anticipating the unexpected - The Institute of Internal Auditors

WWW.THEIIA.ORG/CAE
ANTICIPATING THE UNEXPECTED
Environmental disasters, customer data security breaches,
material fraud, and substantive product recalls are just
some of the myriad items that could disrupt an
organization’s focus on its day-to-day operations.
However, other seemingly innocuous events also could
alter routine business activities. And it is often these
unexpected, difficult-to-plan-for events that can have a
snow-balling, negative effect on an organization’s image.
TO BE BETTER POSITIONED TO
ANTICIPATE THE UNEXPECTED, CAES CAN:
1. Set aside time to brainstorm “what if”
scenarios with stakeholders.
2. Learn from the mistakes of others.
As business leaders, chief audit executives (CAEs) have to
stay abreast on the latest issues and trends impacting the
internal audit profession, their organization, and industry.
However, being in the know is sometimes not enough to
anticipate unexpected events that could disrupt the way a
company operates. This Quick Insights provides five steps
that can help CAEs be better prepared to anticipate the
unexpected and enhance their prescience1 or “sixth sense.”
Prescience is the ability to see around the corners, to anticipate events before they arise
(“The Relationship Advantage: Maximizing Chief Audit Executive Success” by The IIA and
Korn/Ferry Institute).
1
3. Update the risk assessment model to
include new and unexpected events.
4. Revise internal audit’s role as new or
unexpected events are identified.
5. Establish a contingency resource
strategy for the audit department.
KEY CONSIDERATIONS
STEP 1
Set aside time to
brainstorm “what
if” scenarios with
key business
leaders.
One of the best ways to identify events that could have an organizationwide impact is to
brainstorm “what if” scenarios with business stakeholders. As noted in The IIA Research
Foundation report Imperatives for Change: The IIA’s Global Internal Audit Survey in Action, it is
essential that CAEs determine specific stakeholder expectations and develop strategies and
tactics to address them. By setting aside time to brainstorm “what if” scenarios with key
stakeholders, CAEs are elevating the value of internal audit and helping the organization to
proactively identify mitigating solutions when the unexpected does occur.
In addition to management and the audit committee, CAEs should talk frequently with other
governance, risk, and compliance business leaders to identify events or activities that could
negatively impact the organization’s reputation. Another strategy that can help CAEs
identify unexpected events is to talk to “creative thinkers” in the organization, such as
marketing leads and product development staff, to discuss the different trends they see in the
industry and risk factors that could positively or negatively impact the company.
Ensuring internal audit has a seat at all the right tables can help CAEs not just identify, but
also address new and unexpected changes as they take place. Finally, CAEs need to keep in
mind that while identifying unexpected events is important, proactively communicating
potential gaps to management that warrant attention and offering solutions is part and parcel
of leveraging that “seat at the table.”
2
IN ESSENCE: PROACTIVELY CHALLENGE THE ORGANIZATION TO CONSIDER EVENTS THAT
COULD HINDER THE ACCOMPLISHMENT OF ITS STRATEGIC GOALS AND KEY INITIATIVES
AND HELP IDENTIFY WAYS TO CLOSE EXISTING GAPS. .
WWW.THEIIA.ORG/CAE
KEY CONSIDERATIONS
STEP 2
Learn from the
mistakes of
similar
organizations.
Brainstorming solutions with key business leaders helps CAEs to tap into internal business
resources. However, external sources of information are also fertile ground to assist CAEs in
identifying areas of potential trouble. For example, the news media are ripe with examples
of events that have both hindered and elevated an organization’s competitive advantage in
today’s market. Case studies and articles in trade journals also provide good “cause and
effect” reading material for CAEs to tap into in their quest to help the organization prepare
for the unexpected.
When reading material gathered from external sources, it is always a good idea to examine
the organization’s response to the situation. Although an external event can severely impact
an organization’s ability to deliver timely services or products to its customers, the
likelihood that the organization will “forever close its doors” is exacerbated by how
management responds to the situation and communicates with its stakeholders. Therefore,
CAEs should be on the lookout for examples of how similar organizations in the same
industry have coped with an unexpected event and the way information was disseminated to
all stakeholders. Intelligence gathered from this research can help to assess the adequacy of
crisis management and response efforts.
IN ESSENCE: SCOUR NEWS REPORTS AND MEDIA SOURCES FOR TIDBITS OF INFORMATION
ON OTHER ORGANIZATIONS’ “TROUBLES” AND EXAMINE THE UNDERLYING CAUSE OF THE
EVENT, THE COMPANY’S RESPONSE TO ITS STAKEHOLDERS, AND ASK: COULD THIS
HAPPEN TO US? IS IT ON OUR “RADAR”? ARE WE ADEQUATELY PREPARED TO RESPOND?
3
WWW.THEIIA.ORG/CAE
KEY CONSIDERATIONS
STEP 3
Update the risk
assessment model
to include new
and unexpected
events.
Once identified, previously unanticipated events should be incorporated as part of the
organization’s risk assessment model. This will help the organization be better equipped to
know who the business owner of the risk mitigation activities are and enhance management’s
ability to provide an effective response, if necessary. Feeding this information into internal
audit’s top-down, risk-based assessments can focus audit efforts on more of the tough issues
that could derail the organization. (For more information read the Audit Executive Center
Knowledge Briefing “A Top-down Focus on Risks.”)
