Covering Risks in a Shifting Economy
By William Thomas, Protiviti
This article is a synopsis of several conference presentations given by Protiviti. Bill Thomas is a Managing Director located in Tampa, Florida and can be reached via e-mail at William.Thomas@protiviti.com.

Source: Protiviti's KnowledgeLeader

For more than a year now, a weak economy has held many companies in self-described “survival” mode, as they look for micro- and macro-economic signs of sustained stability – something upon which they can base long-term planning. In these times, businesses have begun to adapt to sluggish customer demand, credit markets that continue to be unusually tight, declining asset values (and related accounting implications), as well as roller-coaster equity markets that have affected enterprise value and increased scrutiny of the risks associated with their investment portfolios. Business leaders also are increasingly focused on governmental fiscal and monetary policy, as they try to gauge the business impacts of new or proposed programs.

It has become clear that today’s economy has defined a “new reality” – not a short-term shift. While companies strategize for growth, there remains a distinct and crucial focus on preservation of value. Virtually all enterprises have aggressively implemented cost containment programs, and employees at all levels are seeing the impacts of a stronger emphasis on budgeting and adherence to established spending levels.

Internal audit is not exempt, and it is safe to say that most departments are feeling at least some pressure to justify their budget. For several years, leading companies have been stabilizing their Sarbanes-Oxley (SOX) efforts and looking to rationalize their investment in internal audit. Companies now are asking internal audit to deliver deep insights across a wider range of risks (e.g., IT, credit, operations), while utilizing less and less of internal audit’s time in support of the annual SOX report. Now management teams, with an eye on cost reduction, are also looking at all departments, including internal audit, to see whether resource and staffing allocations could withstand trimming even while their company remains risk averse.

Along with challenges come opportunities for change that many companies are seizing – or at least sizing up. For example, companies are looking for opportunities to take advantage of weak labor markets. Some are upgrading talent – both internally and externally – by seeking expertise at relatively attractive cost levels. Other opportunities include locking in prices for future needs at current levels through forward price hedging; improving or adding core capabilities by focusing on training and investing internally only on the development of core capabilities; exiting marginally profitable or money-losing businesses; and making selective acquisitions. It is a prevailing view that we will begin to see merger-and-acquisition activity in the next several years, especially if valuations stay relatively low and credit availability increases. Companies that are highly effective at “stabilization” may find themselves in an excellent position to capitalize on these opportunities as the economy rebounds.

A Changed Landscape for Risk
The challenge to most internal auditors is clear:  If you have shifting expectations and fewer resources, how do you adequately cover risk, especially the emerging risks suggested by current economic conditions? Consider these areas:

  1. Refine the risk-based approach. Many departments audit on a rotational cycle in what might be called a standard audit approach at different business units or locations. While this approach provides a lot of coverage, it is not usually aligned to the distribution of risk in an organization. Look for indications of risk, based on business unit or location size, prior results, reports of fraud, missed budgets or unusual levels of turnover. Involve your IT auditors and develop techniques to monitor changes, and adjust your audit schedule accordingly. A blend of a risk-based approach with good audit practices helps achieve the most desirable coverage – the best way to maximize resources when they are in short supply.
  2. Communicate more with the audit committee. Typically the audit department is accountable to the audit committee of the board of directors, which might meet four to six times a year. Audit committee members are now asking for ideas that will help them effectively govern the organization. While direct and frequent communication with the audit committee chair has always been important, it is crucial now. Build an ongoing rapport that does not threaten executive management but provides the service the audit committee expects. 
  3. Incorporate self-assessment to provide broader coverage. With fewer resources on the shelf, one way to get the most out of them would be to make use of surveys and self-assessment techniques to ask questions of process owners (across the organization) about controls that they are responsible for and whether those controls are still being executed. Leading internal audit departments automate this technique and often build self-assessment into all audit efforts.
  4. Upgrade talent where needed. If there are some marginal performers, this might be an opportunity to assess the need for access to specific expertise not present in the department, such as a strong IT auditing capability. Internal audit is judged – formally or informally – by the content of its work. The chief audit executive (CAE) should always be asking if he or she has access to the skills necessary to evaluate risks and controls across the areas most relevant to the organization.
  5. Use local resources to reduce travel and free up resources. The guest auditor approach offers a high potential of return. A company with multiple branches or locations might partner a store manager with the audit team to perform a three- or five-day audit. Allowing others to participate by executing procedures and compiling work papers also could open the door to knowledge sharing of best practices within the organization. Reducing travel expenses is another benefit.
  6. Put diagnostic auditing to work. Companies often plan and budget an internal audit project at the beginning of the year and work within the set budget. It is not unusual to find that they underestimated the total resources necessary. One way to mitigate this risk is to require deep diagnostic work during the planning stage of any audit project, and then make a recommendation on options to meet the audit objective. Many times, this can lead to paring the size of some projects and allow reallocation of resources to where they are needed.
  7. Leave room in the budget for supplemental subject matter expertise. Collaborating with experts – and not just bringing in generalists who are trying to understand an area for the first time – will maximize the value of individual audit projects.

The Year’s Top Risks
Admittedly, the list of top risks is bound to change, especially in uncertain economic times. As a snapshot, the following five major risks stand out today.

1) Profitability/Liquidity. This is likely not an individual audit project; however, internal audit should consider the effectiveness of controls governing these risk areas. They are simply too prevalent today not to understand. Internal audit should know what management is doing and be up to speed on stress testing. The question, “Where can we reduce costs or improve cash flow?” is top of mind with CFOs. Auditors also need to be attuned to cost-saving opportunities.

Budgeting and forecasting – always important topics – command even more attention today than they did a year or two ago. In addition to understanding the reliability of underlying data, internal audit could participate in this area by providing independent validation of spreadsheets and models used to develop those forecasts.

