Spotlight: Internal Audit and Risk Assessment Strategies

  • by Gary Byrne, Managing Editor, Financials Expert and SCM Expert
  • February 28, 2014
An SAP executive answers a few questions about internal auditing and risk assessment in today’s enterprise business environment.
Learning Objectives

By reading this article, you will learn how to:

  • Assess emerging risks within your organization
  • Develop an effective risk assessment strategy
  • Ensure maximum protection of data moved to the cloud
  • Protect data on employees’ mobile devices
Key Concept

Emerging risks, according to Institute of Internal Auditors President Richard Chambers, are “newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models.”

In his blog on the Web site for the Institute of Internal Auditors (IIA), IIA President and CEO Richard Chambers commented about a challenge internal auditors face in assessing emerging risks:

“Internal auditors have become increasingly effective in assessing traditional risks; however, the ability to identify and assess emerging risks presents new challenges and requires even greater proficiency. Emerging risks are the newly developing risks that cannot yet be fully assessed but that could, in the near future, affect the viability of our organizations’ strategies and business models. These risks have no track record, so despite the fact that our risk assessment techniques are becoming more sophisticated each year, new and emerging risks are still the most difficult risks for us to identify and quantify.”

On the same site, Norman Marks, a former vice president at SAP, referred to the following findings from an AuditNet survey on the state of technology use by auditors:

  • “While audit software tools have been available for almost 2 decades, auditors and audit departments are not making full use of the technology.
  • Auditors use audit software tools mostly on an ad hoc basis with some repetitive use, and departments do not have a strategy or plan to integrate technology in the audit process.
  • The main reason for limited use of audit technology tools is the cost of the software and training and management resistance to change.”

I asked Bruce Carpenter, vice president of corporate audit at SAP, to comment on these statements and to answer some questions about how organizations can meet challenges pertaining to internal auditing and risk assessment.

Richard Chambers sees challenges ahead for internal audit teams with regard to assessing emerging risks. Could you comment on what measures an organization can take to identify and mitigate new risks?

There is no doubt that new risks emerge daily. I think there are two important things to consider here. First, I think all managers need to ask themselves two key questions: What risks might prevent me from meeting my objectives for the chief executive? How adequate is my current mitigation strategy? This will immediately provide a key to the top strategic risks facing the organization. Second, the organization needs to have a defined process to update their risk assessment for regulatory changes and other emerging risks. Fortunately, there is a lot of industry benchmarking information available from the big four and other major advisory firms. Audit and compliance officers are generally well networked with their peers, and these knowledge-sharing platforms definitely help to develop best practice approaches to managing emerging risks. Another place to look for emerging risks is in capital budgets. In many cases capital spending is being driven by a perceived emerging risk or opportunity. The business case may not necessarily mention the risk, but it is clear that the spend is aimed at a risk of some sort, such as competition or climate change.

Gary Byrne

Gary is the managing editor of Financials Expert and SCM Expert. Before joining WIS in March 2011, Gary was an editor at Elsevier. In this role he managed the development of manuscripts for Elsevier’s imprint responsible for books on computer security. Gary also has held positions as a copy editor at Aberdeen Group, a Boston-based IT market research company, and as an editor at Internet.com, a publisher of content for the IT community. He also gleaned experience working as a copy editor for International Data Corp., a Framingham, MA-based IT market research company. He earned a bachelor of science degree in journalism from Suffolk University in Boston. He enjoys traveling, sailing as a passenger onboard schooners, and helping his wife, Valerie, with gardening during summer weekends. He’s a fan of all the Boston sports teams and once stood behind Robert Parish in a line at BayBank. He felt small and didn’t ask for an autograph. You can follow him on Twitter at @FI_SCM_Expert. His online footsteps can also be found in the SAP Experts group on LinkedIn.
