Holistic risk management: an expanded role for internal auditors.
Schneider, Gary P.; Sheikh, Aamer; Simione, Kathleen A., et al.
EVOLUTION OF THE INTERNAL AUDIT FUNCTION
The internal audit function was introduced after World War II in a
few large companies as a way to reduce the fees charged by their
independent, external auditors by having some of the auditing work
completed by staff of the auditee under the supervision and to the
specifications provided by the independent auditor (McNamee and McNamee,
1995). Most of these internal audit departments were small and focused
on testing controls and preparing workpapers to be used by the
independent auditors. The independent auditors could thereby reduce the
number of billable hours they worked and thus reduce the audit fee
charged (Flesher, 1991).
The role of internal auditors expanded dramatically with the
enactment of the Foreign Corrupt Practices Act (FCPA, 1977). That
legislation provided, among other things, severe penalties for executive
officers of companies found to have insufficient systems of internal
control in place. The prospect of substantial fines and even prison
motivated top managers to increase funding for their internal audit
functions so they could be confident that their internal control systems
were sufficient to defend against prosecution under the FCPA (Flesher,
1991).
Controls and Compliance
In response to the expanded role of internal auditors, the
Institute of Internal Auditors (IIA), the professional organization that
sets standards for the work of internal auditors, underwent its own
evolution. Operating as the generally recognized international governing
body for internal auditors, the IIA continues to establish guidelines
and create training materials based on research that it funds through
its foundation (Flesher, 1991). In the decade following the enactment of
the FCPA, the role of internal auditors became well established as the
review of controls and the assurance of compliance with internal
organization policies and legal regulation emanating from the
environment in which the organization operated. Albrecht, Stice, and
Stocks (1992, 1) described the role of internal auditors to be
"consultants to managers to ensure that controls are effective and
efficient, operations are effective, assets are safeguarded, and
organizational policies and appropriate laws are followed."
As the importance of internal audit departments grew, many
organizations identified the benefits of having them act more
independently. Increasingly, fewer internal audit departments were
reporting to chief financial officers and more were reporting to the
board of directors or the audit committee of the board of directors
(Moeller, 2009).
Audit Risk vs. Business Risk
Internal auditors have always been concerned with managing audit
risk, which is the risk that the auditor will fail to provide effective,
timely, and efficient assurance and consulting support to company
management and its board of directors (Albrecht, Stice, and Stocks,
1992). Audit risk (for actions undertaken by the internal audit
department) is the responsibility of internal audit, not management. In
contrast, business risk is a cost incurred by the company if it does not
achieve its strategic plans and is the responsibility of management
(Moeller, 2009).
Expanded Role for Internal Auditors
In the past decade, further developments such as the enactment of
Sarbanes-Oxley (2002) and the creation of the Public Companies
Accounting Oversight Board (PCAOB) have caused internal audit
departments to expand their activities to include more structured
approaches to business risk assessment and to integrate those approaches
with their organizations' strategies for managing business risk
(Hass and Burnaby, 2010; Tabuena, 2010). Today, internal audit
departments provide assurance and consulting services to management
regarding the achievement of business risk goals as often as they engage
in their traditional roles as testers of internal controls and assessors
of compliance with organizational policies and external regulations
(Moeller, 2009).
In addition to this evolution in U.S. internal audit practice,
other countries' regulatory environments have shifted as well. For
example, Spira and Page (2003) note that a major shift in the role of
internal control as an element of corporate governance occurred in the
United Kingdom when the Turnbull Guidance (FRC, 1999, 2005) first
included an explicit alignment of internal control with risk management.
EMERGENCE OF RISK MANAGEMENT
Risk management is the process an organization has for setting risk
objectives (also called risk appetite) and for identifying, analyzing,
assessing, and controlling those risks. One commonly used formal
definition of risk management is as follows: "a process, effected
by an entity's board of directors, management, and other personnel,
applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to
be within its risk appetite, to provide reasonable assurance regarding
the achievement of entity objectives" (COSO, 2004, 2).
