Focusing on What Matters
Lessons from a Former Auditor, Part 2
By Jason Rohlf
One of my favorite things about working at Onspring is that we are first and foremost a client-focused company. I’ve written before about our annual Onspring Connect conference—this has become my favorite event of the year for a variety of reasons, not least of which is having a chance to hear directly from our clients how Onspring has helped do the great things they do. We also have recently embarked on a series of regional events that are similar to Connect but slightly more intimate in terms of setting and attendance numbers. I’ve already had the chance to visit Minneapolis and Atlanta, and I am excited to head to Chicago in a couple of weeks for some more client face time.
In preparing for the Chicago event, I reached out to one particular Chicago-based client to make sure she could attend. This particular individual is not only a two-time Onspring client, but also someone I’ve known and respected professionally and personally for over 15 years. She is one of the crown jewels of my professional network, so when she told me that she attended the webinar that I delivered with MISTI titled, “Risk Based Internal Audit: Focusing on What Matters,” I couldn’t help but beg for her feedback. And true to form, she did not disappoint. One piece of feedback in particular stood out:
“You should try weaving in more of your stories, experiences and specific examples next time. They are always so interesting and not only will it help people grasp the concepts more quickly, it will help the knowledge stick and best of all, they’ll remember you for it!”
Naturally, she was right. In the final analysis, I realized that while I believe I did a good job delivering the fundamental concepts of how internal auditors can better focus on implementing a risk-based audit approach, it was perhaps a bit generic and impersonal. With this in mind, I’d like to revisit a few of the key concepts that I discussed, while also weaving in some of my own experiences, trials and tribulations to help make those points a bit stickier.
Concept 1: The IIA Standards are Packed with Risk Guidance
Every internal auditor (hopefully) is quite familiar with the IIA Standards, more formally known as the International Standards for the Professional Practice of Internal Audit. These are the guideposts for the profession, and anyone who practices should know them and strive to live them. In developing the webinar content, I went to the primary IIA Standards document and searched the term “Risk”; my search returned 60 results, with 13 more in the glossary. What I also found was that the concept of “risk” is placed in multiple contexts. Combing through the Standards reminded me of my time studying for the Certified Internal Auditor (CIA) certification exam. I was a few years into my career and knew that this would be a good way to strengthen the capabilities I was developing.
Back in college (and shortly thereafter) I sat for the CPA exam, and that muscle memory served me quite well in this instance. While the exam requires a pretty broad knowledge base, a big part of it is rooted in understanding the IIA Standards. So as you can imagine I read them, read them again, studied them, read them backwards, fell asleep on them and then studied them some more. I figured that knowing the foundation on which everything else was based would set me up for success, and wouldn’t you know it, I was right! What I learned in the process is that the IIA Standards are chock-full of valuable information, particularly about how auditors should consider and evaluate risk. From my search, I noted the following items of particular interest:
- 1220.A3 Due Professional Care states that auditors must remain alert to risks impacting the organization’s objectives.
- 2010 Planning requires that the CAE establish a risk-based audit plan to determine the audit department’s priorities.
- 2100 Nature of Work instructs IA to evaluate and contribute to the improvement of the risk management program using a risk-based approach.
- 2120 is actually called RISK MANAGEMENT, and it stipulates that IA must evaluate the effectiveness of, and contribute to the improvement of, risk management processes.
- The 2400/2500/2600 Series focuses on how you communicate the overall risk posture, including situations where management chooses to accept identified risks.
Like I said, understanding the foundation helped me translate what I was doing from an abstract concept to something more meaningful. Which leads me to my next concept…
Concept 2: Internal Audit Is Well Positioned to Lead by Example
I am what you might call a late bloomer. It took a while but I finally feel like I’m coming into my own with this whole “being a professional” thing. I share this because in my early days as an internal auditor I didn’t really grasp the concept of why we were doing what we did, let alone how we were helping drive a risk-focused culture in our organization. I realize that some of this comes with age and experience, but this is one of those classic cases of, “I wish I knew then what I know now”—oh, the audit reports I could have written!
Kidding aside, I do think it’s important for every person to find meaning and purpose in what they do. This doesn’t just apply to internal auditors or business professionals. Everyone should be able to understand why what they do is important, no matter how small their part may seem. Everything is contextual, and when placed in the proper context everyone’s contributions are vital.
Even though I didn’t realize it at the time, I was a key member of teams that were key components of organizations striving to meet their goals. In hindsight, I realize that there were things I was doing that were helping us accomplish those goals.
- We started by working with the Board and management to understand from their perspective the risks and opportunities that mattered to them. Their perspective served as a foundation for understanding how we could best assist them in measuring and managing risk.
- We then had our Audit Universe against which we performed regular risk assessments, allowing us to lend an independent yet informed perspective regarding what mattered to the organization and where our time was best spent.
- Finally, we would go deep by performing project-level risk assessments so we could define the specific risk areas that were present within those areas that we were responsible for evaluating. This ensured that every sample tested, every conclusion reached and every issue noted was aligned with something that was meaningful to our stakeholders.
Now that I’ve used hindsight to see that I was playing my part to drive a risk-focused culture, I can apply foresight to determine where internal audit is headed in terms of contributing to the overall effectiveness of Risk Management in their organizations.
Concept 3: Internal Audit Evaluates the Effectiveness of Risk Management Programs
One thing the IIA has been pretty clear on in recent times is that internal audit is expected to not only consider the risks impacting the organization but also to evaluate the overall effectiveness of the organization’s own risk management program and processes. While this guidance is relatively new and still open to interpretation, internal audit is well positioned to provide this oversight and they can do this most effectively by following the same approach that they follow in any other situation:
- Understand the underlying methodology that drives the risk management program. If there is no underlying model supporting their efforts, internal audit can direct management to an established framework such as ISO 31000 or COSO ERM.
- When risks are identified and measured, there should also be a clear set of actions being taken to respond to those risks. Internal audit can evaluate the appropriateness of these response procedures.
- As with any audit or evaluation, communicating results to leadership is key. It is important that they understand the value of these practices, including the critical nature of any gaps or exposures in the program.
From a personal standpoint, since working in the GRC software world, I have come to appreciate how seemingly disparate units within any organization are inextricably linked. There is no “black box” that your process feeds into and disappears. Helping everyone see how what they do impacts those around them is a key step in instilling a risk-focused culture in an organization, and internal auditors can help drive this point home in their daily work.