Last week I had the privilege of speaking before a group of chief audit executives in Atlanta, talking with them about the state of the profession today and the role the CAE does fill—and more importantly, the role he or she should fill—at a large global enterprise. That has been a hot question lately, as you might remember from Compliance Week's previous articles about the future of internal auditing. Let me venture back into that somewhat risky terrain again.
Our conversation (a private event sponsored by software firm BWise) circled around two themes. First, we discussed internal auditing's shift away from inspecting a company's controls, toward scrutinizing the company's risks. Then we pondered whether that shift changes the CAE's role in helping senior management make strategic decisions about the company.
The shift toward risk-based auditing is not exactly news. Through most of the 2000s, internal audit departments were overwhelmed with the Sarbanes-Oxley Act, where they had no time for anything but testing controls over the company's financial reporting. We don't need to recount all the lurid details here, but in the mid-2000s as Corporate America first grappled with SOX compliance, internal audit departments found scads of poor controls and spent several years fixing them. Only by the late 2000s did we see real improvement, with companies disclosing fewer material weaknesses and filing fewer financial restatements.
A funny thing happened, however, on the way to reliable financial reporting: risks proliferated around your company anyway. The financial crisis exposed the threat of counter-party risk, where you might not even know who all your counter-parties are, let alone whether they'll make good on whatever transactions they promised to your company. Earthquakes, nuclear meltdowns, and political upheavals all demonstrated the threat of business continuity risk. Above all, new technology—particularly the rise of wireless devices and cloud computing—drove a huge increase in data security and personnel risk.
For all of those problems (and more), internal auditing's traditional job of testing controls designed to prevent those risks is no longer enough; even a single incident of a control failing to work can devastate your business. As one person in Atlanta said, “You might have a great surveillance program monitoring improper trades at your bank, but it takes only one rogue trader making $2 billion in bad bets to ruin your day.”
The answer, then, isn't to design ever-more elaborate systems of internal control to prevent those risks, because sooner or later your controls are going fail. Frankly, the more complicated those systems are, the greater the chance that they will fail. Instead, the internal auditing department's job should be about (1) identifying the company's risks; (2) helping to reduce the likelihood of those risks; and (3) helping to ensure that when a risk does strike, it will cause the least disruption possible to the business. Remember that when you hear the consultants talking about “risk-based auditing” and “resilience” and all the related buzzwords, because this is what they mean. You worry about the risk, rather than the control to prevent the risk.
So how is a chief audit executive supposed to lead an internal auditing department in that risk-based context? This is where our Atlanta group grew a bit more uncertain. One speaker was Todd Warren, a senior manager at PwC's Atlanta office who presented some findings from PwC's latest “State of the Internal Audit Profession” study. Two particularly hair-raising statistics: 32 percent of the CAEs surveyed reported “no involvement” in discussions about mergers and acquisitions, and an astonishing 47 percent said the same for discussion about expansion into new geographic markets. Considering that most CEOs count M&A and emerging markets as the two primary sources of revenue growth in coming years, this is not good.
Warren launched into the usual argument that because of this disconnect—that internal auditing needs to play a greater role in risk management, but is consulted too little about the risks that big, strategic decisions may bring—the CAE needs to claim “a seat at the table.” The Institute of Internal Auditors makes this argument too, and there's a lot of sense to it.
Several of the CAEs in the room, however, weren't entirely comfortable with the idea that they should advise on a company's strategic direction. That puts you more in the role of counselor, far from the traditional internal auditing jobs of improving efficiency or assuring that employees follow company policy. For example, if you're going to advise senior managers and the board about risks of expansion into new markets, eventually you may need to tell the CEO that no, selling your best product in China is not a good idea, or that expansion into Russia will cause your anti-corruption risks to soar.
Nobody likes to have those conversations—especially with the boss, and very especially with the board after the boss overrules you. But at least when CAEs have those difficult conversations about sloppy SOX compliance or data security controls, the force of law is on your side. In contrast, difficult conversations about risk and strategy are freighted with ambiguity. Indeed, the objections from the CAEs I met last week were about whether chief audit executives really should act as risk advisers at all. “I'll offer my advice on what a process should be to implement a decision, sure,” one woman said. “But is it really my place as the internal auditor to participate in what the strategic decision is? I'm not sure about that.”
I sense a fundamental tension looming, that as internal auditing moves further and further to a risk-based approach—which is the smart thing to do—the role of the CAE becomes more diplomatic, and even more precarious. Participating in strategic decisions is not easy to do. Not every CAE will have the skill for it.