Risk has become one of the greatest concerns of senior management
in recent years because shareholder activism and the high expectations
of the financial markets demand that companies achieve optimal mixtures
of risk. In response to this concern, a wide array of financial and
business organizations have issued white papers, guidance, and standards
related to the growing importance of comprehensive, enterprise-wide risk
management initiatives and monitoring systems (COSO, 2004; Deloitte,
2010; FRC, 2005; Frigo and Anderson, 2011; IIAAEC, 2009; KPMG, 2009;
Moeller, 2009; PricewaterhouseCoopers, 2007).
Risk Appetite
An optimal risk appetite accepts certain risks so that
above-average returns can be generated and allows the company to engage
in risky behavior to pursue opportunities that arise. An ideal risk
appetite prevents the company from unnecessary exposure to unwarranted
risks yet does not impair its ability to remain competitive (Deloitte,
2009). Bond rating agencies and equity analysts regularly assess the
appropriateness of individual companies' risk exposure as part of
their analyses (Hespenheide, Pundmann, and Corcoran, 2007).
Dickhart (2008) notes that risk management has become an integral
part of the governance process at most companies. He cites the
increasingly frequent use of the phrase governance, risk, and compliance
(GRC) as indicating the importance that effective risk management is now
believed to play in the achievement of effective corporate governance. He
emphasizes that the quality of a firm's risk assessment processes
and the internal coordination of those processes are as important to
achieving effective governance as are the achieved degrees of compliance
with internal guidelines and external regulations.
Political Risk
As companies become more dependent on the international elements of
their business activities as sources of current profitability and future
growth, the exposure to new risks becomes a key factor in their success.
PricewaterhouseCoopers (2007) issued a research report that found
increased audit committee and senior executive attention being focused
on political risk in global markets. Companies operating in unfamiliar
political environments can face new types of risks and complexities that
can not only threaten business performance, but can hide or interfere
with emerging opportunities.
Shifting political sands can lead to local regulatory changes and to
modifications in barriers to market entry by either local competitors or
foreign competitors based in other countries (Bartolucci and Chambers, 2007).
Such political risks often require analysis that goes beyond the
traditional economic forecasts and models that companies often use to
evaluate ongoing investments in foreign markets (PricewaterhouseCoopers,
2007). Continual monitoring of business practices to identify any that
might violate the FCPA is also necessary (Moeller, 2009).
DIVISION OF RESPONSIBILITY
Management's Responsibilities in Risk Management
Ulsch (2008) observes that many companies have developed effective
individual policies for dealing with external threats such as corporate
espionage, identity theft, hacking, and even terrorist attacks; however,
these individual policies are seldom integrated with each other in an
overall risk management plan that is thoughtfully developed, adequately
budgeted, and continually monitored.
In an interview, former U.S. Secretary of Homeland Security Tom
Ridge argued that the most important function of any leader is to
develop a prioritized list of threats, evaluate those threats, and
develop contingency plans for dealing with them in an integrated way
(Lamoreaux, 2009).
The involvement of line and senior managers in establishing the
parameters of the risk appetite is important, although costly. These
costs are more than offset by the gains in collective organizational
knowledge gained by the results of the risk management effort. The
ability of the company to achieve its long-term strategic objectives is
enhanced tremendously by such efforts (Burnaby and Hass, 2009).
Financial managers play key roles in setting risk appetite,
promoting compliance with risk appetite levels, managing risks within
their areas of responsibility, and reporting risks they identify
(Bekefi, Epstein, and Yuthas, 2008). Once management determines the risk
appetite, the company must assess identified risks and opportunities,
then develop strategies that exploit the opportunities and minimize the
exposure to unnecessary or avoidable risk (Frigo and Anderson, 2009).
Although managers can develop the risk appetite and formulate
strategies for dealing with identified risks in consultation with the
internal audit department, they must understand that they are
responsible for the final decisions in these areas (Spira and Page,
2003). Internal audit cannot set risk appetite, nor can it finalize strategies for dealing with the outcomes of the risk management process.
