Do your managers routinely self-report control issues or do they still have the 'let's wait and see if the audit team finds it' attitude?
The constant change affecting businesses, their objectives and the overall work environment has weakened operational management's effectiveness at defending against risk. Relentless business change has often left middle management too distracted and exhausted to effectively enforce policies, adapt controls or respond to new risks that could ultimately undermine not just their performance, but that of the company as well.
As a result, management frequently fails to act as an effective first line of defence. Worse, some might deliberately avoid disclosing known risk issues and instead wait to see if Internal Audit is able to find the management control failings.
Within this context, it's no surprise that management is often unwilling or unable to communicate risk. In fact, CEB research shows that self-reporting rates are extremely low across industries, with an average of only 6.2% of total control issues being self-reported by management.
Because management often has the best understanding of risk and control issues in their business, it's vital that they be encouraged or required to proactively report them. After all, the increased likelihood of risk and control issues being trapped in the organisation can undermine the Internal Audit team and the assurance they provide to the audit committee - not to mention the disastrous implications it can have for the company.
As such, self-reporting is quickly becoming a key priority for many Internal Audit teams across the globe. As one chief auditor of a global financial services company recently told us, "historically, the business adopted a 'let's wait and see if the audit group finds it' attitude toward reporting issues. However, in this new environment, we want everyone to act as risk managers on behalf of the firm."
It's this type of proactive mind-set that is critical to effectively mitigate risk. Close collaboration between Internal Audit and management - to identify the risk and control issues that matter most and to develop an effective remediation strategy - can significantly improve overall risk management effectiveness. So, how can we encourage better collaboration between these two functions?
Companies need to establish a clear process for self-reporting by management and a supportive culture that sees self-reporting as a required activity and, more importantly, as a sign of manager strength not weakness. To foster a management mind-set that embraces the importance of proactively identifying and resolving risk and control issues, Internal Audit teams should embrace the following:
1. Gauge Readiness: Recognising the competing demands placed on the first line of defence, determine whether your organisation is prepared, both operationally and culturally, to adopt an enterprise-wide management self-reporting system.
2. Highlight the Benefits: Educate management on the business benefits of self-reporting control issues and clarify their roles and responsibilities.
3. Make Things Easy: Develop reporting tools that minimise the effort required of managers such as offering reporting through a Risk & Control Self-Assessment process.
4. Make It Engaging: Involve senior management in an awareness campaign about the importance of promptly and fully self-identifying and reporting issues.
5. Encourage Year-Round Involvement: Capture self-reported issues during the audit process as well as those outside of traditional procedures and ensure that they are promptly reported upwards.
6. Provide Useful Guidance: Create clear criteria for effective self-reporting, including what defines an issue that merits self-reporting, how much the issue needs to be investigated before reporting and how detailed the proposed remediation plan should be.
7. Understand What's Important: Use self-reported control issues to make audit engagements more focused and efficient, and avoid time wasted identifying control issues already known by management.
8. Rate & Report Management Effectiveness: Evaluate line management on the effectiveness of their self-reporting activities and incorporate that rating into audit reporting for senior management.
9. Establish Incentives: Collaborate with HR to design incentives that encourage more timely and accurate self-reporting of material issues.
10. Leverage Existing Protocols: Train auditors to encourage management self-reporting throughout their audit engagements and leverage any existing mechanisms like Health & Safety processes or Six Sigma protocols.
Although developing a self-reporting program significantly benefits assurance and the business, the process for developing such an approach is not easy. Internal Audit must methodically evaluate management's readiness to self-report, enable self-reporting across the organisation, incorporate self-reporting into audit workflows, and sustain a culture of self-reporting throughout the organisation.
Join the discussion on self-reporting and let us know your thoughts by leaving a comment below.
Ian Beale is a senior director in CEB's Legal, Risk, Audit and Compliance practice, based in London. Read our "Risk Intelligence Quarterly," which is focused on how to manage enterprise-wide risks such as self-reporting here.