I did a video with Joe McCafferty of MISTI last month. I am interested in whether you share my views. I also have some questions for you—after you watch the video.
A new report from Deloitte has some interesting conclusions—plus predictable ones. “2016 Global Chief Audit Executive Survey: Internal Audit at a crossroads” has some provocative content. Deloitte says there is a choice to be made: “Evolution or irrelevance”.
The news about the Wells Fargo staff ‘scam’ (the word used in this article in SC magazine) is mind-boggling. What I found mind-boggling is that (according to CNN Money) Wells Fargo had to fire about 5,300 workers (out of a total staff estimated at 265,000, or 2% of all employees). When 2% of employees were fired, you have to assume that more people knew or should have known. The prevailing Wells Fargo culture in reality was to do what was right for the staff, not the customers!
How should this be done? Some would say that the IIA’s quality assurance standards, which require both ongoing and periodic quality reviews, are the answer. I am not one of those people.
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization. Somewhat more have weighted their plan towards the micro level than the macro level. So what does this all mean?
Managing risk in today’s business environment has become a far more complex process than it ever has been. This can be attributed to a number of factors, such as increased government regulation and cyber-based issues. Other factors include uncertain political and economic situations that can arise, sustainable development and environmental concerns. These issues can have a substantial impact on small, medium and large organizations.
Who takes risk? The correct answer is ‘everybody’; everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.
There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.
A “typical” business can lose five percent of its revenue to fraud according to a recent global fraud study. And organizations are lucky if they detect the fraud at all. Most businesses find out about fraud from a tip, not from strong internal controls.
Typically, the stewardship responsibilities of a board of directors include the identification of an organization’s principal risks, the implementation of systems to manage them, and the integrity of internal control and management information systems. An internal audit function typically plays a key role in assessing and reporting on these areas.