Internal auditors are at risk themselves if they fail to focus on the broader business's success PHOTO: Nicolas Cool

What are the biggest risks for internal audit this and next year?

That was the topic of an article written by consultants at corporate governance recruitment firm Barclay Simpson titled, "What are 6 of the biggest risks for internal auditors in 2018?" From the title it's unclear whether they are answering the question of “what are the biggest risks for internal auditors?” or whether it is an attempt to answer “what are the biggest risks that should be on the audit plan?”

If it's the first, there’s nothing new here — and a lot is missing.

If it's the second, they have totally missed the mark.

So what are the biggest risks for internal auditors in 2018?

Here are eight things for you to consider.

1. Auditing risks that don’t matter to the board and top executives

If internal audit continues to audit risks to processes and business units rather than risks to the achievement of enterprise objectives, it will remain a staff function that costs money rather than delivers critical value.

If you want auditing that matters, audit what matters.

2. Failing to communicate what matters when it matters

The traditional way of communicating audit results is a formal written report issued weeks if not months after issues are identified. The report says what internal audit wants to say rather than what management and the board need to know.

We need to deliver the information leadership needs, when they need it, in an easy-to-consume and actionable form.

There should be more talking and less writing.

3. An inability to change direction as risks change

How agile is internal audit? If you don’t have the ability to modify the audit plan rapidly and frequently, what assurance is there that you are auditing what matters today and tomorrow?

Can you provide the information management needs in time to affect their decisions?

4. A lack of the resources necessary to address the risks that matter

Some internal audit departments shy away from sources of risk because they claim they don’t have the ability to audit them. My response to that is that if they are important to the organization, you have to find a way.

5. Wasting precious time and resources

We may start each audit with a focus on enterprise risks that matter. But the work often extends to include risks of concern to local management — or the internal audit staff. Extending the audit work has a cost: the opportunity to perform another audit, one that is focused on another enterprise risk. Consider Parkinson’s Law: don’t keep auditing just because the time has been scheduled. Once you have an opinion and have agreed with management on the necessary corrective actions, stop.

6. Auditing the past and not the future

The core principles for internal auditing talk about being forward-looking for a reason. Richard Chambers, president of the Institute of Internal Auditors (IIA), talks about foresight versus hindsight, and I talk about auditing forward.

The challenges for the organization in the current and future periods should be where we spend our time, assess related controls, and share our insights.

Telling people what they did wrong in the past only has value if it is relevant to how they will do things in the future.

7. Losing key members of the audit department

Hiring, retaining and getting the most out of personnel is not only an issue for the organization as a whole, it is always an issue for internal audit.

If chief audit executives (CAEs) fail to pay attention, fail to be effective leaders and managers of their own team, the quality of work will suffer — and the value of internal audit will decline along with it.

8. Failing to attain and retain the confidence of management

If management does not believe we are helping them succeed, why should they support us?

One area I frequently focus on is the percentage of internal audit ‘findings’ and recommendations that are embraced and implemented by management. Some internal auditors blame management when their recommendations are not acted on promptly, when perhaps they should be questioning whether their recommendations were the right ones. 

Managers are not stupid. If they don’t see the reason for a change, they won’t make it. Auditors need to actively listen to ensure they understand management’s perspective and whether suggested corrective actions make business sense. They also need to ensure that they have communicated their concerns effectively. Putting issues in writing is not the same as being persuasive.

Internal audit can and should be perceived as helping management and the organization as a whole succeed. When 90 percent of their recommendations are embraced (i.e., not just passively implemented because “internal audit said so”), that is an unacceptable 10 percent failure rate.

Our entire focus should be on helping the organization succeed. We are at risk ourselves if we are seen as irrelevant to that task.

I welcome your comments and perspectives.