Ensuring the Effectiveness of a Risk-Based Audit Plan
Protiviti’s Jim DeLoach explores how to bolster internal audit’s efforts in providing recommendations that are strong, actionable and in keeping with the board’s expectations.
We’ve always believed that boards should ensure that their organizations maximize the full potential of internal audit. There are four C’s directors should consider when evaluating the sufficiency of any risk-based audit plan: culture, competitiveness, compliance and cyber.
We’re not suggesting they are the only things a board should consider, but they should be on the board’s radar.
In 2015, the world’s largest ongoing study of the internal audit profession – the Global Internal Audit Common Body of Knowledge (CBOK) – was conducted by The Institute of Internal Auditors (The IIA) and Protiviti to ascertain expectations from key stakeholders, including board members, regarding internal audit performance. There were several imperatives for internal audit gleaned from the directors participating in the CBOK Stakeholder Study, which is conducted every five years. Among them: Focus more on strategic risks, think beyond the scope of the audit plan and add more value through consulting.
As we reflect on directors’ expectations from both the CBOK study and our own experience working with boards, we see several opportunities for internal audit:
- Watch for signs of a deteriorating risk culture.
- Approach its work with a strong business context that addresses the underpinnings of what makes an organization competitive in the marketplace; in other words, chief audit executives (CAEs) and their staff should “connect the dots” when considering the findings of multiple audits, particularly findings with significant implications for the efficiency and effectiveness of the operating model and the enhancement of the all-important customer experience.
- Broaden the focus of the audit plan on important compliance matters and the quality of the related reporting.
- Focus on risks of major importance. Cyber risk is center stage for many companies at this time and will continue to be in the forseeable future.
These four C’s – culture, competitiveness, compliance and cyber – offer suggestions to directors regarding what they should expect of a risk-based audit plan. We discuss each of them further below.
Executives and directors alike agree that, in most cases, a breakdown in risk management, internal control or compliance is almost always due to a dysfunctional culture. They also know that cultural dysfunction doesn’t develop overnight. The risks it spawns often require a lengthy incubation period before symptoms begin to appear and the inevitable consequences start manifesting themselves and potentially result in a reputation-damaging event.
Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports or drives unacceptable risk-taking through inappropriate performance incentives. Once the culture is shaped in such a way to enable a toxic environment, it may take a long time for the consequences to emerge. But emerge they will, if the dysfunction is left unaddressed.
There is also a flip side to culture: Just as it is a source of unwanted consequences, it is likewise a source of all things good that drive and augment innovation, safety, diversity, customer focus and other distinctive aspects that define a company’s reputation and brand image. Accordingly, culture is about creating and preserving enterprise value.
An organization’s culture is much more than a commitment to ethical and responsible business behavior. It is the mix of shared values, attitudes and patterns of behavior that give the organization its particular character. In addition to corporate value statements and codes of conduct, as well as ethics programs, culture related to risk management is influenced by established policies and procedures, risk committee oversight activities, incentive programs, risk assessment processes, key risk indicator reporting and performance reviews and reinforcement processes, among other things. It also includes the risk appetite dialogue of the executive team and board, as well as the decomposition of risk appetite into risk tolerances and limit structures used day to day in executing the corporate strategy.
The question is, how does a board get its arms around culture? How do directors and executives know when cultural dysfunction exists? And most importantly, how do boards nip cultural dysfunction in the bud and improve the alignment of culture with the desired, on-strategy behaviors earlier rather than later, when it may be too late?
An opportunity we see is for boards to look to the CAE as independent “eyes and ears” with respect to the organization’s culture, in addition to independent second-line functions such as the chief risk officer and chief compliance officer. Specifically, internal audit can be asked to understand the overall working environment; identify the unwritten norms and rules governing employee interactions and workplace practices; highlight possible barriers to an effective internal environment and communications flow; report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and make recommendations for addressing any problems identified.
