by Norman D. Marks, CPA, CRMA

In the past, auditors were famous for finding problems. They audited a process, business unit, or location and found “weaknesses” in internal control. These were then prioritized based on the auditors’ assessment of the risk they represented.

These days, leading internal audit teams are moving from this idea of auditing controls, sometimes called controls assurance, to auditing whether management’s processes, systems, and organization (which include controls) provide reasonable assurance that risks are at acceptable levels.

They are moving from controls assurance to risk assurance.

They are also moving from auditing the past (hindsight) to providing insight on current activities and even, because they are looking at emerging risks, a degree of foresight into the continuing and future management of risks.

Providing insight and foresight is far more valuable to the board and management than hindsight.

But What Risks Should They Audit?

In the past, an audit universe was created that included all “auditable entities” within the enterprise. Then internal audit audited the more significant risks to the more significant entities. But this sometimes led to auditing activities that might be important to management of those entities but would never be critical to the board or top management.

Today, leading audit teams are using a “risk universe” on which to base their audit plan. The risk universe includes the risks that matter to the board and to management because they are risks to the strategies and objectives of the enterprise.

All risks that could affect the achievement of corporate goals, including unstated objectives such as compliance and safety, are prioritized and the top ones considered for inclusion in the audit plan.

I call these the risks that matter.

When internal auditors provide insight and even foresight on the risks that matter, their work matters to the board and top management. Instead of finding problems and being perceived as an overhead activity that adds to management’s task list, they are helping the board and management deliver value to stakeholders.

This is the path to success for internal auditors – moving from finding problems to enabling solutions.

In my next post, I will discuss how to prioritize the risks that matter and which should be addressed in the audit plan.