In a prior blog, I talked about Internal Audit's (IA) need for independence and the balance it must strike when working with other Governance, Risk and Compliance (GRC) functions. In this new world, IA is no longer the only oversight function in an organization, and IA's need for independence sometimes runs up against the requirement (per IIA Standard 2100) to coordinate activities and communicate GRC information among the board, external and internal auditors, and management.
For example, two primary areas of concern to IA are the understanding of risks and the testing of controls. Other oversight functions that monitor and test controls, in addition to IA, include internal control and compliance organizations. Alongside these internal control groups is the expansion of risk management functions, including enterprise risk management (ERM) and operations risk management (ORM). IA was historically the source of broad risk evaluation, while other risk groups, such as credit and fraud, focused on their specialized areas of risk. However, as with control oversight, risk oversight functions have also expanded, adding to the robustness of risk information but also to the confusion over coverage, scope, approaches and priorities. This has not been an easy transition, with separate organizations, varying approaches and levels of maturity, different toolsets, and sometimes competing priorities.
A question in the minds of many IA groups has been, “what functions should IA perform versus what should other oversight groups do”? Gartner raises this dilemma in their September 13, 2013 research entitled, “How to Differentiate and Align the Roles of Security and Internal Audit”, stating that there is confusion regarding the potential overlap between the roles of information security and IA, which leads to conflict and dysfunctional information risk management.
In this equation, there is a related question that IA must ask, which is, "how can and should we leverage other GRC functions to help accomplish our mission more effectively and efficiently?" This has become a necessity in this day of cost cutting and having to prove ongoing worth to the organization. It can be a positive factor as IA strives to expand its reach and influence without increasing staff count. Two areas where IA usually struggles with coverage and efficacy are dynamic risk assessment and continuous controls monitoring. For example, IA typically performs its audit universe risk assessment once per year, but the company and its risks continue to evolve, sometimes unbeknownst to IA. IA needs a better way to be alerted to changing risks and then adjust its audit plans so that its resources are spent on audit engagements against the highest-risk areas. By working with an ORM or ERM function, IA can leverage their ongoing risk identification, measurement and monitoring activities to determine which risks it needs to respond to by adjusting its audit plans. Another resource IA can leverage is compliance groups, which may have control monitoring measures in place that IA can rely on to ensure key controls are evaluated and continue to function effectively on an ongoing basis. Control failures found by internal controls groups may also alert IA to where it needs to focus more attention. Regardless of an organization's ability or readiness, the conversation has evolved to the point that IA and GRC will have to learn to work together to stay competitive, achieve their objectives, reduce costs and maximize results.
Alongside the need for independence is a competing priority for IA to be a "partner" with management. As directed by IIA standards, IA reports to the board of directors and senior management. Compare this with the definition quoted earlier: "Internal auditing is an independent, objective assurance and consulting activity..." The challenge for IA groups is how to strike the right balance between independence and partnership.
The formalization of GRC as an operating framework has begun to force the discussion around how IA and other oversight functions can work together toward common goals, and has increased the opportunities for IA to partner with management. The GRC Reference Architecture represents the alignment of organizational elements and processes under a GRC framework. The framework unifies the functional and topical elements of GRC with some tangible end results. Aligning the approaches, programs, resources and efforts of interrelated GRC processes can result in improvements in visibility, efficiency, accountability and collaboration, which are needed to optimize business outcomes. (See the white paper on the RSA Archer GRC Architecture for more information.)
To illustrate, a prominent U.S. based insurance company was starting up a new IA function, "insourcing" the function after having used an external audit firm for several years. After staffing the IA function, one of the first steps was to align its risk methodologies and approaches with the company's ORM function. During the process, some areas of ORM's methodologies and approaches were modified with input from IA. This proved beneficial: the two groups had agreed-upon approaches for identifying and evaluating risks and impacts; aligned resources to perform further analysis and related audit procedures; better communication and agreement on findings that resulted from ORM analysis and IA testing procedures; and coordinated remediation activities. IA felt it could better rely on the ORM group, and vice versa.
Alignment of these varied GRC functions, processes, approaches, methodologies, goals, objectives, programs and resources takes many forms. It could include adopting similar risk assessment approaches and methodologies, or combining control testing. Alignment is an important activity, as its benefits include better resource utilization, improved coverage of risks and controls, and other synergies. Another important step in alignment is identifying and assessing the differences and challenges between the functions being aligned. The next installment of this blog series will talk about the growing pains of alignment.