The Institute of Internal Auditors: A Champion of ERM
Steven Minsky | Oct. 29, 2007
At the recent Institute of Internal Auditors (IIA) event “2007 Risk and Control Conference Featuring Governance, Risk, and Compliance,” one of four tracks was dedicated to Enterprise Risk Management (ERM). The role of internal audit has gained in stature as a result of the financial reporting scandals of the past five years. However, internal audit has seen its time become overly focused on the risks of misstatement of financial reporting. The message at the conference, “Back to Operational Audits,” resounded loud and clear. ERM provides the path to return to operational audits while maintaining the financial reporting compliance achievements without adding resources or work. The Internal Audit function is increasingly championing ERM as one of its priorities.
Conference attendees could frequently be heard discussing the new Sarbanes-Oxley guidance pertaining to section 404, called Auditing Standard 5 (AS5). AS5 prescribes ERM, a top-down and risk-based approach, as the way recommended by the Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC) to increase the efficiency and effectiveness of financial reporting compliance. External auditor fees have risen dramatically since 2002, and conference attendees are recognizing that much work needs to be done to apply this new guidance and ERM to reduce the burden on their businesses.
In the session “SOX Controls Rationalization – Better Coverage, Less Effort,” Beth Kaplan of Deloitte & Touche remarked that companies up until now have not done risk assessments well and that in the past controls and risk were not linked as they should be. Her client, James Brigham, Vice President of Internal Audit and Asset Protection at PETCO Animal Supplies, commented in that same session that it is critical to get the risk owners, who are in the operational areas, involved. Jim lamented that SOX software today “is weak on assessment capabilities that are both graphical and intuitive to make it easy to engage and involve front line management. Assessment quality is all about asking the right questions and focusing on the process directly with the process owners.” When asked how PETCO became committed to ERM while so many other companies have not yet made progress, Jim mentioned that PETCO recently pulled product off the shelf from 900 stores for contaminated pet food. This was a wake-up call for ERM, and he was hired to initiate ERM at PETCO. Jim further remarked that “it is sad that companies have to get burned before they appreciate the significance of what ERM has to offer. This can also be seen with the recent embargo of Chinese products with pollutants. Retailers are in tough shape sourcing a lot of the products and not dealing with the problem until it already happens. ERM is about getting ahead of the problem and preventing it from happening.”
It sometimes seems that compliance gets people’s attention because it is perceived as doing what is required. However, this view has been getting corporate America into trouble. According to keynote speaker Rushworth Kidder, President of the Institute for Global Ethics, 15% of the population is dedicated to compliance, which is destroying our economy. Rushworth made the case that better corporate governance is a key to reducing the compliance burden. He presented his research on how lapses in ethics may be the canary in the coal mine and a key indicator of more insidious and material weaknesses throughout the enterprise. Rushworth’s message was that a strong governance-based approach is a more effective and efficient way to achieve results than a compliance approach that focuses primarily on controls.
If you are an Internal Auditor focused on business value, the risk manager is your new best friend as ERM solves the following Internal Audit headaches:
- Independence: Many Internal Audit teams are burdened with doing risk assessments in order to gather the information they need to perform their duties. ERM facilitates accountability and helps identify the owner of risks and prescribes an infrastructure and process for them to do their own risk assessment.
- Audit Plan Coverage: Internal Audit teams are resource constrained, and their discretionary internal audit time typically covers only 5 to 10% of the enterprise in any given year. Management input often consists of hallway conversations or emails, leaving the Internal Auditor with insufficient information to prioritize resources. ERM provides common enterprise-wide evaluation criteria, an information-gathering process and standardized scoring criteria so that any and all risks from any business area can be compared objectively and resources can be matched accordingly.
- Communications: ERM eliminates the redundancy caused by overlapping, functionally specific risk assessments by reaching across silos with a common risk assessment framework that collects information once and provides a comprehensive view of risk in the enterprise. This provides a foundation for an integrated mitigation planning capability to facilitate collaboration between internal audit and business areas.
“After fully implementing an ERM program into our Internal Audit planning process we now have more timely assessments of risk, prioritized management requests and the ability to measure residual risks not currently in our audit plan.” Jay Alligood, Head of Internal Audit, Blue Cross Blue Shield of Florida.