GUEST BLOG POST
As internal auditors, we provide assurance, advice, and insight on the system of internal controls over the more significant risks to enterprise objectives.
Internal controls provide the basis, the foundation, on which management and the board rely as they manage and direct the organization to success.
The typical internal audit assesses and tests the controls over transactions and how they are originated and processed: their completeness, validity, accuracy, and recording. We may also audit risk and governance practices, and how information and systems are protected.
But is that missing the boat on what’s most important? Are we (and risk practitioners) failing to provide valuable assurance, advice, and insight on what may be even more important to successfully achieving objectives?
Organizations succeed or fail as the results of the decisions they make. Those decisions include:
- Defining the purpose of the organization, what it desires to accomplish over the longer-term
- Deciding what strategic goals and objectives should be set for the period, including how each member of the management team will be compensated
- Identifying the strategies that will enable them to achieve their objectives
- Managing the organization every day, making tactical decisions such as:
  - Who to hire
  - Who to fire
  - Sales prices for the organization’s products and services
  - Which vendor to select
  - When to purchase what, for delivery when, in what quantity
  - When to release a new product
  - How and when to implement new or updated technologies
  - Where to invest funds
  - At what level to set credit limits, derivative position limits, etc.
  - … and so on
Grant Purdy is an individual for whom I have great respect. After he left his position as chief risk officer at BHP Billiton, he entered the world of consulting. He told me that he was frequently engaged to help an organization upgrade its risk management program.
But… when he met with management, he didn’t ask them about “risk.” No, instead he asked them how they made decisions. Very wise!
Internal auditors may identify, test, and assess the internal controls around the information management might have (such as performance and risk reports) when they make decisions. But we don’t usually ask how they use that information—if they use it at all!
I have seen surveys that say that most decision-makers not only don’t use all the valuable and relevant information that is available, they don’t even know it exists!
Internal Audit and Decision-Making
This is what I suggest:
- When you are conducting an audit, ask the manager how they make their decisions, such as which vendor to use, which staff to assign to a project, or which price and contract terms to negotiate.
- Ask them whether they have all the information they need to make an informed and intelligent decision. Do they involve others who might be affected by their decision or have useful information that should be considered?
- Review that information and consider whether there are adequate controls over its:
  - Completeness
  - Accuracy
  - Currency
- See whether management is actually using the available useful information to make their decisions.
- Are the decision-makers subject to biases that adversely affect their decisions?
Decision-Making Controls
While I don’t recommend second-guessing what the manager decided, consider whether their decision was reasonable given the circumstances (for example, the business need, the time available to make the decision, who is available to provide additional perspectives, whether the manager has the authority to make the decision, etc.) and the relevant information.
In other words, assess the controls around the process for making important decisions. Do they provide reasonable assurance that informed and intelligent decisions are made, taking the right level of the right risks to achieve enterprise objectives?
It’s still risk-based auditing, but instead of only auditing the controls over transactions, you audit the controls over major decision-making. You audit the controls over the risk of poor decisions.
If we only audit controls over transactions and processes (including their protection), we may be missing the boat!
What do you think? Please leave your views in the “comments” section below!
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
New insights, new focus area – I think some of us do cover risks outside of the transactions and processes, to include Management Plans, though not interrogating how those plans are derived – the nature of the information used in crafting them!