How an organization’s internal audit team assesses risk is a key concern of organizations, as evidenced by survey findings and reports by accounting industry groups. Steve Biskie, Managing Director at High Water Advisors, comments on this hot topic.
The role that internal auditors have with regard to risk has come under scrutiny after several surveys and reports have been published this year. For example, Ernst & Young’s Insights on Risk study, “The future of internal audit is now,” published in July 2012, lists the top five improvement priorities for internal audit selected by respondents:
- Improving the risk assessment process
- Enhancing the ability to monitor emerging risks
- Becoming more relevant to achieving the organization’s business objectives
- Reducing overall internal audit function costs without compromising risk coverage
- Identifying opportunities for cost savings in our business
To learn more, I asked Steve Biskie, managing director at High Water Advisors, about internal audit strategies and best practices with regard to risk.
In one of his blogs, Norman Marks, an SAP vice president, paraphrased a presentation by Tim J. Leech, managing director, global services, at Risk Oversight, Inc., as follows: “Internal audit should focus, and report to its stakeholders, on whether risk is being managed at desired levels. Reporting on whether the controls are in place is not answering the right question. That question is ‘Do I have reasonable assurance that the right risks are being taken?’
When you report on controls, you are reporting on one way [that] risk can be treated if it is at undesirable levels (another way is to avoid the risk by, for example, exiting that aspect of the business or selecting another vendor). You are leaving it to the board and top management to take your report on controls and figure out what that means to what matters to them — and that is risk.”
Do you agree with Norman Marks’ comments about internal audit? Should an organization’s focus be on whether the right risks are being taken rather than on what controls have been put in place?
I do agree with Norman. However, I would add some additional clarity. Determining whether the right risks are being taken should also include an evaluation of related controls — the two are not independent. The internal auditor cannot choose to ignore controls. I think Norman’s point is that internal audit often spends too much time evaluating controls in isolation and loses sight of the larger issue of why those controls are there in the first place, and how those controls relate to the organization’s overall risk management process.
Norman’s example is correct in that risks are not always managed through controls — they can be either mitigated, accepted, avoided, or transferred (i.e., as in the case of insurance against the risk). At the highest level then, the organization will have a set of controls that governs how these decisions are made. (Do we accept the risk, mitigate, avoid, or transfer?) Internal audit, through testing procedures, should be evaluating the risk management process as a whole and determining before anything else whether that process is sufficient to ensure, as Norman puts it, that “the right risks are being taken.”
Organizations will also have a set of controls over those risks that they choose to mitigate. These controls would then reduce that risk from a level that was unacceptable to one that (hopefully) is acceptable. This is the other point at which internal audit needs to focus on controls — particularly over those risks that may be the most impactful to the organization. It’s in this level of testing that internal audit often uncovers a situation whereby a control believed by management to reduce a risk to an acceptable level is actually either not in place, not designed in a way to reduce the risk as previously thought, or not working as intended. Going back to the concept of “are the right risks being taken,” that statement implies that the level of risk is known. In the case of mitigated risks, internal audit should still perform procedures to provide assurance that the controls management believes are reducing the identified risk are actually doing so — otherwise, a risk is being taken that management may not already be aware of.
The Ernst & Young survey states that 80 percent of respondents think their internal audit function has room for improvement. Based on your experience with clients, what do you consider key areas related to internal auditing on which an organization can improve?
I will vote alongside Norman that internal audit needs to better focus on providing assurance over their organization’s risk management processes.
In addition to that, I consistently see many internal audit departments struggle to provide optimal value to their organizations. From my perspective, internal audit’s value proposition is often diminished because of failure in what I term the four I’s: Insight, integration, innovation, and inspiration.
Insight: While audit standards require that internal audit departments have competence in the area they are tasked with auditing, I still see a lot of auditors responsible for either assessing the SAP system or reviewing reports from the system that lack a fundamental understanding of how the SAP system works. If an auditor doesn’t know where the more common or impactful risks are in the system, or how to interpret a report coming from SAP, they are bound to miss significant and material situations that management should be aware of. This to me represents a lack of insight into how the SAP system works, and is the exact reason that I wrote my book and that I teach a course for auditors and security administrators about the risks and control opportunities in SAP.
Integration: Back when I first started as an auditor, internal audit was the primary assessor of processes and controls in an organization. These days, organizations have entire internal control departments (separate from audit), IT security teams, legal compliance functions, and a host of other employees all responsible for assessing processes and controls (and in some cases, the same processes and controls). In some organizations, these functions operate in silos, resulting in considerable overlap and costly repetition. While internal auditors do have a mandate to provide independent assurance, they need to improve their recognition of complementary functions, and (where appropriate) their integration to minimize duplicative effort.
Innovation: A lot of internal audit departments are still using outdated audit techniques and relying too heavily on checklists that have been around for decades, resulting in tremendous inefficiencies. Audit needs to be more innovative in their own processes — applying both process reengineering principles and new technologies to increase efficiencies and effectiveness. This is a huge opportunity for internal audit departments, but also represents an area that is highly lacking. As one small example, many internal audit departments still test samples of transactions, despite the fact that technology has progressed to the point that data analysis techniques can allow for examination of every transaction in less time than required for manual examination (and that’s even before factoring in the potential real-time identification and prevention processes that technology like HANA can support).
Inspiration: Internal audit should be a cheerleader and motivator for risk management and control processes, and yet in some organizations, auditors are viewed merely as the enforcers. If an organization doesn’t see value in its risk management or internal control functions, in my mind, it’s because of one of two reasons: 1. Because they don’t provide value (in which case these processes need to be reconsidered), or 2. Because employees aren’t aware. Both of these are areas that internal audit can directly influence. Management is ultimately responsible for these areas, but internal audit needs to play a greater part in providing effective inspiration so that employees want to do the right things.
