I added the phrase ‘their opinion’ to the end of the title, because while PwC always reports what respondents say, it is understandably difficult to do so with bias. PwC (PricewaterhouseCoopers LLP) has always had a perspective to share, and frankly I always look forward to hearing it -- whether I agree with it or not.
More Risks or More Aware of Risks?
You can download the 2012 (8th) edition of this report here.
I recommend you skip past the highly questionable statement at the beginning, that business are facing more risks than ever before (I suspect they are just more aware of the risks rather than the number of risks has grown in the last year), to the substance.
For example, they make this statement which is not only true but essential to understanding the speed of business and the required speed and relevance (in my opinion) of internal audit:
With global trade, supply chains, and financial markets all intricately linked, risks become apparent quickly, unexpectedly, and with significant impacts on company operations, reputations, and even survival.”
PwC echoes my view that internal audit has to change:
Stakeholders and CAEs alike have recognized that in order for internal audit to be effective in supporting organizational risk management efforts, the minimum standard of performance has to rise. In today’s ever-shifting risk landscape, internal audit can’t settle for simply reacting to events; instead, it must adopt a strategic mindset that is responsive to risks and helps ready their organizations for new threats and opportunities.”
Who's Managing the Risks?
The report includes this very important observation:
…on average less than half (45%) of those surveyed told us that they are comfortable with how well their most critical risks are being managed -- despite the fact that 74% of those surveyed have formal enterprise risk management (ERM) processes in place.”
But, rather than pointing out that internal audit teams need to assess and help improve risk management programs, PwC has focused on telling internal auditors to improve their understanding of the “organization’s risk landscape”.
Isn’t the point that perhaps the greatest risk to an organization’s success is their failure to understand and address risks -- in other words, that they don’t have effective risk management? A case can be made that internal audit has a great opportunity to add value by being a catalyst for improving risk management frameworks, processes, and understanding!
PwC positions internal audit as “having an important role to play in monitoring their organizations’ top risks”. That seems dangerous to me: I strongly believe that it is a management role to monitor, report, and respond to risk. INTERNAL AUDIT’S ROLE IS TO PROVIDE ASSURANCE THAT THOSE PROCESSES, INCLUDING THE CONTROLS RELIED UPON TO MANAGE RISKS AT ACCEPTABLE LEVELS, ARE DESIGNED AND FUNCTIONING AS NEEDED.
Additional Points of Interest
The report has a useful section, with a chart, that lists risk areas that don’t get sufficient attention from internal audit. I would have included these, in addition to risk management:
- The effectiveness of governance processes, including oversight of risk management
- The quality and timeliness of information used to run the business – at speed
One section of the report that I like is where PwC describes (with a nice illustration) a “new floor for internal audit”. In particular, I agree with this statement:
But risks have shifted and expectations have risen, and all internal audit functions need to rise to this new floor: providing assurance on a broader range of critical risks and clearly communicating deeper insights, all while staying in complete alignment with stakeholder expectations.”
An area for concern is that the study identified that only 55% of internal audit functions are building their audit plan based on a top-down, risk-based process that focuses on critical risks to the organization. That is not (either in my or PwC’s opinion) the path to success.
There’s a lot of good content in the report and I strongly recommend downloading and spending time on it.
What are your takeaways?
By the way, did you respond to the survey on whether COSO or ISO is a better risk management standard/framework?