The Protiviti View  | Insights From Our Experts on Trends, Risks and Opportunities

The Protiviti View

Insights From Our Experts on Trends, Risks and Opportunities
Search

POST

3 mins to read

Going Beyond Assurance

Larger Font
3 minutes to read
May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

 

 

In my last post, I gave a high-level summary of the North American results of the The IIA’s 2016 CBOK Stakeholder Study, as presented in an April 6th webinar I hosted. This installment looks beyond the traditional role of assurance to explore ways internal audit departments can effectively serve as strategic advisers to senior management and the board of directors and help identify new and emerging risks.

Every day in the media there’s news of some new or emerging risk, such as new digital advances, changing demographics and geopolitical events. COSO will be releasing an enterprise risk management (ERM) standard in June, which makes it timely for us to ask, “How does an organization look at enterprise risk? How does risk manifest itself within the organization?”

I see an opportunity for internal auditors to facilitate that discussion and monitor for new risks and advise on how they should be managed. This role is clearly within the realm of the internal auditor’s scope and influence, as laid out by The IIA in its definition of internal auditing. It makes sense because the internal auditor is a person who has a broader view of risk than anyone in the organization. Internal audit is one of the few functions that’s not siloed and has a view across all the pillars within the enterprise, from IT to operations and finance. So the opportunity is right there in front of the profession.

Identifying corporate risks and applying risk management frameworks is an important role for internal audit to play because it establishes the nomenclature by which companies communicate about risk and sets the foundational elements of internal control and effective risk management. We, as internal audit professionals, can help provide a common language and a process to assist and guide the organization, both its business leaders and the board, around this conversation.

Looking at the feedback from the CBOK survey, I see a clear acknowledgment that we can, and are, in fact, expected to do just that.

Every audit committee that I sit in and board members I talk to want to have the discussion about the internal auditor’s role in identifying known and emerging risks. It’s not satisfactory just to go through the basic blocking and tackling. We need to be asking: What don’t we know? What are the emerging risks? Which of these risks should we be addressing?

Some of the hot topics in recent weeks have been major merger announcements in the hotel and airline industries. Is there a space for internal audit in those types of transitions? I think the answer is a resounding “yes.” Boards are hungry to understand how the risks change during major transformations. Because of the direct reporting relationships of internal auditors to the boards of directors, we can help be that liaison to report and provide insightful risk information going forward.

We often talk about the value of internal audit’s work. We all recognize that it’s not enough in this day and age to just go through the motions, check the boxes, and declare the job done. We need to explore and understand: How do we help our business improve? We need to be involved in enterprise projects, a large ERP implementation, for example, from the beginning in order to identify risk and ensure it is managed proactively – not come in at the end to assess it. We should be providing consultative services around the control environment – not taking management responsibility, but providing real-time feedback on important initiatives for the organization that managers on the firing line can use. It’s an exciting blueprint for the internal audit profession, and we are invited to take an elevated, strategic role in it that I find highly appealing.

So what kind of auditor does it take to play this role, and how can this auditor demonstrate the strategic risk savvy that’s required for it? It’s a question I’ll attempt to answer here next week. I’d love to hear your opinion in the comments, as well.

Was this post helpful to you?

Thanks for your feedback!

Subscribe to The Protiviti View Blog

To face the future confidently, you need to be equipped with valuable insights that align with your interests and business goals.

In this Article

Find a similar post by topics

Authors

Brian Christensen

By Brian Christensen

Verified Expert at Protiviti

EXPERTISE

No noise.
Just insights.

Subscribe now

Related posts

Article

What is it about

While the return-to-office decision is often framed in a straightforward manner — we believe collaboration, productivity and innovation flourish more...

Article

What is it about

The top priority for healthcare internal auditors this year is cybersecurity, according to a survey by Protiviti and the Association...

Article

What is it about

What to watch: President-elect Donald Trump will take office in January 2025 with Republican control of both the Senate and...

Search