To do so would impair the independence of the internal audit function
(Moeller, 2009).
To summarize, management's role in risk management is to set
the risk appetite and create strategies that exploit opportunities for
profit and growth that come with increased risk while protecting the
company from irresponsible levels of risk and specific risks that are
unnecessary to take. Each of these activities can be addressed with the
help of the internal audit department, but management must accept
responsibility for the final decisions in these areas.
Internal Audit's Responsibilities in Risk Management
It is well established that the role of the internal audit function
is to provide assurance and consulting services related to evaluation of
the effectiveness of their companies' governance, risk, and control
processes (Moeller, 2009). Internal auditors are required to understand
the interrelationship among all three as they operate together in an
overall process (Dickhart, 2008).
Internal auditors can help financial managers to establish
effective governance processes by providing advice and coordinating the
management, assessment, and monitoring of risks. They can also assess
control activities related to specific risks (KPMG, 2009). When
performing control testing and evaluation of particular departments or
processes, internal auditors can make inquiries of management regarding
the quality of specific risk assessment procedures and the level of
coordination undertaken with related departments (Dickhart, 2008).
Tabuena (2010) notes that a common criticism of internal auditor involvement in risk management activities is that the traditional
internal audit findings related to compliance testing and controls
assurance can lose some of their independence and authority if the work
of the internal audit department is more closely integrated with
traditional management functions and prerogatives. He argues that
internal audit directors, chief ethics and compliance officers, and
chief risk officers do not necessarily lose independence and authority
simply because their staffs collaborate with each other and financial
managers. He believes that effective people holding these positions
should have the ability and the gravitas necessary to assert their
positions with independence and authority when it is appropriate to do
so.
In some cases, it is helpful for the internal audit director to
serve as an advocate for risk management awareness within the
organization. Although many companies have undertaken risk management
initiatives, a significant number have either not undertaken them or
have underfunded and understaffed them (IIAAEC, 2009; KPMG, 2009).
A HOLISTIC APPROACH FOR INTERNAL AUDITORS
While remaining mindful of the need to maintain independence,
internal auditors can develop a holistic approach to their roles in
enterprise risk management initiatives. The goal is to maintain their
effectiveness in the traditional internal audit activities of
compliance, control testing, and providing independent assurances with a
degree of consultation with management that is appropriate. In so doing,
however, internal auditors can provide substantial support and advocacy
for all elements of risk management, including those that are the
responsibility of management.
Hespenheide, Pundmann, and Corcoran (2007) specifically argue that
internal auditors should expand their focus on and proficiency in risk
management by adopting a holistic view of their role in the process.
This section outlines some elements of such a holistic approach.
Key Risk Indicators
Risk management implies risk monitoring, and many companies have
launched initiatives to provide senior managers and boards of directors
with information about anticipated events that could pose serious risk
exposure (Burnaby and Hass, 2009).
Organizations should identify such events and monitor their
development and occurrence according to Beasley, Branson and Hancock
(2010). They note that most companies have developed a number of key
performance indicators (KPIs) and often have sophisticated systems for
monitoring those KPIs. Similarly, they argue, it is logical to extend
that concept to the development of key risk indicators (KRIs).
KRIs are metrics that help the company's senior management and
board of directors monitor important shifts in future risk conditions.
This allows top management to identify new risks and evaluate how well
the portfolio of current and future risks matches the company's
established risk appetite.
Internal auditors are especially well qualified to participate in
the development of KRIs and in designing systems to monitor them
(Steinberg, 2011). Many internal audit staffs have information
technology specialists who can play key roles in the system development
initiatives (Deloitte, 2011) and internal auditors' training in
assurance reporting can help them frame the output in ways that are
especially useful for senior management and the board of directors
(Moeller, 2009).
Technology: Source of Risks and Contributor to their Management
Technology has been, and will continue to be, the source of major
risk exposures for companies (Rai and Chukwuma, 2009; Ulsch, 2008);
however, technology is increasingly becoming a part of the solution in
risk management. As information technology permeates the enterprise,
managers can use technology to aggregate, parse, and integrate a wide
variety of risk monitoring measurements (Deloitte, 2011) and use them to
continuously monitor key elements of those measurement outcomes as part
of sophisticated risk management models (Deloitte, 2010).
