Renaming internal audit to better represent its stature

Internal audit. The name leaves something to be desired, in my opinion, and unless you’re familiar with IA, it could be a bit confusing.

It also creates this false dichotomy with external audit that really doesn’t exist. Within the IA context, the audit of financial statements is supplemental and focused on only one risk: reporting risk. Granted, reporting risk holds a special place in the pantheon of enterprise risks, critical to obtaining and maintaining financing, but still.

Why is internal audit content with naming itself only in terms of where its practitioners reside in relation to the organization under audit? Seems quite narrow and vague. Given that IA concerns itself with all enterprise risks, it makes more sense to me to call it Enterprise Audit. This would also dovetail nicely with Enterprise Risk Management. ERM and EA, two sides of the governance coin.

Better branding in this manner would attract more and higher quality people to the profession as well. It sounds far more interesting and rewarding to be in the business of enterprise auditing than internal auditing.

What do you think? Is it too late in the game to make a change like this? Does it matter, so long as those in business understand the role and responsibilities of the auditors?


Enterprise risk audit planning

Earlier this week I watched a webinar put on by the Audit Director Roundtable, a great resource for internal auditors, titled Enterprise Risk Audit Planning.

If you follow me on Twitter, you might have seen this:

@neilmcintyre: IT problems for Audit Director Roundtable delay the start of the Enterprise Risk Audit Planning webinar

The problem was that the large group attempting to log in to the presentation were jamming the conferencing phone system. It was sorted out within 10 minutes of the scheduled start time. Good problem to have, really.

I was introduced to ADR when I joined the world of internal audit in May 2008 and have been taking advantage of the site’s features ever since, such as case studies, internal control questionnaire (ICQ) templates, audit department benchmarking tools and example audit work plans.

Today’s webinar was valuable to me because it focused on how five companies’ internal audit groups are dealing with the challenge of providing assurance over strategic risk. This is a topic that I have championed in my capacity as an internal auditor, and the companies in the webinar were actually walking the walk.

Some of the highlights:

  • One group enabled management to better identify and assess complete risk information by developing a tool that required them to drill down from higher level risks to their lower level components. What I liked in particular about the tool was that it discouraged the tendency to choose medium likelihood and medium impact (what they called “midpointing” although I’d never heard the term) by making those assessments lead to a “significant” rating.
  • Another group credited management for its efforts in identifying processes which were well-controlled versus those that were less well-controlled, by tailoring the assurance strategy to the former. Simply the act of identifying a poorly-controlled process would spur management to implement the necessary controls, at which point the process would migrate to the well-controlled side.
  • Yet another group maps the principal risks identified at a high level to each applicable business process to ensure adequate coverage. Internal audit focuses on the processes involved in executing on the strategic priorities, to provide assurance that those risks are well-controlled.

I enjoyed the webinar because it took what can be a challenging theoretical problem and showed examples where leading internal audit groups are concretely addressing the concerns of management over the key risks driving the performance of the business.

How are you implementing practices like these to provide assurance over the risks that primarily drive enterprise value?

Risk Management

Survey says: ERM implementations maturing

A survey conducted in July and August of 2009 by Aon has revealed that companies are moving beyond “basic” ERM implementations:

62% of the survey respondents in the Global Enterprise Risk Management Survey 2010 reported going beyond basic ERM, compared with only 38% in Aon’s inaugural ERM survey in 2007.

I wonder what happened between now and 2007 that would’ve affected companies’ willingness to ramp up their risk management practices…

The survey asked respondents (of which there were 201) to rate the maturity of their ERM implementation, from “initial/lacking” through “basic”, “defined”, “operational” and “advanced”.

My take is that respondents are more likely to overestimate the maturity of their implementation and generally more likely to respond the more advanced they (feel they) are in the process. Still, the survey is a welcome indicator that ERM efforts are on the rise.

I also think the fact that ratings firms are taking ERM into account when they determine their grading is helping executives point to a tangible financial benefit and obtain buy-in from all stakeholders, which is critical. In my mind the primary indicator of maturity in a company’s risk management program is how comprehensive it is across all departments and divisions, as the “initial/lacking” stage is exhibited by a rigid, siloed approach.

The survey is available on Aon’s website (if you give them some personal information first).