Predicting the biggest potential risks businesses face has become something of an industry. Consultancies, think tanks, and others produce surveys, reports, and ranked listings of what they consider to be the greatest threats to the success of governmental and corporate strategies. In 2017, geopolitical risk featured heavily, as did the threat from environmental disaster, terrorism, disruptive technologies, and demographic change--see, for example, the highly respected Global Risks Report 2017 published by the World Economic Forum.
But do these tectonic shifts of the global risk landscape, which threaten to derail an organization's strategic objectives, ever make it onto a chief audit executive's (CAE's) annual audit plan? And should they? Does the magnitude of the new challenges mean that the role of internal audit needs to evolve to address them? Opinions are split about internal audit's role in providing assurance around the risks affecting company strategy. Some boards want internal audit involved, some do not. Some internal auditors want to contribute to strategic assurance, others are led to prioritize compliance-related auditing.
"There is a sense today that in an innovative, disruptive, and fast-paced environment, someone needs to start providing assurance around risks affecting company strategy," Paul Walker, the Zurich Chair in Enterprise Risk Management at St. John's University in New York, says. "If the CAE is willing to step up and demonstrate that he or she can add value, that's a win for everybody."
Walker says some CAEs are well placed to execute this role. "Some CAEs I've met are brilliant people with amazing business acumen, and the executives and the board in their organizations want them involved," Walker says. "They recognize the value of having that person involved and may not even see them as an audit executive--but instead as a trusted business advisor."
AN AUDIT DISCONNECT
It is unclear how many auditors are already fulfilling this role. In 2015, The IIA's Global Internal Audit Common Body of Knowledge (CBOK) survey found that 57 percent of practitioners say internal audit is fully, or almost fully, aligned to their organization's strategic plans. Another 35 percent answered that they were somewhat aligned, underscoring the subjective nature of such assessments. In addition, being aligned with strategic plans and objectives does not necessarily mean that internal auditors are involved in auditing them. Anecdotally, most CAEs admit that there can be a disconnect between what auditors report and what their clients are most interested in.
"When I go to managers' association meetings, they tend to he engaged and passionate about new digital developments, business transformation programs, and research and development projects," Polona Pergar Gujaz, internal audit consultant at 4E and president of IIA-Slovenia, says. "Internal auditors seldom talk about auditing these areas, which suggests we are not actually aligned with the kinds of managerial interests that work themselves into the business strategy."
Pergar agrees that auditors often prefer to audit the areas they know well...