The chart above has been a valuable aid in selling the importance of an ERM program to executive management, and in convincing them that some risk areas are not being adequately addressed. The study was initially conducted by Corporate Executive Board when ERM was just starting to attract attention, and was updated fairly recently by Deloitte since ERM gained widespread acceptance. It looked at companies whose market cap declined by more than 40% during a year and examined what caused the market cap decline or bankruptcy. Using public information, the study found that 80% of the risks that caused the market cap decline and/or bankruptcy were strategic-oriented, not compliance-oriented, and only 9% were operational, with very few financial and legal risks contributing to the decline.
This is concerning if, as is common, your audit plan focuses on finance and compliance risks, with perhaps some operations and hardly any strategic risks. You can build a compelling case by taking an actual bankruptcy within your specific industry and mapping the public information to this chart. This slide can help the Audit Committee, CFO, and CEO understand the importance of strategic coverage versus other risk coverage, since strategic risk is the type of risk that causes companies to fail. Using a chart like this can help to drive home the point that even if your company doesn’t have a formal ERM program in place, you should at least do an enterprise risk assessment (ERA) once a year to help determine audit coverage, and that risk assessment should include strategic risks.
No matter the budget situation, a smaller audit function will likely always need to get creative to obtain audit resources to help cover risks. There are many opportunities to increase your coverage without having to request a lot of additional budget and headcount.
Internal audit can gain budget by cross-charging investigation services to the department being investigated instead of taking the investigation cost out of its own limited budget. You might also consider outsourcing statutory or other specialty audits that would otherwise require travel.
Memberships like The Internal Audit Peer Group (IAPG) from The Neu Group can save time and costs by providing you with information so you don’t have to reinvent the wheel for audit coverage.
There are several ways to gain budget with SOX, including outsourcing or co-sourcing with specialty firms to transfer the risk of resource peaks and valleys. If you negotiate multi-year fixed-fee contracts, your company won’t need to worry about hourly rates. There’s also an opportunity to save big by donating a few of your lower-cost team members to reduce testing hours with the provider.
If you’re looking to gain access to additional subject matter expertise, consider pulling guest auditors from other departments for 2–3 week projects or IT specialty audits, or bringing in college interns with in-demand skill sets like computer science and data analytics. Internal audit can also team up with internal groups that are already using advanced analytics or AI to give internal auditors on-the-job experience in cutting-edge technology.
Finally, there is an additional opportunity to strengthen broader risk coverage by assessing the Three Lines of Defense model within your company. You will likely find many “audit”-type functions, with significant resources, buried within most organizations. By definition, these resources will be working on very focused subject areas, which normally will not register in the top 25 risks of the company. There is an opportunity to sell the fact that the company is spending money and time addressing lower-level risks when, in collaboration with the internal audit department, the spending could have a much higher return on investment. Leveraging these hidden resources can help cover global risks of importance.
Internal audit may continually struggle with a low budget, but there are many opportunities for smaller audit functions to provide more and better coverage. No matter the size of the department, it’s the CAE’s responsibility to steer the Audit Committee and executive management in the right direction regarding their expectations for risk. When they understand the importance of global risk coverage and what is needed to provide it, internal audit will be in a stronger position to increase its budget. At the same time, a smaller audit department needs to stay innovative to obtain and stretch its resources. With these measures, a small internal audit function can break the stereotypes to provide comprehensive risk coverage while adding value to the organization.