In addition, internal audit can post warning signs suggesting a need for further investigation (e.g., unrealistic performance metrics that potentially encourage undesirable risk-taking to hit short-term targets, complex and unclear legal/reporting structures, poorly executed takeovers that allow “pockets” of bad behavior to thrive, lack of financial discipline and employees constantly on edge about the fear of being fired, to name a few). Internal audit can assist in assessing whether the tone in the middle and at the bottom matches the leaders’ perception of the tone at the top. This contrast can be quite revealing to a management team that really wants to listen and know the unvarnished truth.
This area poses an opportunity for internal audit to improve operating efficiency and effectiveness and the customer experience if business processes are not performing at a competitive level because practices are inferior relative to those of competitors or best-of-class performers. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization improve its operations continuously.
Most organizations use some form of balanced scorecard when monitoring, whether they are establishing or sustaining competitive advantage in the marketplace. Key performance indicators address critical areas, such as quality, time, cost and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-of-class performers to identify performance gaps that need to be corrected in a timely manner.
Traditionally, the internal audit plan deals with ensuring that important areas relating to the organization’s compliance with laws, regulations and internal policies are under control. As the third line of defense, internal audit should ascertain whether:
- Front-line operators and functional leaders whose activities have significant compliance implications (first line of defense) own the responsibility to identify and manage compliance risk and have effective controls in place to reduce the risk to an acceptable level.
- The scope of the independent compliance function (second line of defense) is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to executive management, the board and primary risk owners.
- Regardless of whether there is a compliance function, internal audit can assess whether a cost-effective monitoring process is in place that addresses the top compliance risks, overall implementation of the compliance program and periodic updates of the compliance program in light of changes in applicable laws and regulations and the company’s needs.
This area continues to be a significant concern to boards, and it’s not going away. In a recent survey, cyber was cited as the third most critical uncertainty companies are facing. Internal audit can assist boards in this critical area in several ways. First, it can assess whether the company’s processes give adequate attention to its high-value information and information systems. Rather than implement all-systems-are-equal protection measures, resulting in unnecessary costs and a lack of attention to the enterprise assets that really matter, internal audit can assess whether the IT organization and the company’s business leaders agree on the organization’s so-called “crown jewels.” This evaluation includes identifying the organization’s most critical data, information assets and information systems and understanding why they are of highest value, why the company cannot afford to lose them, where they are housed and who is authorized to access them.
Second, internal audit can assist with understanding the threat landscape. Based on the company’s crown jewels, the nature of the company’s industry, operations and visibility as a potential target, internal audit should review management’s assessment of the organization’s cybersecurity risks. This assessment should consider such questions as:
- Who are the likely adversaries, and how are they likely to attack?
- Where are the enterprise’s biggest vulnerabilities, and why?
- How effective is the entity’s current cybersecurity control structure?
- Is penetration testing conducted, and if so, how often, and what are the results?
Answers to these and other questions help clarify the changing threat landscape.
Finally, internal audit can assess the organization’s response readiness to a cyber incident. The question here is whether an effective incident response plan is in place. The underlying assumption that a cyberattack is not only a high-likelihood incident, but also an inevitable one is outdated. Today’s reality is that companies fall into two groups: those who know they have been breached, and those who have been breached but don’t know about it. Therefore, effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation. Internal audit can assist with evaluating incident response plans to ascertain whether strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted, the organization is being proactive in periodically testing the incident response plan to determine its effectiveness and the plan is complemented by procedures that provide direction as to the actions to take in response to specific types of incidents.
In summary, by focusing more broadly on the implications of audit findings and by thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking. The four C’s provide a perspective as to areas boards should be looking at and CAEs should be delivering to.
Questions for Executives and Boards
The following are suggested questions that senior executives and boards of directors may consider in the context of the nature of the entity’s risks inherent in its operations:
- Are we satisfied with the scope of internal audit’s activities in view of changes in the business environment and the company’s operations? Are we getting the assurances we need from internal audit in the appropriate areas?
- Does the CAE provide insight to the board and executive management on potential blind spots and other issues with respect to the organization’s culture?
- Does the internal audit plan allocate sufficient resources to address key areas of emphasis in competitiveness, compliance and cyber?
 Executives Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative, available at www.protiviti.com/US-en/insights/protiviti-top-risks-survey.