
Internal Audit: The Logic of Illogic and Potential Consequences

Published: April 06 2009, 08:55 AM
by Christopher Fox


Some executive managers are reacting to the current downturn similarly to previous downturns. Management is focused on cutting costs rather than on managing and reducing risk and adopting a proactive response to the many messages being sent from Washington and other constituents. I believe that this reactive response behavior has the unintended consequence of increasing risk and will increase costs in the mid-term. Unfortunately, when management does decide it's time to develop a strategy for new regulatory and market requirements, there will be limited time to consider a well thought-out effort that will be efficient, effective and prove to be the least disruptive to an organization.




This situation represents an opportunity for internal audit professionals. Where possible, internal audit should provide an independent view by pointing out the potential consequences of inaction and delay, and then recommend potential proactive actions.




Consider the following:







  • Current economic circumstances have led to more uncertainty and increased risk



  • Corporate failures are largely the result of the impact of operational risks rather than financial reporting risks



  • Additional regulations will be introduced to address what are perceived to be failures in existing processes, including: Board responsibilities, risk management, regulatory transparency and ratings companies. 'Safety and Soundness' will be a strong regulatory driver.



  • The costs associated with Sarbanes-Oxley compliance indicate that a reactive approach to regulation can be much more costly than a proactive approach to pending regulation.






The logical response to these statements would be to ensure that adequate resources are provided to monitor and manage risk, to strengthen the independent investigative and corporate governance arms of Boards, and to take into account a longer-term view when making business decisions.




In many cases the reality is:







  • Organizations are adopting a 'wait and see' approach to pending regulation



  • Companies are focused on short-term impact rather than considering impact over the next year or so



  • Internal audit budgets have been reduced or are flat



  • Internal audit has retained most of its focus on financial reporting



  • Internal audit planning remains focused on the 'historic' role of internal audit rather than the changing role of internal audit.






This reality impacts the ability of internal audit to:







  • Meet Board requirements



  • Enhance Corporate Governance



  • Address strategic and operational risks



  • Meet the changing needs of stakeholders



  • Implement continuous auditing



  • Address increasing regulatory focus, including: Board responsibilities, FCPA requirements, risk management and transparency.






Internal audit professionals are further constrained by their limited use of technology and GRC management systems. Risk management and compliance are continuing to become more and more complex, and we can certainly anticipate even more complexity as the regulatory environment changes coming out of the economic crisis. The timing is right for the internal audit team to take a proactive stance, leveraging software solutions to help proactively manage this increasingly complex risk/compliance landscape as a part of a comprehensive approach to GRC (including auditing).




There are some barriers, including a lack of understanding of business processes and challenges (because many auditors have been solely focused on SOX compliance), flat or decreasing budgets, and the lack of specific skills related to GRC management systems, including how to use existing systems, and knowing why data mining and exception reporting tools can be beneficial.





What will happen if internal audit professionals do not take this opportunity to broaden their GRC skill-set and/or help to proactively suggest new solutions? Corporate governance and risk management responsibilities may not be fulfilled, and the Board responsibilities and risk management requirements that will emerge from the current regulatory reassessment process may be difficult to achieve. A perceived failure could impact credit ratings and share price, and result in regulatory action. There may also be limited independent assessment and monitoring of information submitted to the Board. The Board may not receive assurance that the GRC and risk management process is sound and that Board directions are being followed.

The costs of not proceeding are great, and if companies keep on a track of focusing on the near-term, they are increasing risk exposure in the long-term. Now is the time for internal audit professionals to act.


 

By: Christopher Fox
Chris is a Senior Principal Product Manager in CA’s GRC group. His primary responsibilities include developing thought leadership in GRC and then passing this knowledge through to our development teams to assist in product development and also to our customers. Prior to joining CA, Chris has had many...