Since the late 1960s, social commentators have been concerned about the intensity and pace of technology-fueled change and the emerging risks this has posed to business and society. In 1970, for example, writer Alvin Toffler famously described the rapid arrival of new information and production technologies as "future shock," which he characterized as the experience of being suddenly immersed in a completely foreign country--disorienting, dizzying, and confusing.
"By violently expanding the scope of change, and, most crucially, by accelerating its pace," he wrote in Future Shock, "we have broken irretrievably with the past. We have cut ourselves off from the old ways of thinking, of feeling and adapting."
Fast-forward to today and, hyperbole aside, those same fears and challenges remain. CAEs, for example, responding to the Corporate Executive Board (CEB) Audit Leadership Council's 2014 Audit Plan Hotspots survey said that the two key macro-level risks facing departments this year are the accelerating pace of change and intensifying regulatory scrutiny. One of the key drivers? IT.
The way business is now conducted--through complex interconnected networks--has made the true nature of emerging risk difficult to assess. Boards and executive management have turned to their internal audit departments to help them in this task, and CAEs increasingly are judged and valued for their ability to be more forward looking. This is forcing auditors to think, feel, and adapt differently to the emerging risk landscape.
A NEW OUTLOOK
Taking a fresh perspective is not easy, especially without a clear grasp of what is required of internal audit in this area of emerging risks. PricewaterhouseCoopers' (PwC's) 2014 State of the Internal Audit Profession study found that 85 percent of managers surveyed expected internal audit to address the organization's business-critical risks, including emerging risks. Only 65 percent said their audit functions did that well. More disturbingly, 81 percent of internal auditors said they were meeting those expectations, suggesting a gap in perceptions.
Michelle Hubble, a PwC partner and the reports co-author, says the maturity of enterprise risk management (ERM) processes in many organizations has helped boards get a better understanding of who is managing emerging risk and how well they are doing so. She says this presents internal audit with a great opportunity to lead, because its primary focus is on risk and control. But, she warns CAEs to get alignment from their stakeholders before jumping into the emerging risk area.
"By alignment, I don't mean everyone is going to have to agree on exactly what internal audit is doing, but instead, it allows for general agreement on the direction and areas of focus of the function," she says. In other words, there must be a fundamental understanding that the chief financial officer and audit committee chair want internal audit to tackle emerging risk, Agreement on what is expected of the function provides the CAE with the support and remit to obtain the resources he or she may need.
Inevitably, some boards will want to retain focus on monitoring and control...