In your article for SAPexperts published in 2008, “Configure and Implement the Proper Internal Controls Up Front for an Easier Audit,” you defined internal controls as “processes that management puts into place either to prevent ‘bad’ things from happening or to detect and deal with these ‘bad’ things in a timely manner if they occur.” When you are asked to define internal controls today, would you use the same definition, or would you update it?
I do still use this definition today, and for a reason. The textbook definition of internal controls I find to be unwieldy and difficult to explain to someone who may not already be familiar with the concept. I like the simplicity of the definition above, which in my mind really gets to the heart of what internal controls are intended to do. Many people erroneously think that controls are something auditors require and make processes less efficient. In reality, however, controls are actually intended to make processes work better (the overall process, not necessarily the task). I think the phrasing of “bad things” opens people’s minds to other control possibilities, as bad things could be not only errors or omissions, but also quality issues, poor decisions, natural disasters, or even inefficiencies.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) released in September 2012 an exposure draft for public comment, titled “Internal Control over External Financial Reporting (ICEFR): Compendium of Approaches and Examples,” as part of an effort to help users apply this framework to external financial reporting objectives. How could an application such as SAP Process Control or another SAP application help finance teams apply this framework to their external financial reporting processes?
SAP has provided a great starting point for organizations with the SAP GRC suite of products. I’m going to go all the way back to the first question and suggest, as Norman does, that the starting point is the risk management process. In this case, SAP Risk Management can standardize, centralize, and streamline overall risk management processes, which should include as a subset risks over external financial reporting. To me, this is an essential component to keep the spotlight on “the right risks.”
SAP Process Control can then pick up and help manage and monitor the risks and controls specific to financial reporting. SAP contains some configurable controls that have a direct impact on the financial reporting process, such as restrictions over the opening and closing of posting periods, which SAP Process Control can monitor as part of its standard rule set. SAP Process Control can also monitor specific transactions that directly affect the financial statements to look for abnormal activity. Best of all, SAP Process Control can streamline many of the manual processes critical for proving compliance with various financial reporting regulations — not only automating the generation and distribution of key reports that must be reviewed before financial close, but also tracking individual self-certifications for items such as an organization’s code of ethics. On top of all of this, the SAP GRC 10.0 suite allows controls and processes to be tagged across a multi-compliance framework, which means that those processes and controls critical to external financial reporting can be easily separated and reported from those processes specific to other regulations. And that makes the external audit process quicker, cleaner, and less painful.
What recommendations would you make to a finance team member at an organization that is just starting to improve its internal audit function?
To me this is pretty simple: Focus on those risks that matter most to the organization. A single finding or insightful observation that is tied to something that senior management and the board are concerned about not only provides immediate value, but also increases your credibility and builds momentum for other audit activities.
How would you try to convince an organization that is resistant to suggestions about improving its internal audit function to reconsider its position?
This one is tougher, as in my opinion the only reason an organization would be resistant to improving its internal audit function is because internal audit is either providing optimal value (in which case, congratulations are in order), or because the organization is not seeing sufficient value in the internal audit function. In the latter case, the best I can say is that, designed and operated well, internal audit should be providing consistently useful and valuable insight to the organization. Leading internal audit departments are seen as such a strategic asset in their organizations that management actually seeks them out for advice and guidance. I’m not suggesting that management will always agree with what internal audit has to contribute, but they should at least find value in the dialog. If that’s not the case in your organization, then that is the exact reason you should consider improving your internal audit function.
A June 2012 report by the International Federation of Accountants, “Evaluating and Improving Internal Control in Organizations,” includes the following statement: “Before the latest string of financial crises, many organizations were overly focused on financial reporting controls. These crises highlighted the fact that many, if not most, of the risks that affected organizations derived from areas other than financial reporting, including operations and external circumstances.” In your work do you see many organizations still focusing too much on controls for financial reporting? Can you cite other areas besides operations that organizations inadvertently neglect when implementing an internal controls initiative?
I absolutely agree. On one hand, the financial reporting crisis did a lot to increase visibility around the importance of controls and management oversight outside of the audit function. On the other hand, it left many organizations focused too heavily on financial reporting risks, which are only a small subset of the “real” risk in an organization. How many businesses can you cite that have gone out of business despite having reported their financial statements accurately? Probably a lot.
Beyond the operational risk category you cite above, the other area of focus should be around strategic risk. From an audit standpoint this is a difficult (and sometimes contentious) area to assess. An organization’s strategy is highly subjective. From a risk standpoint, however, it really boils down to the adequacy of the process that surrounds strategy determination. At the fundamental level, assessing strategic risk asks questions such as: Are the right people involved in the decision-making process? Are pertinent facts underlying decisions accurately and fairly represented (i.e., objectively and without bias)? Do communication processes ensure consistency of application across business processes once decisions get made? As our actual situation changes over time, are we making timely and relevant adjustments to the strategy? This is a very interesting area for me right now, and one that I’m working on in relation to how these risks fit within SAP’s Enterprise Performance Management (EPM) suite. Expect an article in the near future just on this topic.
What do you see as next, not just for internal audit, but for the GRC market as a whole?
It’s interesting you ask, as this ties to why we started High Water Advisors in the first place.
When most people hear the words GRC or audit, they cringe. In my opinion, that is the direct result of organizations reacting to the current regulatory environment, without thought for longer-term value or sustainability. I truly believe that GRC and audit activities can and should provide enormous value to an organization, and I see the next wave of activity focused on optimizing these processes. I don’t think one can ever take away all of the pain involved with GRC and audit activities (just as someone can’t effectively exercise without being sore once in a while), but I do believe that current processes in most organizations can be significantly improved.

Gary Byrne
Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.