As I reflect upon the last 20 years of my career in Internal Audit, there are two constants: an ever-changing business environment and the continual challenge of incorporating risk into our audit activities. With risk continually at the forefront of the profession, having been incorporated into our authoritative guidance, why is it that I run across so few people who are satisfied with their risk program and the role it plays in the work of internal audit? With effective risk programs remaining elusive I am reminded of King Arthur’s search for the Holy Grail. Will incorporating risk into internal audit remain unfinished as was the grail quest?
Now I am sure that there are those who feel they have implemented effective, value-added Risk Management programs in their departments and their companies. I just haven’t met enough of these people to reach that conclusion. Consider also that those small- to medium-sized companies that would benefit greatly from an effective Risk Management program are those that can least afford the ongoing costs of such a program. So rather than get into a debate about anecdotal risk success stories, let’s look at what Internal Audit can do to successfully incorporate a risk strategy into our auditing activities to help our companies begin to be risk-focused in their daily activities.
First, we must start with the proper perspective. Instead of considering all risks that could impact the organization anywhere, anytime as would be done in a comprehensive Enterprise Risk Management (ERM) based approach, an alternative is for Internal Audit to pursue a more limited approach that focuses upon risks to specific company initiatives and programs. Limit the risk focus and shrink the scope of risk efforts to those projects that are management’s current priorities. Internal Audit can focus on those risks that will directly impact the company’s existing strategies, goals and initiatives; the company’s annual plan, if you will.
Once a function decides to address risk in this fashion, there are some foundational elements and factors to be considered, including the following:
King Arthur never completed his quest for the grail. Internal Audit has been on its own quest for decades, but success in the area of Risk remains elusive. By employing a limited, yet focused, approach to addressing risk, Internal Audit has the opportunity to finally complete its quest and in the process position itself for the profession’s next challenge – increasing enterprise value.
Brad Zolkoske is a CPA and an experienced Chief Audit Executive that specializes in starting up Internal Audit Departments for small and medium sized manufacturing companies. During the course of his 30 year career he has held audit management positions with such companies as Freightliner Corporation, Louisiana-Pacific Corp., Nautilus, Inc., and International Coal Group. Most recently he started up the audit function for Dura-Line Corporation; a US based manufacturing company with production on five continents.
A native of Oregon, Brad currently resides in Knoxville, Tennessee. He is a frequent speaker for the MIS Training Institute and has participating in programs such as SuperStrategies and the Manager’s and Directors Symposium. Having graduated from Portland State University with a degree in Accounting Brad specializes in developing and managing small audit departments that focus upon analyzing yesterday’s data using today’s processes to ensure tomorrow’s success.