Last week I came across a gem of a post over on ACL’s in-house blog, about the future of internal audit. One of the senior executives there, Dan Zitting, was talking about the premium that recruiters now place on audit executives who understand data analytics—to the extreme that one recruiter told Zitting, “Frankly no one in management truly needs the services of the traditional auditor any more; what they need is the promise of Big Data to materialize.”
I’m not sure I buy that recruiter’s rather extreme position about traditional auditors. Those other points, however, about wanting the promise of Big Data to materialize and paying more money to people who know how to do it… Well, that is not surprising at all.
Nor is it a trend likely to stay confined to the audit industry, so compliance officers should take note. Because when you contemplate what the promise of Big Data requires, that could include some mighty big changes to how audit and compliance cooperate.
What intrigues me here is the potential collision of three forces: Big Data, the enterprise risk assessment (which internal audit typically manages), and more pressure from regulators on issues like third-party oversight or business conduct (which compliance typically manages). We could see—and I would argue, we already are seeing—so much pressure to improve business conduct that compliance risks are evolving into one large, messy enterprise risk overall. Ultimately Big Data will be crucial to understanding and taming all of that.
Which leaves me stuck on a question: What will a risk assessment look like in that world?
When you look at the audit committee charters of some large companies (I’ve been doing that lately), plenty of those charters still define compliance and enterprise risks as two separate things to be managed in two separate ways. Take Cardinal Health as an example. The audit committee oversees both compliance and enterprise risk, and the charter even defines them as similar but separate responsibilities: the first few duties outlined in the charter talk about the chief compliance officer, while the latter talk about assessing financial risks and reviewing the enterprise risk management program. AT&T is another: it clearly defines compliance and internal audit as separate responsibilities for the audit committee, as if what internal audit and compliance are two ships passing in the night there.
I’m sure that on a practical, daily basis, the compliance and audit teams at both companies cooperate well enough. Still, if we want to anticipate the future—which occasionally is something an organization should do—then we can’t deny where the world is taking us. It’s taking us to a place where compliance and enterprise risk assessments will look and feel very, very similar.
Right now, companies are divided in how they do compliance risk assessments. According to the Deloitte Compliance Trends 2015 report, 82 percent of large companies do some type of assessment, but that group is split almost evenly in how they do it: one-third of them as a compliance-only exercise; one-third as part of internal audit’s risk assessment; and one-third as part of some other enterprise-wide assessment project. (Deloitte’s 2016 report is due soon, and I’ll report back on those numbers in the future.)
In the Future…
But when you consider those two forces, Big Data and growing regulatory pressure, you have to wonder what risk assessments will look like in the future. At some point, “relentless pressure on third-party oversight” translates into “supply chain efficiencies” that internal audit examines—because the risk of large fines can elevate that specific compliance risk into a general enterprise risk. One can easily imagine a similar dynamic for employee training, or know-your-customer policies, or whistleblower operations. Their risk becomes so acute it transcends the compliance officer’s concern.
Am I saying that compliance and internal audit will merge? Or that internal audit might take over management of some of these risks? No—although I won’t put it past companies to try either idea as a cost-saving measure. I also can’t help but recall the Institute of Internal Auditor’s recent guidance earlier this year on how internal audit can oversee some Second Line of Defense functions; maybe some companies strong on internal audit but weak on ethics & compliance might back into a consolidated function.
For now, I just want to focus on the risk assessment. That is all about looking at your operations as they are, and deducing where the risks might be. From here forward, “looking at your operations” will really mean looking at data and analyzing it, as Dan Zitting’s recruiter friend said. And internal auditors are really good at analysis. That is what they do.
In a future where “compliance risk assessment” and “enterprise risk assessment” becomes a distinction with no meaning amid all that data, you have to wonder how digging into that data will work—and who will do it.