The Committee of Sponsoring Organizations of the Treadway Commission has released a new paper Wednesday on unifying COSO’s enterprise risk management framework with “agile” practices in internal audit and other functions.
The guide explains how agile practices can make risk management more effective. It gives some examples of how the internal audit function and other parts of an organization can be more flexible and adaptable with risk management. In one example, a company performs traditional audit and ERM functions with a 12-month plan, but now the plan would only be locked in for two quarters at a time, allowing risk and audit managers to increase the agility of the organization. COSO is supported by the Institute of Internal Auditors, the American Accounting Association, the American Institute of CPAs, Financial Executives International and the Institute of Management Accountants.
In another example cited in the report, an internal audit team chose to meet with the business more frequently to focus on meeting business needs. “By focusing on the problems the company was trying to solve – rather than following a traditional approach – the team further helped the company and earned its respect,” wrote Paul Walker, executive director of the Center for Excellence in Enterprise Risk Management at St. John’s University of New York, in the COSO report, “Enabling Organizational Agility in an Age of Speed and Disruption.”
“These sprint-style meetings usually started at a higher level and left room for just walking away after gaining that opinion,” Walker added. “The team took a ‘choose’ approach rather than a ‘must do’ approach. In some cases, the team performed short sprints to get to the root causes faster. In other cases, they performed a sprint alongside the business unit sprint.”
The concept of agile management has gained popularity in the technology arena, but has spread more widely over the years.
“Agile is something that originally started in the IT world, primarily as an agile approach to systems development projects,” said COSO President Paul Sobel. “It has now evolved into a larger concept. Some of the same terms and approaches are used but are broader than IT projects. The emphasis is that in an ever-changing or fast-changing world like this, it is very important for a business to remain nimble and forward-thinking. Otherwise, they may be left behind. So, as these approaches have evolved, we thought it was worth posting advice like this, as we believe it helps those involved in risk management. Sometimes internal auditors will play this role – not always – but those involved in risk management will be in a better position to try to work with and advise others in the environment on how risk management may be affected by an agile approach, but also to ensure that risk managers are more agile in their approach to enterprise risk management. In terms of what this means for internal auditors, as internal audit plays an important and defined role in risk management, I think this guide is a must read as it will really help them understand better what they need to do to ensure they can best apply COSO risk management principles in an agile way.”
The guidelines may apply not only to internal auditors, but also to external auditors who work for audit firms.
“For internal auditors who aren’t specifically responsible for risk management — and I assume that would apply to external auditors as well — I think the guidance is also very helpful,” Sobel said. “If you are an internal auditor in an agile environment, or an external auditor auditing the client following agile approaches, this helps you better understand how they may approach strategies and objectives a little differently and how risks may be affected in an agile environment, an environment that is perhaps different from a more traditional type of environment.”
Sobel himself worked as an audit manager at papermaker Georgia-Pacific, and he saw how internal auditors could use the guidance from that perspective. “Either our organizations are already agile and I need to make sure we help advise them on how to optimize in an agile environment, but even more so make sure we develop our audit plan and actually implement more agile internal audit approaches ourselves so that we can fit into that culture,” he said. “The second alternative is if it’s not yet a very agile culture, but maybe is looking to go in that direction. These tips can help internal auditors be great advisors on how you get there, what does it mean, what are the keys to success, and more.”
The guidelines are organized around COSO’s Enterprise Risk Management Framework, but they could also work in tandem with COSO’s Internal Control Framework, which is used by many audit firms. “It’s structured around the COSO ERM framework,” Sobel said. “It doesn’t necessarily touch on all the principles, but this framework really applies to any organization. If I am an external auditor and I have a client that is moving towards agility, I want to understand what this means and how do we view our risk assessment? Sure, it might be financial reporting or fraud risk if you’re an external auditor, but how we view risk might be a little different in an agile environment than in a more traditional one.”
The two frameworks more or less work together, and the new guidance could fit into audits of internal controls over financial reporting as well as enterprise risk management.
“We focus on the ERM framework, but the internal control framework is really a subset of ERM and focuses on one type of risk response, which is risk reduction,” Sobel said. “That’s basically what internal controls are. Now that we’ve released the guidelines, I’m going to start talking about them at some of the presentations I do around the world, and I’ll argue that even though it’s ERM, there’s a lot to learn here also around internal controls.”