-based audit plan itself. Today, it is more about pre-empting risks than mitigating them.
Organizations across the board and their respective audit teams realized after the pandemic that there was an inherent problem with their RBIA approach. Despite the red flags raised by Ebola, SARS or the H1N1 virus, audit teams had not factored in risk and cost assessments of a possible pandemic or a calamity of this proportion. The pandemic made IA teams aware of an immediate need to get out of an “inflexible” mindset, not just to think in a more agile manner but also to act in a more agile way. This was felt the most when, overnight, the world moved en masse to a virtual one, raising fears of a collapse in internal controls together with heightened cybersecurity risks.
The internal auditors found themselves looking at more strategic roles to play in the organizations they were a part of, realizing this kind of a crisis couldn’t merely be thwarted with a run-of-the-mill business continuity plan. A comprehensive, agile and well-stratified crisis management plan that could cover all lines of businesses and their related risks was the need of the hour.
While businesses are still firefighting the world over, it is not too late to reboot and frame a more realigned RBIA approach that can help fend off any such unprecedented crises.
Some of the strategic steps internal auditors can take today are:
What does this really mean? Audit plans, up until now, were designed to handle failures only within their own organization. It was only about their own crisis management. No one really had a plan that would handle global crises and risks for companies and their clients alike. That needs to change now.
The other “global” mindset has to be about thinking global within the organization itself. Risk management plans for a particular business unit will go against the grain of having a more holistic approach. To incorporate a global vision, the annual internal audit plan must look at not just how risky it would be for a particular business unit, but whether or not that would create risks for the larger organization.
Screening past failures to create risk-based audit plans will have little value today, as the pandemic has sufficiently demonstrated. To give more oxygen to the audit plan, it is important to now see what might go wrong in the future, not what went wrong in the past.
Internal auditors are often perceived as people creating more hurdles for businesses. The pandemic has probably created an opportunity for internal auditors to build better bridges with businesses by reaching out to them, asking what their business objectives are at this time, understanding their challenges, identifying risks that can get in the way of accomplishing those objectives and then deciding what controls can be put in place.
IA teams must learn to think in more incremental ways. This is probably the time to switch over from an annual audit plan to smaller and more incremental plans.
Audit plans, in a post-pandemic world, must leverage data more than ever before to gather better risk intelligence. Data helps assess risks more accurately and can probably help IA teams think of possible risk scenarios of the future.
Up until now, the risk scores that were assigned were subjective in nature. This, too, must change. As IA teams start banking on more data, they need to take a more quantitative approach to risk assessments. Data can help determine the likelihood and impact of every identified risk, help calculate relative risk scores for each of them and also help cross-reference the auditable entities to the risks. All this will help IA teams fend off future risks.
The Institute of Internal Auditors’ (IIA) Vision 2030, published in May 2018, described internal audit professionals as being “indispensable to effective governance, risk management and control.” Today, after the pandemic, that visualization of the internal auditor’s role seems prophetic. As auditors help organizations define a common risk language or aid in the adoption of that language, greater use of new-age technologies will help them in their rapid transformation to being more agile. The constant need to reprioritize, a post-pandemic mandate for all audit teams, is made possible with the adoption of agile strategies. The reprioritization will not only help realign audit plans on the go, but also expedite risk assessments and help keep risks at bay.
Transformational technologies such as Artificial Intelligence (AI), Machine Learning (ML), Robotic Process Automation (RPA) and Cloud-based solutions can lead to the reincarnation of RBIA plans. While Cloud brings in more security and cost efficiencies to the mix, RPA puts RBIA on a fast track by letting bots take over the rote, repetitive control tasks. AI, on the other hand, helps auditors pre-empt risks and take decisions in real time with the use of data and data analytics.
While humans and machines work together to make the all-new audit environment more seamless, the controls must take the audit test. If a control fails the audit test, i.e., if there is a failure in the control itself, then the chances of risk are much higher. Therefore, after the strategic steps (proposed above) empower IA teams to get a sharper grip on the risks, they must then move on to better understand what the controls are as these are then the “actions” that businesses would need to take to arrest risks. IA now needs to go beyond the purview of intelligent internal controls and critical thinking into the zone of “creative” thinking, which is more linear and intuitive in character. A well-designed control shouldn’t be the end goal. The question to ask now is: What are the right controls?
IA teams were so far probably prepared for gray swan events. A black swan event, such as the COVID-19 crisis, brings to the fore the need to pursue a top-down approach, from which emerges one version or definition of risk that flows from the top down. And that common definition of risk must be from an organizational perspective, not a siloed one. It should facilitate a broader focus on risk, where one looks not only at fraud risks or risks affecting financial reporting objectives, but adopts a mixed-method approach. Auditors should be as mindful of risks that affect particular lines of business as of those that affect larger business objectives. The speed of risk, that is, how quickly the risk will materialize, must also be evaluated before IA teams start focusing on controls.
IA is an integral part of an organization, be it from the standpoint of fraud detection, productivity, quality controls or augmenting stakeholder confidence. IA’s role and presence ensures a seamless flow in managing risks across multiple levels of the organization. Here are some of the key aspects IA helps with:
As the WHO warns of more pandemics and asks the world to be better prepared to deal with future ones, the point to ponder is this: the opportunities that black swan events open up are probably as unprecedented as the crises they bring along. And this is something we see in the impending role transformation of internal audit functions in risk management.