In this special five-podcasts series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part IV, we consider the new relationships which can be created based upon the evolution of IA. These changes will allow IA to work more closely with 1stand 2nd lines of defense. However, how does your organization prepare for that empowered audit function? Finally, we will consider corporate culture and ask if analytics and monitoring can drive behavior even more forcefully than ethics?
Typically, IA is thought of a part of the Third Line of Defense. However, through the use greater use of analytics, IA can move closer to the second or first line of defense or at least work more closely with those who are traditionally seen as the first or second lines of defense. This speaks to one of Kelly’s key points, that the evolution of IA will change the relationship between audit and other functions. Kelly also said it raises in important question, “As internal audit moves towards better analytics and risk monitoring drives up the importance of strong control design, people really need to start thinking about how to detect, how to monitor the risks that are important to my business process.”
Consider internal financial controls and the review of its effectiveness by an external auditor. In most situations bribes are funded through marketing or similar internal budgetary items. An external auditor will only consider material costs so if your marketing budget is over $100,000,000,000 annually for a worldwide, multi-national, a bribe payment of even $1,000,000 hidden in marketing expenses might not be considered material. Therefore, under this IA evolution, the function would need to not only understand the company’s risk but work with the first line business process owners to “clarify what your risks really are and figure out how to manage more accurately, more closely and more effectively.”
This does not mean IA will become a new department of risk monitoring as it will always need to maintain independence and objectivity. It does mean that other corporate departments, such as compliance, should consider taking advantage of IA’s expertise to help create a control for compliance risk that can be monitored and the results quantified. By having that conversation between IA and compliance, both corporate functions can become aware of the types of controls they are using and how they can be made more efficient or even streamlined. Now imagine that conversation with other risk areas in a corporation; anti-harassment, anti-trust, anti-bidding rigging, IT security and data privacy. It is all about the operational risk for each corporate function. But the business process owner would continue to actively manage the risk.
CCOs and heads of other functional units need to be having those conversations now as Boards of Directors are starting to ask those same questions. But it comes with something along the lines of “If not, why not?” Boards see these types of conversations are improving the overall risk management process. I believe that compliance is uniquely suited to having those conversations now with IA to move the process down into the business unit to more fully operationalize the compliance function into an organization. This is certainly the approach advocated by the Department of Justice (DOJ).
Now consider a world where analytics is more prominent. If your organization is more analytics driven, how will it work in your corporate culture? Obviously, if abused or mis-used, a data driven analytics culture can also wind up being a negative place to work. In most organizations, we have seen that that which is managed or measured gets managed well. However, if you measure and manage everything, then you are micromanaging people. Everyone involved will need to consider how does this really impact the human beings who are in an organization? You should also realize that if you are managing and observing everything, what does that say about making your organization a nice place to work? Is it an interesting and challenging place to work or is it simply an organization which manages risk well? Finally, will analytics and monitoring drive behavior even more forcefully than ethics? Those are the types of conversations every company should be having now, not later.
Tomorrow we conclude with getting started and moving forward.