Although internal audit, compliance and risk management functions play separate roles in helping organization identify and mitigate risk, increasing demands and a stronger need to act quickly are fostering new demands for growing collaboration among these groups.
FEI Daily spoke with Dan Zitting, chief product officer at ACL, about the changing compliance environment and a resulting desire among many companies to foster audit, compliance and risk management collaboration.
FEI Daily: Are the demands on audit, compliance and risk management evolving?
Dan Zitting: We certainly think so, and there are differing pressures in various industries. If you look at the SEC enforcement actions over the last year, you can see pressures on several issues, in particular on bribery and money laundering. It seems regulators have pushed a lot of companies to the point where some of these issues have become much hotter than they were in the past, so the question getting asked becomes, “What are compliance and audit, or risk management and audit, doing to coordinate on some of these problems?”
And we find, especially if the company is big and complex, it’s surprising how often the perception of the risk agenda is different between those groups. That disconnect is creating pressure to bring them together.
FEI Daily: What do you think contributes to that disconnect, or the perception of one?
Dan Zitting: What we often see pushing that is a question among the risk management and compliance folks who think audit is missing the mark by focusing on issues that aren’t what they see as really high risk. Audit’s always in that dual pressure of reporting on the things that audit committees are interested in, and pressure from the business to be closer to their risk management concerns.
So we see more of that coming together to say, are we working off fundamentally the same set of risk assessments? Some of these issues are getting to the point where we need both the frontline testing or monitoring of risks as well as that audit oversight, and improving alignment among these functions. It’s interesting how challenging that seems to be across companies.
FEI Daily: How are companies trying to improve that collaboration?
Dan Zitting: In the clients that we work with, we see a push coming to give audit a stronger role in providing assurance over the risk management process by working with risk assessments and saying, “Is their process for doing that working well? Is it highly effective?” There’s a move away from starting an annual audit risk assessment from scratch and ending up with a completely different set of priorities than perhaps what the risk management function is focusing on.
Collaboration today is happening more frequently so these groups can become more agile and shift away from an annual planning exercise where they do a big risk assessment and build an audit plan to understanding, “what are the key risks this month?” Things change too quickly for traditional type of annual audit planning exercise.
FEI Daily: Is the risk or regulatory environment evolving too quickly for annual planning to be sufficient?
Dan Zitting: It’s not even close anymore, and a good example would be an agency like the Consumer Financial Protection Bureau. That’s only been around a couple of years, but they’re changing the kinds of audits and inspections they’re doing regularly. That forces a reaction on the compliance side and the audit side to say, “How are we going to respond to these changes and these oversight bodies in a more agile way?”
In that environment, we think you need to come up with methodologies and tools to give you the ability to analyze risk much faster. If you spend a month going around setting up interviews with key executives and it takes you two months to build an annual plan, that approach won’t fit this faster-moving model.
You need to encourage the use of tools and data to understand how you’re monitoring risk in real time, or at least be able to do so very quickly every month or every week or whatever the case is.
FEI Daily: Are you starting to see more use of data and analytics to support risk management?
Dan Zitting: As a company, it feels like we’ve been working on analytics for a long time, and yet it does still feel early, in the sense that we’re finally starting to see a shift in expectations over the last year or so that everybody in the field needs to be able to analyze data at some kind of level.
Analytics are still harder, I think, than a lot of vendors would like to portray, but we’re getting better at making these data sets available so those less technical users can use tools to do that kind of light-level analysis much more quickly. It’s really just on the early stages of that, but there are opportunities with data because the pressure to move faster is so acute now.
FEI Daily: When you look at the interaction of audit and compliance, are there traditional obstacles you have to address?
Dan Zitting: Oddly enough, one of the single biggest choke points I see over and over again is the language that’s used between these different departments. It can be as simple as compliance folks, when there’s a compliance violation, they call it an incident, but when an auditor finds something that’s problematic, they call it a finding. It’s almost like, these relatively simple differences in vocabulary can choke off the collaboration, because these departments will think that they’re doing something different, when at a fundamental level, they’re really not. Most of these departments are saying, “Hey, the business has objectives, there’s key risks to those objectives, and there needs to be controls in place to mitigate those risks.” Yet the language around the methodology they use, I think, can choke off collaboration.
If we could bring folks together on how we’re going to talk about risks, then we can align the processes and use the same sorts of technology, reporting then become much less complex.
FEI Daily: When you have a conflict like that, how do you start to address it?
Dan Zitting: What we would generally recommend doing is taking a step further back and asking the operational business how would they refer to these things and how would they describe their processes. If they understand the vocabulary and risks, they’re more likely to understand any recommendations and change their operations based on it.
Really, that’s the goal these oversight functions are looking for, and you then move that alignment back into the risk assessment process and the auditors, as an oversight role, are working off that same risk assessment and control process.
Dan Zitting: I think there’s a big value there. Certainly in COSO, there’s a recommendation to have an overt culture around risk management and how the organization approaches it. I think that’s a big part of it. We see it on the technology side where it comes down to time to implement technology and there’s conflict or trouble making decisions because of the group think. But if they’ve taken time to think and talk about their risk management culture, that makes those down-the-line activities much easier.•