Going Beyond Assurance

Brian Christensen, Managing Director Global Leader, Internal Audit and Financial Advisory
May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.



In my last post, I gave a high-level summary of the North American results of the The IIA’s 2016 CBOK Stakeholder Study, as presented in an April 6th webinar I hosted. This installment looks beyond the traditional role of assurance to explore ways internal audit departments can effectively serve as strategic advisers to senior management and the board of directors and help identify new and emerging risks.

Every day in the media there’s news of some new or emerging risk, such as new digital advances, changing demographics and geopolitical events. COSO will be releasing an enterprise risk management (ERM) standard in June, which makes it timely for us to ask, “How does an organization look at enterprise risk? How does risk manifest itself within the organization?”

I see an opportunity for internal auditors to facilitate that discussion and monitor for new risks and advise on how they should be managed. This role is clearly within the realm of the internal auditor’s scope and influence, as laid out by The IIA in its definition of internal auditing. It makes sense because the internal auditor is a person who has a broader view of risk than anyone in the organization. Internal audit is one of the few functions that’s not siloed and has a view across all the pillars within the enterprise, from IT to operations and finance. So the opportunity is right there in front of the profession.

Identifying corporate risks and applying risk management frameworks is an important role for internal audit to play because it establishes the nomenclature by which companies communicate about risk and sets the foundational elements of internal control and effective risk management. We, as internal audit professionals, can help provide a common language and a process to assist and guide the organization, both its business leaders and the board, around this conversation.

Looking at the feedback from the CBOK survey, I see a clear acknowledgment that we can, and are, in fact, expected to do just that.

Every audit committee that I sit in and board members I talk to want to have the discussion about the internal auditor’s role in identifying known and emerging risks. It’s not satisfactory just to go through the basic blocking and tackling. We need to be asking: What don’t we know? What are the emerging risks? Which of these risks should we be addressing?

Some of the hot topics in recent weeks have been major merger announcements in the hotel and airline industries. Is there a space for internal audit in those types of transitions? I think the answer is a resounding “yes.” Boards are hungry to understand how the risks change during major transformations. Because of the direct reporting relationships of internal auditors to the boards of directors, we can help be that liaison to report and provide insightful risk information going forward.

We often talk about the value of internal audit’s work. We all recognize that it’s not enough in this day and age to just go through the motions, check the boxes, and declare the job done. We need to explore and understand: How do we help our business improve? We need to be involved in enterprise projects, a large ERP implementation, for example, from the beginning in order to identify risk and ensure it is managed proactively – not come in at the end to assess it. We should be providing consultative services around the control environment – not taking management responsibility, but providing real-time feedback on important initiatives for the organization that managers on the firing line can use. It’s an exciting blueprint for the internal audit profession, and we are invited to take an elevated, strategic role in it that I find highly appealing.

So what kind of auditor does it take to play this role, and how can this auditor demonstrate the strategic risk savvy that’s required for it? It’s a question I’ll attempt to answer here next week. I’d love to hear your opinion in the comments, as well.