In a recent PricewaterhouseCoopers (2007) survey, almost 80 percent
of the senior executives and internal audit managers responding believed
that technology risks will be significantly greater in the near future.
To monitor and address these increased risks, some internal audit
managers intend to employ more complex technological tools, while others
expect to increase the integration of information technology audit staff
members and their specific technology skills into the core internal
audit function (Bartolucci and Chambers, 2007).
Technology is a double-edged sword. It increases the overall level
of risk, but it simultaneously provides tools for monitoring and
managing that risk. For example, using technology to maintain a
continuous audit environment can provide a control of overall risk that
far exceeds the increased level of risk in the operations environment
that is engendered by the existence of the technology that allows a
continuous audit to exist. Continuous auditing in computerized
environments is regularly undertaken today by internal audit departments
and is an important part of their contribution to risk management (Kuhn
and Sutton, 2010).
Scenario Planning
A tool that can be used by internal auditors in their risk
management consulting role is scenario planning (Axson, 2011). Scenario
planning can help managers formulate an appropriate risk appetite. Since
internal auditors will work with multiple financial managers in various
departments of the company, they can develop expertise in the mechanics
of scenario planning and provide consultation with managers as they
apply it to their domains (Burnaby and Hass, 2009).
Scenario planning can help internal auditors analyze the financial
implications of alternative strategies under future conditions that are
expected to vary with different levels of risk. Scenario planning can
also help internal auditors define performance measure indicators that
can be monitored as proxies for various levels of risk (Axson, 2011). By
evaluating different scenarios using probabilistic weightings, internal
auditors can provide valuable input to managers as they weigh
alternative courses of action (Cheney, 2009). The performance measure
indicators can also become elements in continuous auditing systems that
provide a monitoring function after the strategy decision has been made
(Kuhn and Sutton, 2010).
SUMMARY AND CONCLUSIONS
The holistic approach outlined in this paper, including the
integration of KRIs with technology and the use of tools such as scenario
planning, can help internal auditors provide highly useful input to the
enterprise risk management process. Internal auditors have particular
skills that they bring to the task of risk management, including their
experience with information technology and summarizing findings into
meaningful assurance reports for top management and boards of directors.
By integrating their efforts with those of line and financial managers
in the organization, internal auditors can contribute in important ways
to the evolution of an effective risk monitoring and management process
in their organizations.
REFERENCES
Albrecht, W., J. Stice, and K. Stocks. (1992). A common body of
knowledge for the practice of internal auditing.
Altamonte Springs, FL: Institute of Internal Auditors Research
Foundation.
Axson, D. (2011). Scenario planning: Navigating through
today's uncertain world. Journal of Accountancy, March, 22-27.
Bartolucci, D. and R. Chambers. (2007). Five trends reshaping
internal audit. Directorship, 33(6), December, 64-67.
Beasley, M., B. Branson, and B. Hancock. (2010). Developing key
risk indicators to strengthen enterprise risk management: How key risk
indicators can sharpen focus on emerging risk. New York: Committee of
Sponsoring Organizations of the Treadway Commission.
Bekefi, T., M. Epstein, and K. Yuthas. (2008). Creating growth:
Using opportunity risk management effectively. Journal of Accountancy,
June, 72-78.
Burnaby, P. and S. Hass. (2009). Ten steps to enterprise-wide risk
management. Corporate Governance, 9(5), 539-545.
Cheney, G. (2009). Connecting the dots to the next crisis.
Financial Executive, 25(3), April, 30-33.
Committee of Sponsoring Organizations of the Treadway Commission
(COSO). (2004). Enterprise risk management: Integrated framework. New
York: COSO.
Deloitte. (2009). Risk intelligence in a downturn: Balancing risk
and reward in volatile times. London: Deloitte Touche Tohmatsu Limited.
