Strategic Risks Not Clearly Spelled Out for Internal Audit
Internal audit, get ready for some mixed messages.
A new report from the Institute of Internal Auditors (IIA) indicates that while an organization’s management and board members want internal auditors to focus more on strategic risks, those risks aren’t clearly defined.
“Internal auditors have some work to do to understand what strategic risk means to stakeholders and to demonstrate to stakeholders why internal audit engagement in nontraditional areas could deliver great value to the organization,” the report states.
The report, Relationships and Risk: Insights from Stakeholders in North America, is based on a survey of 1,124 respondents and more than 100 interviews.
For stakeholders, the basic focus of internal audit is assurance, the report states. They assume assurance is done well, but advisory services also are valued. Those should include identification of known or emerging risks, monitoring risk management, and identifying the right way to contain the risk.
So, it’s no surprise that respondents said internal audit could add the most value beyond assurance through risk management.
And that’s where we get into strategic risks. As one unnamed CEO who was interviewed for the report says, “We need to better define how we link internal audit objectives to the achievement of strategic objectives.”
Two areas of strategic risk that internal audit could be involved in drew tepid interest from respondents: 27 percent said internal audit should offer advice on new products or projects, and 44 percent think internal audit should be consulted about new technology.
In case you missed it, not everyone is on the same page – or speaking with one voice, as the report puts it. Management might have one viewpoint, while the audit committee or board has another. That means the chief audit executive’s (CAE) professionalism is key.
“Business maturity is important. The CAE must be strong, realizing there are competing interests between the audit committee/board and management,” according to an unidentified audit committee chair that the report quotes.
CAEs soon will face the quandary of deciding what can and can’t be done, and reconciling that decision with stakeholders, the report states. How to do that?
Here’s how respondents rated various tactics for CAEs to resolve their conflict:
- The majority (77 percent) said CAEs must build strong relationships with management and, it should go without saying, let their people skills shine.
- Reporting into the C-suite alone isn’t going to resolve the conflict, and only about half (51 percent) of respondents indicated that as a tactic for setting priorities.
- Slightly less than half (49 percent) chose regular attendance at board or board committee meetings.
- Getting involved in enterprise risk management drew 48 percent of respondents’ support.
- Reporting directly to the audit committee got a thumbs-up from 44 percent.
Terry Sheridan is an award-winning journalist who has covered real estate, mortgage finance, health care, insurance, personal finance, and accounting and taxation issues for newspapers, magazines, and websites. A Chicago native and former South Florida resident, she now lives in New England.