Richard Chambers has shared his valuable insights in another post.  In Europe’s Internal Auditors Are Already Identifying the Risks for 2021 he makes a number of excellent observations, especially his opening paragraph:

As we enter the fourth quarter of a historically difficult and disruptive year, internal audit leaders around the world are looking to next year with some degree of trepidation. If the COVID-19 pandemic has taught us anything, it is that new risks can emerge at lightning speed and have profound impacts on our organizations and lives.

I also like that he pointed out that internal auditors (at least in Europe, which is where the data is from) are spending their time addressing what were perceived as the top risks.

While he references a report from a consortium of European internal audit associations (ECIIA) that sought to understand what practitioners believed were the top five risks to address in 2021, he said:

As the COVID-19 marathon continues to reshape the risk landscape, internal auditors must be keen to the changing needs of the organization and pivot to address those quickly and effectively.

It’s not just COVID that could be “reshaping the risk landscape”. Organizations and practitioners should be thinking about an uncertain global and national economy, the potential for unrest…

Подробнее…

Today, the IIA released what I would call a replacement for its Three Lines of Defense Model. The old model was released in a Position Paper in 2003, The Three Lines Of Defense in Effective Risk Management and Control.

One of the more significant things to note is the change in name to The Three Lines Model.

Before you read and digest the new model, I suggest you read an excellent introduction by Richard Chambers, New IIA Three Lines Model Offers Timely Evolution of a Trusted Tool.

I disagree with Richard’s piece in one respect, when he says the new model (and it is almost entirely a new piece of work) will change the way many organizations look at risk and controls. I think that is hyperbolic optimism.

Before going further, I should reveal that I am one of the 30 members of the advisory group. But having said that I can also tell you that I was highly critical of each of the previous drafts I received for review and comment. I even made calls to Richard and others pleading for dramatic change, if not destruction of those drafts.

I am thrilled to tell you that I wholeheartedly endorse the new model. It’s not perfect, nothing can be, but it comes close. It has a great deal of value and merits a close read with careful attention to each phrase.

The only change I would have required to the final product would…

Подробнее…

It’s quite a few years[1] since I first started talking about “auditing at the speed of risk”. Sometimes I also referred to “auditing at the speed of the business”.

The idea is that the world within which we live and work is dynamic and turbulent – even more so now than when I first started using the term to describe the impact of new technology.

If we rely on an annual risk assessment and plan, we end up auditing what used to be a risk, not what challenges the organization today or tomorrow. In fact, the annual audit plan is typically out-of-date even before it is approved by the audit committee!

Richard Chambers similarly uses the term to explain that we need to move to a model that relies on a more continuous assessment of risk and (as I described in a controversial blog) identification of the audit engagements that would provide the most valuable information (assurance, advice, and insight) to our leaders in executive management and on the board.

Another leader in internal auditing has shifted the focus just a little. In COVID-19 Crisis Highlights the Value of Agile Auditing, Protiviti’s Brian Christensen together with Sharon Lindstrom talk about the need for “agile auditing”. Here are some quotes. Note that the first quote uses that same phrase.

• With regard to immediate needs, the…

Подробнее…