Internal auditors are shedding their number -crunching shells and taking wing as corporate-wide risk experts, recent trends seem to show. Building on their Sarbanes-Oxley (SOX) expertise in perfecting financial controls, auditors should--and many are beginning to--play critical roles in assessing enterprise-wide business and operational threats, according to a recent PricewaterhouseCoopers report. With SOX demands decreasing, notes Jim LaTorre, PWC internal audit services leader, "manpower is being freed up to tackle all risk issues that impact shareholder value."
That's presuming the environment is receptive, notes Michelle Scott, director of research and analysis at the Institute of Internal Auditors (IIA). "Our members are equipped and eager to contribute to risk assessment in all areas," she says. "It's more a question of whether management is open to the expanded role. You can tell executives all day about risks and what they should do about them, but it means nothing if those warnings are not heeded."
A case in point: A former internal auditor raised red flags about American International Group's derivatives valuations long before the insurer ran into trouble. Joseph St. Denis told a congressional panel in October that his early warnings about dangerous credit swap valuations were ignored by his boss, who, the auditor says, acknowledged "deliberately excluding" him from talks for fear he would "pollute the proceedings." Now, AIG could face criminal fraud charges.
AXA Equitable, among others, had keener foresight. "It's critically important to provide greater visibility by using strategic auditing methods in your organization," AXA senior vice president and auditor Andrew Raftis told a recent gathering of chief audit executives sponsored by software maker ACL Services, PWC and MIS Training Institute. Toward this end, says Raftis, "we are evolving internal audit to provide better auditing of organizational risk." And AXA's strategic audit team is making sure the lines of communication are open between auditors, the chief executive and the audit committee.
If other financial services companies had applied similar auditing strategies, particularly to credit risk, some might have been able to stem the losses that ultimately destroyed them, suggests PWC's LaTorre.
Moreover, if auditor evaluations extended to the supply chain and risks pertaining to safety, quality and reliability, the PWC whitepaper notes, lead-tainted products from China might have been prevented from hitting the market. Companies would also be well served if auditors participated in developing and monitoring processes to, say, detect and avoid discrimination lawsuits by customers, suppliers and employees, or to guarantee that pricing policies don't smack of collusion.
"Management is looking at the wealth of corporate knowledge and experience to make sure that the financial meltdown and other crises won't happen again," says IIA's Scott.