Yeah, auditors see risk (red, if you may!). We are asked questions about risk. We have been taught to understand it and plan accordingly. We are told to think and talk risk. That’s what we do, but what about the management? Are they supposed to understand risk only so that they can ask the auditors questions about their audit strategies, planning and approach?
Or are they supposed to have their own understanding of the risk? And not just understanding it but actually managing it? Exactly! Whose responsibility is it to manage risk? And is this responsibility fulfilled merely by asking questions of the auditors? I agree, asking the right questions when understanding risk is pivotal, but is that all?
Is it the auditors whose understanding matters the most when it comes to managing risk, or is it the management’s understanding that needs to be the guidance auditors are required to follow, understand and then evaluate? And thus, is it the auditors who are required to take the lead on risk, or is it the management’s job to do it?
Let me put it another way. Is it the auditor’s job to understand how the business objectives could be impacted, or the management’s job to guide not just their employees but also their auditors on how they perceive their business objectives being impacted by risks materializing?
For some, even the derivation of business objectives might as well be the auditor’s job! Because managements know why they’re in business, but auditors need to find out why their clients are in business. But why debate objectives, some might ask, when we were discussing risk? Indeed, we were.
Under the ISO 31000 definition, risk is the effect of uncertainty on objectives; hence objectives and risk are inseparable. But managements comprehend objectives far more easily than they understand risk. And when auditors try to talk some risk sense into them, they’re like “that’s our job, we’re doing it”.
By identifying, understanding and at times documenting the applicable risks, auditors are certainly not assuming the role of the management. Our role is evaluating and improving the risk management process. Though we usually end up establishing the risk management process, since managements just know, but don’t document their understanding.
And when it’s not documented, it can’t be assessed and evaluated, and thus can’t be managed. So, it all begins with the auditors somehow, because that’s where the process starts shaping up as a process: a well-defined, systematic process. We were actually responsible for developing a systematic, disciplined approach towards assessing and evaluating the effectiveness of the risk management process.
Instead, we usually end up introducing a systematic and disciplined approach towards the identification, assessment and documentation of risk, and also finding ways and means to manage it, often issuing advisory for controls when there are none. Even though it’s not a responsibility we should assume as independent auditors, this core intervention from our side is set to benefit the entity we serve.
But the management is hardly in awe of it. Meaning that they don’t do what is rightfully theirs to do, and they’re also not convinced when the auditors push them to do it by taking the lead on it. And since they are hardly convinced of any such initiative, they hardly understand it.
And it comes down to the auditors to sell their efforts on risk management, when it should have been the other way around: management selling the accuracy and completeness of their process. Sometimes, however, the compliance, reporting and operational risk inventories do get a nod of acceptance. But strategic? Never!
Because that’s the executive management’s domain. And auditors are traditionally looked down upon by executive managements, because ‘down there’ is where the compliance, reporting and operational risks lie. And from the management’s perspective, there’s nothing strategic about auditors or audit. Because let’s face it, even though, courtesy of The Institute of Internal Auditors’ efforts, the C-suite designation for internal auditors is beginning to pick up pace, it stops right there.
A spot at the executive table has been earned, but no one knows what it means, surprisingly not even the auditors! Because the auditors have only ever learnt to intervene once the strategy is at work. And auditors have never been thought to have the business acumen to talk strategy. Maybe because businesses hire auditors to aid them in the areas they want, not the areas the auditors think are important.
Plus, strategy is the foreword; the auditors’ task ‘must’ come afterwards. So, isn’t it right to have the strategy at work first and then let the auditors do their hunting? Well, the way I see it, that’s also a strategy. Management’s strategy. To have the auditors bogged down at the operational level, assuring and advising on operational, or maybe compliance and reporting, risks. But nothing strategic!
Every typical auditor falls for this management strategy. We’re asked to be mindful of audit objectives, not business objectives. Only the competent and the careful ones ensure business objectives are their audit objectives. But these are a rarity. And even when they make the effort to evaluate strategy and the risks to strategic objectives, they’re hardly paid any heed.
Because a seat at the executive table discussing strategy doesn’t automatically earn us an audience. And because auditors might not even be the last ones to come to mind to discuss strategy with! “It’s our work, we’re doing it, we’re there already, been there done that, let us take care of that, that’s what we do”, etc. are the most typical management ‘arguments’, if these are to be called arguments.
And mind you, only the luckiest amongst us get to hear these! Most of us do not get to be heard if it’s strategy that’s on our mind; we’re simply ignored. And that’s exactly what is most ironic about it. Managements want risk management. They want auditors to assess risk and provide risk assurance and risk advisory.
But only about operations, compliance or reporting, not strategy! The very operations, compliance and reporting that are put in place to work the strategy! They expect us to be detail-oriented and systematic, working through a framework, but do not want us to evaluate their own strategic framework. If the strategic objectives and the risks to those objectives are not evaluated, what is the point in having the subsidiary ones evaluated? And what is the point of having the subsidiary ones evaluated when it is not even known whether they are in alignment with the overarching ones?
The risk that those charged with governance should be concerned about is the risk auditors are not invited to assess and evaluate. These are the very risks that those charged with governance and executive managements alike use to sell their performance for the sake of financial and other incentives.
Just recently at a professional gathering, my risk management expertise was queried. I was asked if I was able to identify and forewarn about something that had already materialized and concerned the very existence and viability of the entity’s business.
I was also asked, if I did, what the entity did about it.
I said it was my job to diligently identify, evaluate and help improve the whole spectrum of risks that were applicable to the entity’s business, which I did. I added that I did more. It was I who identified, documented and developed the entity’s first and only risk management framework.
But if the management chose to ignore the strategy part out of it, the risk that meant anything at all was the risk in their eyes!