When I tell people that I am an internal auditor, three things happen. First, I must explain that I am not from the IRS and will not be auditing their taxes. Second, I must tell them that I do not just focus on financial statements or fraud, but conduct many types of audits. This often leads to the third comment, perhaps in jest: “So, you are just interested in controls, not risk.” To me, all three statements illustrate a misconception of what internal audit is about and does (perhaps justified in some audit organizations). Perhaps more importantly, it means that I have not explained internal audit very well in any of our prior discussions (my bad), particularly the linkage between controls and risk. So, let me get back to basics.
- Risk is a function of Probability and Impact. Risk increases as probability or impact increase and decreases when they decrease.
- Impact, often seen as financial, can be other things, like goodwill, reputation, legal, environmental, strategic, HR, compliance, operations, etc.
- Probability, while it sounds easy to comprehend, requires an understanding of what influences probability. This includes opportunity, motive, and rationalization. As opportunity, motive or rationalization increases so does the probability of an event occurring and, consequently, the risk.
I want to throw in another wrinkle: risk can be positive or negative. Risk affects the achievement of organizational goals and objectives. Capitalizing on positive risks will increase the achievement of these objectives. Failing to address negative risks will decrease the achievement of organizational objectives.
At the company where I currently work, CTRLmatters, we look at both positive and negative risks; we assess factors that increase the probability; and we quantify the impact. We also identify specific actions that should be taken to address the root cause of the risk. Take, for example, a series of analytics that examine a business process such as accounts payable. Our analytics can find areas where improvements would increase the efficiency and effectiveness of the process, reducing cost (a positive risk). The analytics can also identify a lack of separation of duties, poor internal controls, poor business process policies and procedures, etc. (negative risks). Sure, some of these are directly tied to control weaknesses. But these weaknesses create opportunities that increase the probability of an event happening and, consequently, the risk. A control weakness is the ‘why’ behind a risk occurring, not the ‘risk’ itself, but it is still important to identify.
A final thought is the notion of predicting risk. While organizations should pursue this goal, it is not sufficient. Companies must react quickly when risk does occur. If you predict a risk and do not know how to mitigate it, what have you gained? You need to have processes in place to quickly highlight and assess the potential impact of a new or increasing risk when it occurs; to understand the root cause; and to identify the actions you need to take to mitigate the risk. This is where CTRLmatters’ continuous monitoring, through a series of scheduled analytics, can help protect you from both known and unknown risks (predicted and not predicted). By running analytics on a regular basis, flagging positive and negative risks, and identifying the underlying cause, our analytics allow management to act quickly: to capitalize on positive risks and to mitigate negative risks.
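To make the accounts payable example and the scheduled-analytics idea above concrete, here is a small added example (my own illustration, not CTRLmatters’ product code) that runs three analytics over a constructed payment ledger: a separation-of-duties check (a negative risk tied to a control weakness), a duplicate-payment check (an efficiency finding, i.e. a positive risk), and a risk score that follows the probability-times-impact definition, treating each control weakness as an opportunity that raises probability. The record layout, the user names, the base probability of 0.02 and the 0.10 step per weakness are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    """One accounts-payable payment record (assumed layout for this example)."""
    invoice: str
    vendor: str
    vendor_created_by: str   # user who set up the vendor master record
    entered_by: str          # user who keyed the invoice
    approved_by: str         # user who approved the payment
    amount: float


# Constructed sample ledger; the names and amounts are made up for illustration.
SAMPLE_PAYMENTS = [
    Payment("INV-1001", "Acme Supplies", "jsmith", "jsmith", "mjones", 1200.00),
    Payment("INV-1002", "Acme Supplies", "jsmith", "mjones", "mjones", 4800.00),   # entered and approved by one user
    Payment("INV-1003", "Globex",        "rlee",   "rlee",   "rlee",   25000.00),  # vendor setup, entry and approval by one user
    Payment("INV-1004", "Globex",        "rlee",   "tchan",  "mjones", 25000.00),
    Payment("inv-1004", "Globex",        "rlee",   "tchan",  "mjones", 25000.00),  # same invoice keyed twice, case differs
]


def separation_of_duties_findings(payments):
    """Return (invoice, [weaknesses]) for payments where one user held incompatible roles."""
    findings = []
    for p in payments:
        weaknesses = []
        if p.entered_by == p.approved_by:
            weaknesses.append("entered and approved by the same user")
        if p.vendor_created_by == p.approved_by:
            weaknesses.append("vendor created by the approver")
        if weaknesses:
            findings.append((p.invoice, weaknesses))
    return findings


def duplicate_payment_findings(payments):
    """Group payments by normalized invoice number, vendor and amount; report any group with more than one entry."""
    groups = defaultdict(list)
    for p in payments:
        key = (p.invoice.strip().upper(), p.vendor.strip().upper(), round(p.amount, 2))
        groups[key].append(p.invoice)
    return [ids for ids in groups.values() if len(ids) > 1]


def risk_score(payment, weaknesses, base_probability=0.02, step=0.10):
    """Risk = probability x impact. Each control weakness is an opportunity that raises the probability.

    The weights are assumptions for the example; impact is taken as the payment amount.
    """
    probability = min(1.0, base_probability + step * len(weaknesses))
    return round(probability * payment.amount, 2)


def run_analytics(payments):
    """One scheduled run: flag negative and positive risks and score the negative ones."""
    by_invoice = {p.invoice: p for p in payments}
    sod = separation_of_duties_findings(payments)
    return {
        "separation_of_duties": sod,
        "duplicate_payments": duplicate_payment_findings(payments),
        "risk_scores": {inv: risk_score(by_invoice[inv], w) for inv, w in sod},
    }


if __name__ == "__main__":
    for section, result in run_analytics(SAMPLE_PAYMENTS).items():
        print(f"{section}: {result}")
```

Each finding names the control weakness (the ‘why’) separately from the score (the risk), which is the distinction the post draws; a real scheduled run would read the ledger from the ERP export rather than the constructed list, and the probability weights would come from the organization’s own loss history.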
Co-Founder and Senior Data Analyst