“the audit committee in an uncertain world”

AUGUST 2015 INTERNALAUDITOR.ORG

The Auditor's Role in Protecting Customer Data

The People, Processes, and Technology of Data Analytics

A New Framework: Enhanced Guidance for the Profession

IIA Global Chairman Harrington

INTERNAL AUDITOR

Upload: weaver

Post on 24-Jul-2016



Risk Watch BY ALYSSA G. MARTIN EDITED BY PAUL SOBEL

THE AUDIT COMMITTEE IN AN UNCERTAIN WORLD

Internal audit can help members manage emerging risks arising from constant change.

Uncertainty has always accompanied business operations. It cannot be avoided; it must be faced. Management and boards should openly recognize that the pace of change has increased and become more interconnected and global in nature, with the audit committee playing an active role in risk oversight.

Every organization is unique, causing internal and external risk categories to manifest through different risk events. Knowing the relevant risk categories and drilling into the specific events that could occur and influence an organization's success is imperative. The CAE needs to be a consultant to the audit committee, helping it with its oversight role. In addition, the internal audit function and the organization's senior leaders should work together to evaluate vulnerabilities linked to strategic objectives.

The Velocity of Change

As business changes and emerging risk becomes more relevant, risk management becomes a shared, routine process. Increasing reliance on Internet technology makes cybersecurity a crucial risk. Businesses with global customers or vendors must pay attention to geopolitical factors abroad, while other organizations face exposures within their home nations.

The potential for a "black swan" event, a devastating event that no one could have foreseen, exists as well. For example, the earthquake and subsequent tsunami Japan experienced in 2011 wreaked havoc on global supply chains without warning. Attempting to identify such possibilities is unfeasible and beyond the scope of effective risk management practices.

Such events illustrate the impact and velocity of change, as do disruptive innovative technologies. While such disruption quickly makes some products and business models obsolete, it also presents opportunities for organizations that acknowledge and embrace change. That's what makes the audit committee's risk oversight role so important.

No business can totally mitigate every risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation whose importance requires participation by an organization's audit committee and other board members, with the CAE and internal audit function serving increasingly important roles.


CONSIDERATIONS AFFECTING RISK PROFILE

EXISTING RISK PROFILE: The current level of risks across the entity and across various categories.

RISK CAPACITY: The amount of risk that the entity is able to support in pursuit of its objectives.

RISK TOLERANCE: Acceptable level of variation an entity is willing to accept regarding the pursuit of its objectives.

ATTITUDES TOWARD RISK

Enterprise Risk Frameworks

A variety of frameworks provide guidance for assessing and managing risk. The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Enterprise Risk Management—Integrated Framework is widely used by organizations in many industries. The International Organization for Standardization's ISO 31000—Risk Management Principles and Guidelines is recognized worldwide.

In addition to these frameworks, The Corporate Executive Board monitors reported risks from the largest U.S. corporations. Such resources enable an organization to take a continual, systemic risk management approach. In turn, an organization can define its risk profile, which provides an understanding of the organization's approach toward risk (see "Considerations Affecting Risk Profile" on this page).

While the internal audit function may facilitate identification of the risk profile and recognition of risk reduction activities, risk management should be owned by the organization's CEO and leadership team. The CAE can educate board members on risk management practices, relevant emerging risks, and alignment with the strategic business objectives. Understanding the risk profile can aid members in identifying expertise or skills gaps within the board that may impede its ability to provide guidance on managing emerging risks.

The Audit Committee's Risk Oversight Role

The audit committee exercises oversight for crucial corporate governance matters, including financial and compliance issues. The importance of risk awareness highlights why audit committee members also need to make risk an ongoing topic of discussion at board meetings throughout the year.

Initially, audit committee members should meet with and question the CEO, chief financial officer, chief operating officer, CAE, chief risk officer, controller, general counsel, director of financial reporting, IT director, and other key leaders. Insights gleaned from such interactions give committee members with risk oversight responsibilities firsthand knowledge of exposures facing the organization and help the committee engage other board members at the strategic and risk awareness levels. The knowledge gained from heightened risk awareness enables the audit committee, board, and management to more effectively address uncertainty and strategic objectives.

The internal audit function complements those efforts by assessing risks related to those strategic objectives. With industry-specific knowledge and understanding of analytics and other measurement or predictive tools, the internal audit function also can recommend and monitor controls that enhance efficiency, risk recognition, and responsiveness.

Building a Competitive Advantage

Monitoring the risks that emerge from change and uncertainty enables CAEs to advise the board and audit committee on exercising the risk oversight that is crucial to good corporate governance. This enhanced risk awareness can more fully prepare the organization to recognize and respond to emerging vulnerabilities before they become crises as well as to capitalize on opportunities that accompany change. In that sense, enhanced responsiveness to change can give an organization a competitive advantage that enables it to thrive.

ALYSSA G. MARTIN, CPA, is the partner-in-charge of Risk Advisory Services and executive partner for Weaver in Dallas.