At the corner of 2017, I am writing down the following challenges and solutions for IA.
Understand and adapt to the emerging risk landscape
Most IAs perform risk assessment on an annual basis. While this approach served the purpose well in the past, it fails to keep up with the ever-increasing requirements from both regulators and the market. Because audit entities, scope, timeline and corresponding resources are pre-defined at the beginning of the year, IA may lack the flexibility to adapt its approach to emerging risks that are identified during the course of either an audit or the business. As a result, IA may not be able to shift gears to the high risks that affect the organization most, even if such risks are identified. It is quite possible that IA is conducting a routine audit of a certain area according to its annual audit plan while the auditee is putting significant effort into a different area. Naturally, the auditee will be reluctant to divert attention and resources to the routine audit, especially if the previous audit reports have a rating of “satisfactory”.
IA needs to stay vigilant about emerging risks by performing dynamic risk assessment. A quarterly, or even monthly, risk assessment process should be in place to replace the annual risk assessment process. When necessary, IA should change the audit plan in order to address high risks first. If the plan changes are communicated to business clients effectively, the clients will most likely appreciate IA’s risk-based approach, which is aligned with the strategic initiatives they are involved in.
Provide holistic opinion
The number of audits in the audit universe may not change much, but audit results may have to be reported for different purposes, particularly due to recent regulatory requirements to provide a holistic opinion, for example, on oversight functions. This will require so-called “integrated reporting”. If treated as individual brand-new audit projects, such integrated reporting could be quite resource-consuming and cause a lot of stress.
The following step-by-step approach can help: first, an inventory of existing audits, typically in the form of a 5-year audit plan, is maintained; secondly, existing audits are categorized by business unit, by risk type, or by any theme; thirdly, for each reporting purpose, a gap analysis is performed to identify whether new audits need to be conducted or any existing audits need to be broadened; finally, individual audit results are gathered and summarized in order to perform integrated reporting.
Collaborate with the Second Line of defence
The three lines of defence model has been operationalized in many companies; however, the second line and third line have to figure out better ways to work together. These two lines have different strategies and methodologies, while overlapping in risk and control assessment and challenge. However, these two lines may work in silos, duplicating each other’s effort; in some cases, they may not be able to maintain a good business relationship due to different perspectives.
As always, communication is the key. The two lines have a common goal, which is to identify, monitor and manage the risks within the organization’s risk appetite. Each line should try to understand the other line’s roles and responsibilities as well as approaches, and recognize the benefit from having different perspectives and taking different approaches. As a result, potential risk and control gaps that may have been missed by a line could be covered through effective communication and collaboration.
With the heightened importance of IA, new challenges will keep coming up. There can be many detailed solutions, but I believe they can all be summarized into an abstract new year solution:
Be vigilant. Be flexible. Be adaptive.