Firms worried that their internal audit function is not doing a good enough job of identifying risk may want to consider instituting a quality assurance program.
QA in manufacturing has been around for decades. It was designed from the customer's point of view to ensure that the manufactured product met the expectations of the buyer.
Audit QA can perform a similar function, assuring that the audit output comports with the expectations of the firm's senior managers.
The expectations should be that the audit resources would be economically deployed to identify critical risks in a timely manner.
The first step in the QA analysis is to review the audit methodology. Risk is part of most business models; audit can help manage the risk, not eliminate it. This requires a well-defined process based on a comprehensive understanding of the business. The results of that process over time must be understood. How well did the process identify unwanted events before they materialized? What was the cost of the audit methodology?
The analysis should address several other questions, including:
Are the critical building blocks in place? It is impossible to have an effective audit program without certain building blocks. One is a set of dynamic standards agreed upon by all stakeholders. The absence of standards creates inefficiency and risk, as well as a dysfunctional climate where the focus is on self-survival instead of organizational goals.
Also important is a philosophy that risk management is part of everyone's job. This is not simply a case of risk economics; it also guides human behavior.
And there must be a formal process to prioritize risks. Not every risk has equal weight.
Is the audit strategy balanced? There is a bias toward quantitative analysis in assessing risk. Since the future cannot be foretold, any risk management strategy should also have a qualitative component. Qualitative implies several things.
One is that factors that can't be easily quantified — rare events, for instance — are part of the analysis. Two is that individual and group human behavior is also considered, because people's behavior can affect organizations in surprising ways. Three is that some events are not foreseeable but may be cataclysmic. They need to be conceptually embraced, not ignored.
Are the audit resources economically deployed? In deploying the firm's resources, several guidelines are essential. First and foremost, don't overspend to identify risks. Someone in the firm already knows most risks, so encourage self-identification of risks. Some risks won't be self-identified, so a thoughtful program of surprise audits is also needed.
Aligning resources with risk is important. Not every risk has the same potential impact, so don't treat them identically — prioritize resources.
It also helps to build a partnership with all stakeholders in the firm. This is essential to the economic deployment of resources and is characterized by candor, transparency, and proactivity on each stakeholder's part.
Is a supportive culture in place? Risk management cannot be effective without the right corporate culture. This starts at the top and percolates down; the walk and the talk must be in sync. Every manager needs to do several things vis-à-vis their direct reports. One is to convey in words and deeds how value is created for both the individual and the firm. If there is a disconnect here, neither the firm nor the individual will prosper. Another is to ensure that the manager demonstrates the behavioral norms.
The right thing to do is usually obvious; doing it is often hard. The manager can influence the doing.
And finally, ensure that the individual's goals are clear and consistent with the value creation.
Are the metrics relevant? The metrics must be timely and must accurately reflect the risk profile and support risk management. If they are linked to compensation, they support the desired behavioral result: managing, not gaming, risk. The true test of the metrics is that they actually reflect the risk.
One approach is to learn from historical unwanted events and analyze how well the audit process identified them before they materialized. Another is to ensure that cataclysmic events will be identified as soon as possible. Still another is to use peer comparisons; where possible, compare your firm's QA metrics with your peers'.
Is cumulative risk captured? An unwanted event is often preceded by a series of actions that individually may be relatively insignificant but cumulatively can be disastrous. The QA analysis should determine if the audit methodology has the ability to detect such risk.