Effective risk assessment (ERM) is increasingly important to the success and sustainability of any business. As firms evaluate their long-range goals, the risk of disruption stemming from internal controls has become more prominent. Donald Caputo, Shearman & Sterling's Chief Internal Auditor with 27 years of experience in audit and compliance, stresses the importance of systematic assessment as a foundation for evaluating events, processes, systems, employee conduct, and knowledge capital.
How do you define the role of an internal auditor?
I see the internal auditor role as historically defined: an independent, objective, and ethical resource designed to improve an organization's operations by following a systematic, disciplined approach to evaluating, assessing, and improving effectiveness through risk management, control systems, and governance processes. My global responsibilities remain keenly focused on control, risk, safety, and soundness, including providing an established audit presence in each of the firm's worldwide offices.
Because risk is inevitable in any business, proactive thinking and planning are essential. Placing a "stop sign" after an accident occurs is reactive and detrimental to business flow. This applies to all levels of partnerships and financial service organizations. By performing routine examinations and risk assessments, an internal auditor provides reasonable assurance that all aspects of the organization's internal control structure are sound.
How will internal risk evolve in the future?
I recently read that internal auditors will likely focus less on internal controls and more on risk management and governance. I completely agree. With the ever-increasing threat environment a firm faces, it is essential for auditors to strike a balance between verifying strong controls and paying attention to risk management, which invariably leads to the need for a particular control. Strong internal controls are a means to an end and should be kept in perspective. I further agree with the prediction that we could see a shift in the reporting structure for internal auditors, as audit committees become risk committees or a type of hybrid.
Can you walk us through your process? For example, how do you approach an internal audit with operational units so vastly different in scope, let alone global cultural nuances, and keep an effective cycle of review in process?
I approach an internal audit as a consultative process. An audit isn't an evaluation, but rather an independent assessment of risk and strength of controls. I have found that, through this approach, I can be regarded as more of a resource, a consultant who can collaborate more effectively in finding workable solutions to improve the business. Audit reports summarize real action items with recommendations that are practical and constructive to the organization or operational unit. I structure each audit with the goal of developing an entrenched mindset and maintaining a robust control structure and attention to risk, each becoming a learning experience and an exercise in improvement. The larger and more global an organization, the more difficult it is to cycle audits all at once, so I have developed a cycle based on a risk matrix and other factors aimed to provide efficient coverage. In a multinational organization, an internal auditor must also acknowledge that there often exist silos of information and processes that, while not practical at the organizational level, are, in many cases, a local business necessity. Being sensitive to these local practices as well as cultures and traditions is essential to obtain a value-added result.
Once you identify a risk, how do you partner with management to address it?
Once an audit is completed, a report of recommendations for improvement, including a respective assessment of associated risks, is submitted to management for a response. As internal auditors are not responsible for the execution of company business plans, they should be a catalyst for timely attention to audit findings and recommendations and ensure that management memorializes detailed corrective actions, including setting reasonable time frames and prioritizing risk. Material weaknesses and fraudulent or substantial risk disruptions are naturally addressed more directly through a very collaborative and hands-on dialogue with senior management.
Where does knowledge capital and knowledge management fit into the risk scenario?
In my risk-assessment scenario, knowledge capital management is given a high priority, particularly as part of high-profile succession planning. If left unchecked, lack of management could lead to a serious disruptive risk to an organization. Determining a risk's priority requires a comprehensive audit risk matrix specific to an organization, which, for instance, identifies a risk score within specific risk categories (finance, technology, governance, etc.), thereby defining a priority of importance. Notwithstanding anything illegal, unethical, or fraudulent, these identified business risks are generally a subjective assessment; however, they also take into account industry standards, individual corporate cultures, and prior audit reports.
Take, for example, an organization's knowledge management or internal control environment as an identified risk category. I've designed my assessment using a weight scale of 1 to 10, with 10 being a critical risk to the organization, and a risk scale from 1 to 3, with 3 being defined as a high risk. I calculate a risk score for this category as it applies to its importance in each business process, department, or office. By assigning these individual scores to each category, I achieve an overall risk score as it applies to each auditable entity, thus allowing me to prioritize and ensure I'm giving the highest risks routine coverage and further provide assurances to management.
I emphasize that there is a great deal of subjectivity to assigning risk values and weights that align with business and strategic goals, and each must be ideally tailored to the business culture. As classifications of priorities shift with business trends, and process improvements modify the formulaic outcome, a robust risk matrix should also be fluid and be reworked or reassessed at least annually.
How would you advise a manager or director to approach a departmental risk structure audit?
- Identify key roles in your department and assign risk values.
- Name your top assets; identify, and classify what is important to your operations.
- Assign weights and risk scores to those assets specific to your business and efficiency level of your control structure.
- Communicate a sustainable, actionable plan and ensure controls and processes are in place to mitigate the identified high risks and begin planning for lesser risks.
- Review at least annually.
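The weighted risk matrix described in the earlier answer (a 1 to 10 weight per category, a 1 to 3 risk level, a score per category rolled up into an overall score per auditable entity) and the five-step departmental procedure above can be worked through in a few lines of code. The following is an added example written for this page; it is not Mr. Caputo's or the firm's own tool. The interview does not state how the category score is derived, so multiplying weight by risk level, summing the categories for each entity, and treating any category rated 3 as the "high risk" that needs a mitigation plan are assumptions made here, and the entities, categories, weights and ratings are constructed sample data.

```python
"""Risk-matrix scoring for auditable entities (offices, departments, processes).

Assumptions, not stated in the interview: a category's score is weight * risk
level; an entity's overall score is the sum over its categories; a category
rated 3 is a "high risk" needing a mitigation plan. All data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WEIGHTS = range(1, 11)       # 1..10, where 10 = critical to the organization
RISK_LEVELS = range(1, 4)    # 1..3, where 3 = high risk
HIGH_RISK = 3


@dataclass(frozen=True)
class Assessment:
    entity: str      # auditable entity, e.g. an office or department
    category: str    # risk category, e.g. finance, technology, governance
    weight: int      # 1-10 importance of this category to the entity
    risk: int        # 1-3 assessed risk level


def category_score(weight: int, risk: int) -> int:
    """Weighted score for one category; values outside the scales are rejected."""
    if weight not in WEIGHTS:
        raise ValueError(f"weight {weight} outside the 1-10 scale")
    if risk not in RISK_LEVELS:
        raise ValueError(f"risk level {risk} outside the 1-3 scale")
    return weight * risk  # assumed aggregation


def entity_scores(assessments: List[Assessment]) -> Dict[str, int]:
    """Overall score per entity: the sum of its category scores."""
    totals: Dict[str, int] = {}
    for a in assessments:
        totals[a.entity] = totals.get(a.entity, 0) + category_score(a.weight, a.risk)
    return totals


def rank_entities(assessments: List[Assessment]) -> List[Tuple[str, int]]:
    """Entities ordered highest score first; ties broken by name for stable output."""
    return sorted(entity_scores(assessments).items(), key=lambda kv: (-kv[1], kv[0]))


def high_risk_items(assessments: List[Assessment]) -> List[Tuple[str, str]]:
    """(entity, category) pairs at the top of the risk scale: mitigation plan first."""
    return [(a.entity, a.category) for a in assessments if a.risk == HIGH_RISK]


def audit_cycle(assessments: List[Assessment], routine_share: float = 1 / 3) -> Dict[str, str]:
    """Give the top share of ranked entities routine coverage; the rest rotate cyclically."""
    ranked = rank_entities(assessments)
    cutoff = max(1, round(len(ranked) * routine_share))
    return {name: ("routine" if i < cutoff else "cyclical")
            for i, (name, _) in enumerate(ranked)}


# Constructed sample: three auditable entities rated across four categories.
SAMPLE: List[Assessment] = [
    Assessment("London office", "finance", 8, 2),
    Assessment("London office", "technology", 7, 1),
    Assessment("London office", "governance", 6, 1),
    Assessment("London office", "knowledge management", 9, 3),
    Assessment("New York office", "finance", 9, 1),
    Assessment("New York office", "technology", 8, 2),
    Assessment("New York office", "governance", 7, 1),
    Assessment("New York office", "knowledge management", 9, 2),
    Assessment("Records department", "finance", 3, 1),
    Assessment("Records department", "technology", 5, 3),
    Assessment("Records department", "governance", 4, 2),
    Assessment("Records department", "knowledge management", 6, 1),
]

if __name__ == "__main__":
    for name, score in rank_entities(SAMPLE):
        print(f"{name:20s} overall risk score {score:3d}  coverage: {audit_cycle(SAMPLE)[name]}")
    print("high-risk items needing a mitigation plan:", high_risk_items(SAMPLE))
```

Re-running the script after the annual reassessment (step five of the procedure) with updated weights and ratings is what keeps the matrix "fluid": the ranking and the routine/cyclical split follow the new numbers rather than last year's judgement.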
Internal risk structures can effectively reduce financial, operational, legal, and reputational risk. Effective risk management is an ongoing process that requires continuous oversight and top-down support within an organization. If a culture of risk management is unclear or poorly communicated—or for that matter never communicated—an organization is exposed to the loss of intellectual capital, operational inefficiencies, damaged reputation, and financial loss. Effective risk-based internal controls produce powerful benefits and strategic competitive advantage.