IIA Canada recap: Non-financial risks are a top focus for Internal Audit
I was fortunate to attend IIA Canada’s National Conference in Montreal earlier this month. This was our second year as a sponsor of the event and once again it was an excellent opportunity to hear what’s top of mind for audit professionals.
Richard Chambers, IIA President & CEO, delivered the opening keynote titled “Internal Audit: Imperatives for 2018 and Beyond” and so much of what he said about risk management aligns with what we’ve been hearing from our customers and leaders across every industry.
Here’s what stood out for me from Chambers’ presentation:
- Internal Audit must understand and align the needs of three key stakeholder groups: Management (board and executives); Regulators; and the Audit Committee.
- Audit’s role has evolved from “hindsight” to “insight”; the next evolution is to “foresight”. Assurance is a critical focus to the stakeholders above, so looking forward (“what might happen”) is just as important as understanding what has already happened.
- Management wants IA teams to take a risk-based approach, and he says that all audit plans should begin with a risk assessment.
- What information are boards and executives looking for? There are four key risks that management wants to understand: 1) regulatory assurance; 2) cyber security; 3) operational risk; 4) technology risk. (These are all areas of non-financial risk, and perhaps not surprisingly, they align exactly with what I heard during a keynote talk at an operational risk conference last spring, delivered by a Chief Risk Officer.)
- Regulators are very focused on the rigor, consistency and assurance data, and having visibility into the audit process.
- Audit committees are very focused on IA’s risk management work. He says that IA should be continuously assessing risks, including not only identification of existing risks, but also timely and transparent reporting of emerging risks. (Chambers’ analogy was that IA should deploy a “Doppler Radar” for identifying approaching storms. For example, has IA evaluated risks to the organization due to the #MeToo movement?)
- The #1 gap in audit skills/training is around cyber security. This is a big problem – especially when studies show that 28% of organizations will ignore auditing areas in which they lack skills. This really illustrates how vulnerable companies are to emerging cyber threats. Perhaps not coincidentally, Chambers says that the number one reason CAE’s get fired is after a cyber incident!
- A great question that the Audit Committee can ask IA: “What are the top 5 risks that IA will not be able to assess this year?” The answer to that question can be very revealing as to where IA has a resource or skills shortage.
This year’s conference theme was “The agile auditor in the age of disruption”. It’s clear that the best way for auditors to achieve the agility that stakeholders are demanding is to have access to trusted, transparent and aggregated non-financial risk data, to allow for more informed and effective business decisions. And that’s exactly what Iceberg helps customers do each and every day.