Risk Chat: Internal Audit Tackles Emerging Risks


I asked Bob Hirth, executive vice president and head of global internal audit for Protiviti, for some help in hashing over the findings of his firm's 2011 Internal Audit Capabilities and Needs Survey (see my post on the research). I was also eager to ask him about the future supply of internal audit expertise, given the global talent shortage that some commentators claim is on the horizon (as I noted here and here).

Eric Krell: There are many striking results in this survey; please tell me one or two that you feel are among the most compelling or particularly surprising.

Bob Hirth: I was surprised and pleased by how “right on” the respondents were in the first section of our study, on risk management and governance. Their top choices for the things that need improvement — emerging risk, risk-appetite-related concepts and strategic risks (that is, risks embedded in a company's strategy, through various assumptions and biases) are exactly right and really current, based on our experience.

Other compelling results include the prominence of the Dodd-Frank legislation and the wholesale focus on using technology better in the audit process, with things like continuous auditing and monitoring, data analysis, and computer-assisted audit techniques. We see high interest in advancing capabilities in these areas.

I was also a little, but pleasantly, surprised to see IFRS at the very top of the list of technical areas that internal auditors want to improve. They clearly realize that a change is coming (an emerging risk), be it conversion to IFRS or convergence of U.S. GAAP and IFRS, and that change will impact the skill sets they bring to the table.

Finally, I liked, and maybe was somewhat surprised by, the choice of “dealing with confrontation” as the Number 1 soft skill that internal auditors wanted to improve the most. It goes with the territory. A great and honest response.

Krell: What are some examples of common emerging risks?

Hirth: Emerging risks are risks that are “yet to come.” They don't really exist yet at an organization, but they could come about or be created, depending on various circumstances. And they may actually exist at other companies presently.

Emerging risks are threats that manifest as a result of changes in the environment, or are dependent upon the future strategy, plans, and business model of the company. New industry legislation, for example, is a common type of emerging risk. Or take the new Dodd-Frank legislation – there are many emerging risks here as this legislation comes to fruition.

Then there's the impact of new technology, such as competitive risks stemming from mobile computing devices that are coming out, or about to come out.

Another example would be the results of a catastrophic event, such as the supply disruption emerging from the earthquake and tsunami in Japan.

A company also might be thinking about entering a new business or introducing a new product -- emerging risks come with that. Or it might be planning to enter new countries -- there are emerging risks (geo-political) associated with such plans.

Krell: Can you describe how an internal audit team can help its company address an emerging risk?

Hirth: An internal audit group might help to facilitate or introduce a process within an organization's business units that would identify potential emerging risks each quarter using some consistent form of dialogue, capturing, discussion, etc., based on the plans of each of the business units. These risks would then be summarized and reported up to senior management and the board for review, discussion, and potential early resolution. I know of a major global company that has developed such a process facilitated by the internal audit group.

Let's say a business unit is planning to develop a product that could have environmental ramifications (for example, an increase in carbon emissions) in the form of a byproduct of the manufacturing process. If senior management and the board know about the plan and the emerging risk that goes with it, they can take the necessary steps to mitigate the risk, such as exploring alternative manufacturing processes, or perhaps even changing the strategy and deciding not to make this product.

A group in a financial institution might be planning to expand into a new area of lending, such as sub-prime loans, low documentation loans, or less secured lending. The board and senior management might determine that this is not consistent with the overall goals and risk appetite of the organization and decide that the group should not to pursue such a strategy.

On the other hand, the board and management might determine that the group's plans are not aggressive enough and that this new area represents a substantial opportunity that can be managed appropriately and could significantly enhance the organization's value, consistent with its risk appetite. Remember, risk is a two-sided coin -- one negative (danger) and one positive (opportunity).

All told, this process of focusing on emerging risks helps to keep the board's risk oversight process robust as things change.

Krell: Where are survey respondents, on a scale of one to 10, in their adoption of continuous auditing/monitoring capabilities (in terms of the processes as well as the supporting technology)?

Hirth: I would say overall, on average they are a 3 on a scale of 10. My opinion. The rate of adoption continues to increase, but there's substantial room for growth and improvement.

Krell: Stepping back from the survey, how significant is talent risk -- that is, the future supply of internal audit talent -- within IA departments in North America? I ask because the war for finance and accounting talent is heating up, and several new studies suggest that there will be serious constraints on the supply of finance and accounting (and risk) professionals by 2020.

Hirth: Our report does say that “internal audit is still about people.” So, yes, this is a very important area and issue. The best team does win, and the better the talent, the better the internal audit function can perform and the more value it can add. However good that talent, though, it needs to be continuously updated and educated to stay current in our fast paced, fast-changing world and competitive global industries.

As the U.S. and global economies heat up, the talent war will, too. Also, as new types of jobs are created, people will have more choices, and so the supply of good people in areas like finance and internal audit will be lower. Think about new job categories like social networking and sustainability. These create competition for older, more traditional career choices.

And of course, there's the retirement of the baby boomer generation employees, many of whom are employed in traditional areas like finance and accounting. Our parent company, Robert Half International, has done some research around this trend.

So we would agree that there is potential for a serious talent shortage in areas like finance, accounting, risk, and internal audit. Yes, there is an emerging risk called talent risk out there. It's already an actual risk in certain industries, job categories, and countries. We say that internal audit is likely to feel the impact of this shortage, even though many finance and accounting majors are good internal audit candidates, along with a small number of graduates from colleges and universities that have specific internal audit programs and even degrees.

Discuss this Blog Entry 0

Post new comment
or to use your Business Finance ID
What's Full Disclosure?

GRC expert Eric Krell supplies the Business Finance community in-depth articles and commentary examining governance, risk, and compliance.

Blog Archive