Of special consideration during the risk assessment process is documenting key dependencies
within the organization that might be taken for granted. For instance, is there a particular
business process that is currently being performed by a single employee without a
documented backup plan? Instances such as this one should prompt CAEs to ask “what if”
questions (i.e., “What would happen if the employee has an emergency and is unable to
perform this crucial task? How will the organization cope?”).
After the risk assessment model is updated, CAEs need to ensure the internal audit plan also
captures how audit resources will be devoted to previously unanticipated events that may be
deemed a significant risk to the organization.
IN ESSENCE: IDENTIFYING POTENTIAL, UNEXPECTED RISKS OR EVENTS IS HALF OF THE
EQUATION. CAES ALSO NEED TO ENSURE THE RISK ASSESSMENT PROCESS CAPTURES
THESE EVENTS MOVING FORWARD.
4
WWW.THEIIA.ORG/CAE
STEP 4
Revise internal
audit’s role as
new or
unexpected
events are
identified.
KEY CONSIDERATIONS
Progressive CAEs have learned that the audit plan (whether annual or on a differing cycle) is
merely that — a plan. Internal and external factors, such as new technological
developments, emerging industry trends, dynamically changing risk profiles, and supply
chain disruptions, among others, are constantly occurring and must be taken into account as
audit efforts continue throughout the year. As a result, CAEs might need to reassess internal
audit’s role as new or unexpected events are identified and incorporate these changes into the
audit plan, alter the plan, or even set the plan aside entirely. Answering the question, “What
do my key stakeholders need of internal audit now in light of this newly surfaced,
unexpected event?” can help CAEs identify whether audit efforts need to be refocused and, if
so, update the audit plan accordingly.
In addition, CAEs need to determine whether the unexpected event will require a discussion
with the audit committee and executive management to clarify internal audit’s role or scope.
While the internal audit charter should be flexible enough to not require modification as new
projects arise that may not be planned, an abrupt shift between assurance and advisory
services without adequate dialogue with key stakeholders may be unsettling or even
surprising to them.
IN ESSENCE: AS NEW, UNEXPECTED EVENTS ARE IDENTIFIED THAT COULD SHIFT THE
FOCUS OF INTERNAL AUDIT EFFORTS, CAES NEED TO ENSURE THE INTERNAL AUDIT PLAN IS
FLEXIBLE ENOUGH TO REACT ACCORDINGLY AND STAKEHOLDERS ARE UPDATED
APPROPRIATELY AS TO WHAT THE DEPARTMENT IS FOCUSING ON AND WHY.
5
WWW.THEIIA.ORG/CAE
KEY CONSIDERATIONS
STEP 5
Establish a
contingency
resource strategy
for the internal
audit department.
The Audit Executive Center’s March 2012 Pulse of the Profession Survey of 461 North
American CAEs and other senior internal audit professionals found that audit staff levels and
budgets have stabilized since the recession-induced downsizing that many audit functions
experienced from 2008 to 2011. Given the stabilization of audit resources, many CAEs are
once again able to be more flexible in how they resource their departments. While hiring and
training are under way, CAEs also should consider a contingency resource strategy to
supplement their planned internal audit efforts. Of special importance is setting aside
“reserve” resources for unexpected events. Therefore, just as the internal audit charter and
risk assessment must be flexible enough to address ongoing stakeholder expectations, so
must the annual audit work plan and staffing strategy. Questions CAEs can ask include:
 Assuming X occurs, do we have access to resources with the right expertise to help the
organization navigate through this uncharted territory? If not internally available, is my
sourcing strategy flexible enough to cosource audit efforts requiring this expertise?
 Have we invested enough time and energy so that organizational leadership sees internal
audit as a source of not only assurance work, but of advisory work as well? Is there a
demonstrated track record of adding value in such circumstances?
 Have we set aside time in the annual audit work plan to address new or unexpected risks
or is the internal audit work calendar 100 percent booked?
6
IN ESSENCE: CAES SHOULD ESTABLISH A PROACTIVE RESOURCE STRATEGY TODAY THAT
ENABLES THEM TO NIMBLY ADDRESS TOMORROW’S UNEXPECTED EVENTS.
WWW.THEIIA.ORG/CAE
ABOUT THE AUDIT EXECUTIVE CENTER™
The Institute of Internal Auditors’ (IIA’s) Audit Executive Center is the essential resource to
empower CAEs to be more successful. The Center’s suite of information, products, and services
enables CAEs to respond to the unique challenges and emerging risks of the profession.
ABOUT THIS DOCUMENT
Quick Insights provides easy, actionable information for CAEs on internal audit management issues.
The information included in this document is general in nature and is not intended to address any
particular individual, internal audit function, or organization. No individual, internal audit function,
or organization should act on the information provided in this document without appropriate
consultation or examination. The author of this report is Hal Garyn, CIA, CPA, vice president of
North American Services for The IIA.
DISCLAIMER
Copyright © 2012 by The IIA located at 247 Maitland Ave., Altamonte Springs, FL, 32701, U.S.A.
All rights reserved. Published in the United States of America. Except for the purposes intended by
this publication, readers of this document may not reproduce, redistribute, display, rent, lend, resell,
commercially exploit, or adapt the statistical and other data contained herein without the permission
of The IIA.
7
WWW.THEIIA.ORG/CAE