The Evolving Role of Internal Auditors
Janet Clark, Executive Vice President and Chief Financial Officer at Marathon Oil, provided many great insights during her keynote speech: The Evolving Role of Internal Auditors. Ms. Clark. The following are the highlights I took from her presentation:
- Internal auditors must understand the need to strike a balance between good controls and perfect controls.
This ties back to the "value" discussions we cover in Risk Based Integrated AuditingTM (RBIA). Internal auditors frequently recommend controls that could prevent risks without consideration of the cost/benefit of the recommended control. For example does it make sense to implement a control to send back an expense report that is off by $1.50 when it costs $5.00 to rework it?
- Focus on how the company can be more resilient after devastating (black swan) events in order to survive.
By definition, a black swan event is beyond our realm of regular expectations1, such as the recent Japanese earthquake, tsunami and nuclear disaster; therefore it would be impossible for us to develop controls that could address the risks that we don't know that we don't know. Having discussions about black swan events with audit customers and identifying options that can make the company more flexible (e.g., addressing single points of failure) can make the difference in an organization's survival or collapse.
- Internal auditors must recognize and utilize the business owners' (i.e., executives and business/ process/project managers) knowledge of their business, their processes and where the weaknesses (risks) exist.
This is a basic tenet of RBIA and why we believe in the 2-Step Risk Assessment. Step 1, the Business Function Audit Executive does a high level risk assessment with their audit customer to identify key risks, and Step 2, a more detailed risk assessment is conducted with the audit team. Additionally, understanding and assessing how executives and managers know that their controls over these risks are working and if the controls stopped working is a key focus of RBIA.
- Internal auditors need to learn fundamentals of the business, like an owner. They should strive to understand the broader aspects of business and industry. Some ways to do this include reading trade journals and listening to quarterly earnings release meetings.
To truly add value to the business, internal auditors must understand their organization and industry. They must continue to educate themselves in areas that matter most to their organization.
1 The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb, 2007, defines a black swan event asone that is rare, has extreme impact, and retrospective (though not prospective) predictability.