Yesterday I had the pleasure of hosting another of Compliance Week’s occasional editorial roundtables, where we gather a small group of compliance or governance executives to discuss issues of the day in corporate compliance. We hosted a dozen internal audit executives in New York, to talk about internal auditing’s transformation these days into a much more strategic, risk-management sort of role.

I found the conversation fascinating as usual, and we’ll have a full article covering all points raised in our Nov. 6 edition. But for now, let me fire off a few quick thoughts.

First, internal audit departments clearly are experiencing some sort of transformation—but whatever you do, don’t call it “risk management.” I made that mistake once or twice during the roundtable when grasping for a short-hand phrase to describe what’s happening, and more than a few auditing executives in the room slapped down that idea quickly. Yes, internal auditors are willing to work as adjuncts to a company’s risk management function (or with line-of-business executives directly if no dedicated risk management function exists), helping them to see or understand what their risks are. But internal auditors are also insistent that they don’t want to manage those risks one bit, and are acutely aware of the distinction.

Second, regardless of the name you want to put on this transformation, the boards and audit committees of the world are behind it. Virtually all of the attendees said their boards want more information about risk. Sure, most boards can’t precisely define what that means, and lean on internal auditors to supply the data and observations they should study so they “know their risks.” But at least boards are now cognizant that, you know, this is their job. That’s more than you could say for them a few years ago.

Third, internal auditors aren’t entirely clear on what they’re supposed to do about risks either. As one attendee put it: “I can work with the business units to find their risks. But it can be very hard to translate that risk into an audit-able event.” If a company wants practical, sustainable risk management, that is pretty much the heart of the challenge for internal auditors. And since every company and its risk profile is unique, I don’t see any easy solution.

Fourth, at the end of the discussion I threw out a random question: Is it a conflict of interest for internal auditors to help management or the board shape a risk management program, and then audit the success of that program in the future? I’ve always considered it one of those esoteric questions usually debated by the policy wonks at the Institute of Internal Auditors, but to my surprise several attendees said this is indeed a potential conflict where internal auditors should tread carefully. Others said it wasn’t really a problem, and at least one said even if it is, boards still need the help. Yet another thorny question with no easy answers, I suppose.

Again, we’ll have much more coverage of the roundtable and everyone’s insights in our Nov. 6 newsletter. The future of internal auditing is a rich subject, and this is no more than a primer.