Deloitte. (2010). Global risk management survey, seventh edition.
London: Deloitte Touche Tohmatsu Limited.
Deloitte. (2011). Tech trends 2011: The natural convergence of
business and IT. London: Deloitte Touche Tohmatsu Limited.
Dickhart, G. (2008). Risk: Key to governance. The Internal Auditor,
65(6), December, 27-34.
Flesher, D. (1991). The Institute of Internal Auditors: Fifty years
of progress through sharing. Altamonte Springs, FL: Institute of
Internal Auditors.
Financial Reporting Council (FRC). (1999). Internal Control:
Guidance for Directors on the Combined Code. London: Financial Reporting
Council.
Financial Reporting Council (FRC). (2005). Internal Control:
Revised guidance for Directors on the Combined Code. London: Financial
Reporting Council.
Foreign Corrupt Practices Act (FCPA). (1977) 15 USC 78.
Frigo, R. and J. Anderson. (2009). Strategic GRC: Ten steps to
implementation. The Internal Auditor, 66(3), June, 33-38.
Frigo, R. and J. Anderson. (2011). Embracing enterprise risk
management: Practical approaches for getting started. New York:
Committee of Sponsoring Organizations of the Treadway Commission.
Hass, S. and P. Burnaby. (2010). The evolution of important
competencies and knowledge for internal auditors in the United States.
Internal Auditing, 25(6), November/December, 3-14.
Hespenheide, E., S. Pundmann, and M. Corcoran. (2007). Risk
intelligence: Internal auditing in a world of risk. Internal Auditing,
22(4), July/August, 3-8.
Institute of Internal Auditors (IIA). (2004). Position statement:
The role of internal audit in enterprise-wide risk management. Altamonte
Springs, FL: IIA.
Institute of Internal Auditors Audit Executive Center (IIAAEC).
(2009). Knowledge alert: Internal auditing and risk management.
Altamonte Springs, FL: IIAAEC.
Institute of Internal Auditors Global Audit Information Network
(IIAGAIN). (2009). A world in economic crisis: Key themes for refocusing
internal audit strategy. Altamonte Springs, FL: IIAGAIN.
KPMG. (2009). KPMG Survey: Many enterprise risk management programs
lack fundamentals. New York: KPMG, LLP.
Kuhn, J. and S. Sutton. (2010). Continuous auditing in ERP system
environments: The current state and future directions. Journal of
Information Systems, 24(1), Spring, 91-112.
Lamoreaux, M. (2009). Tom Ridge: Dive deep to anticipate enterprise
risks. Journal of Accountancy, July, 46-47.
McNamee, D. and T. McNamee. (1995). The transformation of internal
auditing. Managerial Auditing Journal, 10(2), 34-37.
Moeller, R. (2009). Brink's modern internal auditing: A common
body of knowledge. New York: Wiley.
Pundmann, S. and J. Peirson. (2009). Achieving risk intelligence in
volatile times. Internal Auditing, 24(4), July/August, 3-8.
PricewaterhouseCoopers. (2007). Internal audit 2012. New York:
PricewaterhouseCoopers, LLP.
Rai, S. and P. Chukwuma. (2009). Security in a cloud. The Internal
Auditor, 66(4), August, 21-24.
Sarbanes-Oxley Act (2002). PL 107-204, 116 Stat 745.
Spira, L. and M. Page. (2003). Risk management: The reinvention of
internal control and the changing role of internal audit. Accounting,
Auditing & Accountability Journal, 16(4), 640-661.
Steinberg, R. (2011). Using the new COSO risk-management guidance.
Compliance Week, 8(86), March, 36-37.
Tabuena, J. (2010). Why GRC matters to the internal auditor.
Compliance Week, 7(81), October, 48-49.
Ulsch, M. (2008). Threat! Managing risk in a hostile world.
Altamonte Springs, FL: Institute of Internal Auditors Research
Foundation.
Gary P. Schneider, Quinnipiac University
Aamer Sheikh, Quinnipiac University
Kathleen A. Simione, Quinnipiac University