By Jon Long
On some level, risk management is partially about avoiding audit surprises. Dollars are invested, individuals are trained, and departments created to make sure organizations are safe, efficient, and compliant with all applicable regulations. Why? There is reputational risk associated with unfavorable audit findings which can translate to revenue loss.
Despite the best efforts of risk professionals, many risk management programs fall apart over missed infractions or clear operational misalignment with a given standard or control. These oversights are not uncovered until they are pointed out during an external audit. Surprise!
How is this possible?
In most organizations, audit surprises can be traced back to one (or more) of three key mistakes:
Mistake #1 – Auditor Misalignment: Relying exclusively on in-house interpretations of prescribed industry or regulatory control requirements. Provide your external auditors with your organization’s interpretation and response to a given control requirement, and ask them to benchmark it against their own interpretations before you are audited. Formally I call it a benchmarking exercise, but informally, I like to call it “Putting your auditor in a box.” If there is a less experienced auditor assigned to your eventual audit who challenges your interpretation, you will be able to reference the response you received from their firm. It is advisable to do this for each control in your control framework to ensure that you have covered all control requirements, and to avoid audit findings associated with unaddressed or inadequately addressed requirements.
Mistake #2 – Operational Misalignment: Failure to adopt an organization-wide approach to risk management. In many ways, this is the mistake that leads to the other two. All too often, senior management delegates, segregates and essentially forgets about risk mitigation. Having placed the responsibility on a team – or, in some cases, a single individual – the organization ignores the protocols and controls needed to maintain compliance. In reality, organizations should empower their risk managers with unified policies and procedures that are implemented at the control owner level.
Mistake #3 – Missed Infractions: By taking a passive approach to risk management technology, organizations fail to notice when policies and procedures are not followed. Too many organizations create an environment where proactive investment in risk management technology is discouraged, leading to audit findings associated with controls that were designed correctly but were not effective enough to prevent non-compliance. When the audit uncovers a fatal flaw in the control framework, a quick (and costly) solution must be found right away. Using technology to continuously monitor compliance provides assurance that your organization is actually following its policies and procedures.
When you consider these common mistakes, audit surprises become a lot less surprising. Companies with rigorous compliance responsibilities must leverage outside expertise to predict and diagnose issues, must proactively invest in the technology tools they need to remain compliant, and finally, must adopt a company-wide approach to the issue. Without those measures in place, risk management will continue to be full of surprises.