Embrace the challenge: IIA's new chairman of the board, Robert N. McDonald, CIA, CGAP, knows that today's internal auditors face trials and opportunities beyond any they've tackled in the past, but there's little doubt in his mind they're ready to deal with them - Institute of Internal Auditors

Internal Auditor, August, 2003 by Robert N. McDonald

IN THE UNITED STATES AS WELL AS MANY OTHER COUNTRIES, STAKEHOLDER SCRUTINY of corporate governance has been raised to new heights by an onslaught of legislative and regulatory changes. Consequently, executive-level managers around the world are being forced to evaluate--or reevaluate--their company's governance-related policies and controls and often are turning to their internal auditors for answers and guidance. Now more than ever, internal auditors are being asked to deal with questions of compliance, ethics, risk, and communication whether consulting or performing traditional audit work. The challenges are great--and they will continue to be for some time in but with planning, they can be met successfully with expertise and an eye toward company goals.

THE CHALLENGE OF RISK

It's important that as internal auditors, we do our jobs with the good of the organization in mind. We need to keep up with dramatic changes occurring in our profession and in our respective industries and help executive management understand that we are an essential part of the governance structure in a changing business environment. The corporate failures and public loss of confidence in stock markets worldwide have caused many companies to become more risk averse as they work toward getting back on the track of achieving their goals and objectives. As this happens, the possibility of internal auditing being left behind as a necessary part of corporate governance increases. We have worked hard over the past 50 years to raise management's level of awareness about our profession's importance, but have only recently started to achieve a profile of success. We must continue to be vigilant and continue seeking to make strides forward as our organizations change. It's our responsibility to ensure that our companies' structures and processes reflect the intent of those changes, not just the words used to define them.

As we consider appropriate risk management for our respective organizations, we need to examine our methodology and whether or not the right context--or scope--has been set for the risk-assessment process. Arguably the most important aspect of risk assessment, establishing the appropriate context means breaking the organization into manageable areas for assessment and includes the part, function, or level of the organization along with its environment, clients or customers, and competitors being evaluated. The three simple contexts that have worked well for me are strategic, business, and operations.

Although audit risk is related, it's separate. Every company's board of directors and audit committee should undertake a strategic risk assessment of themselves. As well, senior management should undertake strategic and business risk assessments. Operational risk assessments should be completed for the entire organization, and internal auditing should oversee that process and conduct its own audit risk assessment. Once the risks have been assessed and the controls and weaknesses have been identified, we have to ask ourselves whether or not an effective risk treatment plan has, indeed, been put in place.

THE CHALLENGE OF COMMUNICATION

Although communication has always been of utmost importance for internal auditors, it's now taking an even more prominent role. Auditors have to speak clearly and succinctly while conveying often sensitive issues and findings to appropriate parties, such as the audit committee. Lately, it's become even more apparent that audit committees must receive more information about the company's risk and controls--a responsibility that falls to the chief audit executive (CAE) and the internal audit function with input from the external auditors.

As perhaps the only area with a holistic view of the organization, internal auditing is not only in the best position to provide the audit committee with information assurance, but it also is in a prime position to facilitate some of the operational components of the committee's meetings such as assisting in setting the agenda and developing a sufficient annual meeting schedule with enough time allotted for each meeting to conduct the business required. We can encourage the chair of the audit committee to provide pertinent material--or as it is in the United States, provide the material ourselves--well in advance of each meeting and have the chairperson insist that members be prepared. We can also suggest that the audit committee undertake an annual self-review as well as a review of internal auditing. We can show audit committee members how maintaining an open dialogue with the CAE will help make their job easier and more successful. And finally, we can make them understand that time spent with the CAE without management present can help keep the company healthy and moving forward.

Not only because corporate governance will continue to be an issue for many years to come but also because it makes good sense, internal auditors must ensure adequate communication among the four cornerstones of solid business practice--the board, management, and external and internal auditing. As we work toward opening those lines of communication, it's important to remember that no one can make good and timely decisions unless the hard questions are addressed, such as how the bad news gets communicated to senior management, the audit committee, and the board of directors. Poor communication is a major risk. It keeps executive management from being able to assess bad news and severely hampers the decisions that are made when the news finally does become available. If the bad news is addressed promptly from the same base of knowledge, the information and decisions that flow from the process can be acted upon with confidence.