Internal Audit Role Expanding Further into Risk Areas

With more companies focusing on enterprise risk management and strategic risk, the role of internal auditors is being expanded to include risk identification and risk management, a study by the Institute of Internal Auditors (IIA) and Protiviti has found.

According to Relationships and Risk, Insights from Stakeholders in North America, the top three areas where respondents wish to expand the role of internal audit involve identifying and managing risk. Of 433 North American stakeholders surveyed, 85% said they want internal audit involved in identifying known and emerging risk areas; 78% would like to see internal audit facilitating and monitoring effective risk management practices by operational management; and 78% want audit to identify appropriate risk management frameworks, practices and processes.

The survey also found that 58% of stakeholders believe internal audit should be more active in assessing strategic risk.

When asked to choose the best avenues for internal audit to improve its role in responding to the organization’s strategic risks, stakeholders said:

  • Internal audit should focus on strategic risks as well as operational, financial, and compliance risks during audit projects.
  • Internal audit should periodically evaluate and communicate key risks to the board and executive management.

The report concluded that chief audit executives (CAEs) should consider methods to meet and surpass the needs and expectations of their stakeholders, including:

  • Focusing on risk activities—risk identification and management—when performing advisory services.
  • Demonstrating an understanding of strategic risks in all audit work. Educating stakeholders on ways you can give attention to nontraditional strategic risks.
  • Building soft skills. Communication and relationship building are needed to set priorities when there are competing expectations.

The Risks of Social Media: Internal Audit

Internal audit has never been easy, but modern business practices are challenging IA professionals even further. Social media, fraud risk and data analysis tools are areas in need of attention and, in some cases, improvement.

The 2013 Internal Audit Capabilities and Needs Survey, released by Protiviti, shows that 43% of respondents have no social media policy within their organization. Among those with a policy, many fail to address even the most basic issues, such as information security and approved use of social media applications.

What’s most alarming, however, is that more than half (51%) of organizations do not address social media risk as a part of their risk assessment process — 45% indicate they have no plans to do so in the coming year’s audit plans. Of those that do address the topic, 84% rated their organization’s social media risk-assessment capability as “not effective” or “moderately effective.”

“The survey findings are surprising in that they show how many businesses are either inadequately prepared or altogether inactive in putting effective processes and policies in place around social media,” said Brian Christensen, executive vice president, global internal audit, at Protiviti. “From a risk management perspective, this poses significant potential problems for businesses that can range from reputational risk to IT infrastructure risk as a result of unchecked exposures to customer, vendor and company information.”

Other findings related to internal audit include:

  • Continuous auditing was the top priority in terms of audit process knowledge in 2011 and 2012, but dropped down to #18 in the 2013 rankings.
  • For audit process knowledge, auditing IT – new technologies was the third-highest “needs-improvement” priority, and scored significantly lower than any other area evaluated with regard to existing competency.
  • Concerns among chief audit executives were generally aligned with the broader sampling of respondents. However, they did rank audit process knowledge around Computer-assisted Audit Techniques (CAATs) as a higher priority for improvement, compared to the overall ranking.

In 2013, we can no longer view social media as a “new” risk. Businesses must prepare for the worst. Whether it’s an attack on a company’s reputation via Facebook or a rogue employee stealing an organization’s Twitter account password, social media risk can manifest itself in many ways. There is only one way for companies to deal with it, however.

Be prepared.

Why Risk Management Should Collaborate With Internal Audit

Risk management and internal audit should work together. That’s according to a joint report between RIMS and the Institute of Internal Auditors released last week. “The two disciplines are more effective working together than separately, especially when there is a common understanding of each other’s roles,” said Carol Fox, director of RIMS’ strategic and enterprise risk practice. She noted that internal audit’s role helps inform top executives about the companies’ strategic risks while the risk management function helps leadership use the proper techniques and methods to assess all the possible outcomes of different strategic paths.

In short, internal audit sees everything that is going on within a company. And risk management can take that knowledge and ensure that all contingencies can be properly understood.

During a panel session at the RIMS 2012 Conference & Exhibition on enhancing the value of risk management, Diane Askwyth, a risk manager at Harrah’s Entertainment, echoed these sentiments and expanded on how risk managers can partner with their colleagues in internal audit. “You have to look at internal audit as another pair of eyes for you,” said Askwyth. “It’s a very powerful resource if you can get that in your corner.”

In fact, more than just serving as an additional resource, that partnership can greatly enhance your standing in a company. Because if risk management isn’t using the knowledge that audit has, audit will be. And that will mean that the risk management department’s standing will be lowered by comparison.

“The group that knows the most about what’s going on in the entire organization on a very granular level is internal audit,” said Askwyth. “And from that perspective, they have a big advantage over us. So they can either be your enemy or they can be your best friend. It’s your job to make them your best friend — or else they’ll slit your throat.”

Kristina Narvaez of ERM Strategies, LLC has some advice. She says there are three “Cs” that should govern risk management’s relationship with internal audit. “You can complement and collaborate but you don’t compete against each other,” she said.