No annual audit plan. No formal audit reports. Reporting findings as software "bugs." These ideas and more created considerable buzz among a capacity crowd of audit executives during a recent panel at The IIA's General Audit Management conference in Orlando.
Thinking outside the box amid constant change is business as usual at Silicon Valley's most innovative companies, where the mind-set is that they are transforming the world. Lisa Lee, Google's director of internal audit, says the company encourages employees to be "uncomfortably excited" about what they do. "You can only do that if you're challenging the status quo and looking at things differently," she says.
Lee and her internal audit peers at the world's top technology and Internet companies work in organizations that are perpetual change initiatives. For them, internal audit must adapt to the rapid pace and make new assumptions about how to treat risks and provide assurance. And auditors must come up with their own innovations, as well.
For Lee, leading the audit team at Google means working in an environment of "organized chaos." That was quite an adjustment for her following stints with KPMG, SAP Consulting, Cisco, and OpenTV, where the pace of change and rate of growth were different. "When you first come in, you're not only learning Google's processes and products, but also adapting to the culture and the way we do business," says Lee, who joined the company in 2004. "That's like drinking from a fire hose."
To adapt, auditors must be as forward-looking as the rest of the company, she says. That sometimes requires members of her 40-person team to revise their assumptions about risk and their role in addressing it. "The biggest difference is how Google takes on risk," Lee explains. The company's drive to create world-changing products and services "doesn't really coincide very well with being risk averse."
At Google, risk management isn't about eliminating risk--it's about managing it and focusing on its upside. Google's risk universe involves the same financial, regulatory compliance, and operational risks that other companies face, but the company also faces risks arising from the disruptive technologies it develops. Those on Lee's team have to be aware that their risk recommendations can have huge opportunity costs for the company. "Most organizations tend to be more risk averse," and try to mitigate risk--rather than considering whether they can live with a risk if it conflicts with business objectives, she says. "Google being in the space of developing revolutionary products, there have to be risks that we're not going to know, and we have to be okay with that."
Working in an idea factory, Lee bases internal audit's work on Google's initiatives. Google is constantly developing new technologies: most recently Google Glass and a project to create self-driving cars. For each of these initiatives, the audit team asks the business unit about its objectives, the processes involved, and the risks to achieving success. As the initiative is being implemented, the team may become more of an adviser, suggesting options for managing risks. That requires more of a collaborative, problem-solving approach to audit, with an emphasis on "no surprises," Lee says. "If the house is burning, you're not helping anyone by standing on the sidelines and reporting that the house is burning," she asserts. "What...