What would it take to impair a company’s liquidity? Defaulting on covenants could create a major challenge. If internal audit has not looked at this area in the past, it is important they do so now because banks will seize any opportunity to act. Does internal audit truly understand the organization’s approach to ensuring access to short-term capital? Many companies have been surprised at the cost of gaining access to cash depending on how (and where) it is held. “Liquid” assets often lost their liquidity – ask anyone with holdings in real estate. Also, ask the investment officer what percentage of investments are in equities of companies for whom the company has not performed a credit evaluation – not simply researching the results of a rating agency’s report, but actually examining the company, market, results, etc. to arrive at a risk rating decision. Internal audit should challenge the risk management function and understand the reliability of cash forecasting and the impact of stress tests.

2) Managing around organizational change. Has the organization experienced layoffs? Decreases in the workforce bring more risk into a company’s ability to service existing customers and to conform to quality standards. To help manage that type of risk, internal audit might assign someone to review the compilation of surveys a company uses to monitor customer satisfaction. Of course, the impact on some of the basics always matters. Segregation of duties (e.g., authorizations), access to systems (e.g., bank accounts, wire transfers, etc.), and basic physical access/security controls all can be compromised by deep cuts in personnel.

Losing key leadership is also a risk as the value – real or perceived – of stock-based compensation plans loses its luster. There is a concern that a company’s high performers might be more susceptible to offers from competitors. If this is perceived as a risk, it is not unreasonable for internal audit to understand how it is mitigated. The emerging risk related to executive compensation is of particular interest in the US. Organizations that are recipients of funds from the US government (e.g., TARP – the Troubled Asset Relief Program), or even involved in industries that are highly scrutinized (e.g., health insurance) should examine their executive compensation structure very carefully.  

Active monitoring around bonus structures and how executives are compensated is important.  Even if audit is unaware of certain matters, the media might become aware, and a question could be asked of the internal auditor: ‘Why were you not looking at that?’ There is certainly a political risk, and the auditor might be expected by the board to report back to them on such items. Generally, executive compensation matters are handled by the board; but sometimes, when it comes to those below the highest rungs, there might not be as much visibility by the board as to what is happening. Internal audit should be knowledgeable of the compensation plans in place, payments being made, and what is being reported to the board so they are aware of situations before they become issues with the media.

3) Reliance on third parties. Similar to the counter-party risk in connection with banks, reliance on significant suppliers has become a huge risk for companies, especially those that operate on a just-in-time delivery system. If they lose a key supplier and there is no alternate source for a particular part, the entire production/delivery process might come to a halt. To mitigate such risks, companies might look at key suppliers and their financial health as well as put in place backup strategies (e.g., having a little more inventory on hand in case a supplier suddenly goes under or being familiar with alternatives should a replacement be required).

Given that all companies are looking to save money, a review of key supply contracts can be a good place for an internal audit to focus its resources, making sure existing agreements have not become disadvantageous. Political and continuity risks come into play particularly when companies rely on third-party vendors in remote areas where oversight may be negligible. Auditors should take a look at how well these offshore companies are performing and assess their financial viability.

4) Fraud. This is one risk whose incidence inevitably increases during times when people are out of work or being laid off. As internal audit is aware, it is a fact that there will be more fraud investigations and that companies ought to be instituting better programs to protect themselves against unscrupulous activities by both current and former employees.

The time is right to take another look at fraud risk assessments. While SOX can be a starting point, these projects are typically focused more on financial reporting fraud scenarios. It is important for internal audit to understand the current fraud risk associated with a shifting risk profile. Far too many companies who have experienced fraud believed that they were not susceptible because “we watch every transaction carefully.” The discovery of fraud is a red flag to external auditors, banks and other providers of capital, and regulators. A current, rigorous fraud risk assessment – completed by leveraging expertise in fraud detection and prevention – is extremely important today. There are simply too many recent examples of the dire consequences that occur when fraud risk is overlooked (e.g., private health plans hit by Medicare fraud to the tune of hundreds of millions of dollars).

5) Information security. The risk of unauthorized disclosure, access to trade secrets, and even sabotage has always existed. However, employees feel overwhelmed, threatened and, as the organization shrinks, overworked. These lead to failure of controls and can be the roots of rationalization. Can internal audit confidently state that workers who left the company no longer have access to sensitive areas of the organization, or remaining employees do not have incompatible duties (e.g., they have been assigned new responsibilities and in doing so their managers might not realize that such activity could facilitate the risk of an employee taking a harmful action or circumventing controls)? The reality is that IT often holds the most valuable assets of the organization. There have been recent incidents where companies have caught major “logic bombs” put into their systems by disgruntled employees whose intent is to sabotage the company. IT’s physical assets can literally walk out the door if proper safeguards are not in place. Incidents of failure to adequately protect sensitive data (e.g., customer financial information, employee health information, etc.) are costly, embarrassing and can lead to significant regulatory action.

While most internal audit departments include some aspects of IT security, this is a good time to dig a bit deeper. Look at IT asset management and focus on tracking and disposal. Include technical audits related to access to sensitive data in the audit plan, and consider the inherent limitations that SOX, PCI, ISO or SAS-70 audits present. 

Summing it Up
The reality is that economic challenges will continue to drive changes in the risk profiles of all companies.  This in turn will challenge internal audit to establish and maintain approaches that are both timely and relevant. A highly effective, objective internal auditing function can be especially critical at a time when there is so much uncertainty in the business plan. By leveraging leading practices, internal audit departments are contributing to the effectiveness of risk management in areas that, frankly, will define the organization’s ability to weather the storm and take advantage of opportunities in the future. Now, what internal auditor wouldn’t want to do that?


© 2012 Protiviti Inc. All Rights Reserved.