COSO guidance urges more agility in risk management, auditing

The Committee of Sponsoring Organizations of the Treadway Commission released a new paper Wednesday on uniting COSO’s enterprise risk management framework with “agile” practices in internal auditing and other functions.

The guidance explains how agile practices can make risk management more successful. It gives some examples of how the internal audit function and other parts of an organization can be more flexible and adaptable with risk management. In one example, a company does traditional auditing and ERM functions with a 12-month plan, but now the plan would be locked in for only two quarters at a time, allowing the risk and audit executives to increase agility in the organization. COSO is supported by the Institute of Internal Auditors, the American Accounting Association, the American Institute of CPAs, Financial Executives International and the Institute of Management Accountants.

In another example cited in the report, an internal audit team chose to meet with the business more frequently to focus on meeting the business needs. “By focusing on problems the business was trying to solve — rather than following a traditional approach — the team helped the business more and gained its respect,” wrote Paul Walker, executive director of the Center for Excellence in Enterprise Risk Management at St. John’s University in New York, in the COSO report, titled “Enabling Organizational Agility in an Age of Speed and Disruption.”

“These sprint-style meetings usually started at a higher level and left open the option of just walking away after gaining that view,” Walker added. “The team adopted a ‘choose’ approach rather than a ‘must do’ approach. In some cases, the team did short sprints to get to the root causes more quickly. In other cases, it did a sprint alongside the business unit’s sprint.”

The concept of agile management gained popularity in the technology field but has spread more widely over the years.

COSO chairman Paul Sobel speaking at an Institute of Internal Auditors conference

Courtesy of COSO

“Agile is something that originally started in the IT world, primarily as an agile approach to system development projects,” said COSO chairman Paul Sobel. “It has evolved now into a broader concept. Some of the same terms and approaches are used but are broader than just IT projects. The focus is in an ever-changing or rapidly changing world like this, it’s very important for a company to remain agile and anticipatory. Otherwise, they can be left behind. So as these approaches have evolved, we thought it was worth issuing guidance like this because we think it does help people involved with risk management. Sometimes internal auditors will play that role — not always — but those involved with risk management will be in a better position to try and work with and advise others in the environment around how risk management can be affected by an agile approach, but also to make sure that risk managers are being more agile in their approach to enterprise risk management. In terms of what it means for internal auditors, to the extent that internal audit has a prominent and defined role in risk management, then I think this guidance is a must read because it will really help them better understand what they need to be doing to make sure they can better apply COSO’s risk management principles in an agile way.”

Not only internal auditors might be able to apply the guidance, but also outside auditors who work for auditing firms.

“For those internal auditors that are not specifically responsible for risk management — and I suppose this would also apply to external auditors as well — I think the guidance is very helpful too” said Sobel. “If you’re an internal auditor in an agile environment, or an external auditor auditing the client that follows agile approaches, it helps you better understand how they may be approaching strategies and objectives a little differently and how risks may be affected in an agile environment that’s perhaps different than a more traditional type of environment.”

Sobel himself worked as chief audit executive at paper manufacturer Georgia-Pacific and he saw how internal auditors could use the guidance from that perspective. “Either our organizations are already agile and I need to make sure that we are helping advise them on how to optimize in an agile environment, but more so, make sure that we are developing our audit plan and really implementing more agile internal audit approaches ourselves so we can fit into that culture,” he said. “The second alternative is if it’s not a very agile culture yet, but maybe looking to go that direction. This guidance can help internal auditors be really great advisors on how you get there, what does it mean, what are the keys to success, etc.?”

The guidance is organized around COSO’s enterprise risk management framework, but it could also work in tandem with COSO’s internal control framework, which is used by many auditing firms. “It’s structured around the COSO ERM framework,” said Sobel. “It doesn’t necessarily touch on every principle, but that framework applies to really any organization. If I’m an external auditor and I’ve got a client that’s moving in the agile direction, I want to understand what does that mean and how do we consider our assessment of risk? Granted, it may be financial reporting or fraud risk if you’re an external auditor, but how do we consider risk maybe a little differently in an agile environment than in a more traditional environment.”

The two frameworks more or less work together, and the new guidance could fit in with audits of internal controls over financial reporting as well as enterprise risk management.

We focus this on the ERM framework, but the internal control framework is really a subset of ERM and focuses on one type of risk response, which is risk reduction,” said Sobel. “That’s basically what internal controls are. Now that we’ve issued the guidance, I’ll be starting to talk about it at some of the presentations I do around the world, and I will be making that point, that even though this is ERM there’s a lot that can be learned here around internal controls as well.”

Source link