Internal auditors characteristically interpret professional requirements to contribute to organizational risk management as helping senior management address weaknesses and threats to achieving the organization's objectives. The tendency to focus on downside factors that can actually or potentially impede organizational success is well-established and provides value that must continue to meet professional and stakeholder expectations.
But what about the organization's strengths and opportunities and their contribution to organizational goals? The concept of positive auditing, an approach that extends risk-based analyses and plans to improve strengths and opportunities, can enhance the value of independent assurance. While a typical internal audit provides assurances on downside organizational weaknesses and threats needing to be addressed, positive auditing provides assurances on upside organizational strengths and opportunities that need to be sustained.
Risk-based plans should include assurances on strengths, opportunities, and upside factors deemed critical to achieving organizational objectives. Importantly, this expansion complies with the current Definition of Internal Auditing and mandatory requirements of the International Professional Practices Framework (IPPF). Positive auditing enhances the organization's reputation by addressing the interests of the organization's stakeholders on what is working, as well as identifying areas needing improvement.
A Shift in Approach
Shifting focus to strengths is consistent with innovations in the fields of social behavior. In 1998, after more than 100 years of primarily addressing the negative aspects of individual and social behaviors, the psychology profession formally expanded its scope to include the now burgeoning field of positive psychology. As noted by C. R. Snyder, Jennifer Pedrotti, and Shane Lopez in their book, Positive Psychology: The Scientific and Practical Explorations of Human Strengths, "positive psychology offers a balance to this previous weakness approach by suggesting that we also must explore people's strengths along with their weaknesses. … Positive psychology seeks a balanced, more complete view of human functioning."
By making a similar enhancement to how it sees and promotes itself, and how it is seen by its stakeholders, internal audit offers a more balanced and complete orientation to the assurance paradigm, which is a new area for service innovation and professional growth.
Balanced Engagement Reporting
Internal auditors have taken initiatives to provide more balance in their reports by including positive findings for engagements that normally focus on downside issues requiring improvement. This added balance demonstrates a greater understanding of business operations by internal auditors, motivates managers by recognizing where their efforts are showing results, and, consequently, encourages greater acceptance to address recommendations for improvement. Positive auditing builds on these initiatives and benefits by designing risk-based plans and engagements from the outset that consider the provision of high levels of assurance on positive areas deemed critical to organizational success within the domain of internal audit.
More Complete Risk Analyses
The IPPF defines risk as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." This definition is not limited to downside uncertainties; it also includes upside uncertainties, such as opportunities for gains.
The concepts of risk and risk management applied by internal auditors characteristically focus on addressing adverse uncertainties that are likely to negatively impact the achievement of organizational objectives. The orientation toward negative risk may be partly explained by the desire to minimize audit risk, such as the risk of making inaccurate assessments. As organizational weaknesses and threats often are known or suspected, there is less risk in accepting an internal audit and its recommendations. Because management makes decisions involving both upside and downside uncertainties, internal audit's risk analyses should be more comprehensive, leading to the development of more complete analytical tools and critical thinking.
More Complete Risk-based Internal Audit Planning
With positive auditing, risk-based audit planning broadens the scope of risk assessments to consider strengths and opportunities critical to the organization and where independent confirmation adds value. It brings consultations on internal audit plans more in line with management's interests in what is working and where independent assurances address the interests of external stakeholders. There is likely to be wider coverage and fuller alignment with the organization's business priorities.
There are occasions when independent evaluation and confirmation by internal audit of organizational strengths and weaknesses adds value. Consider three internal audit domains — organizational governance, risk management, and controls processes — which in the examples shown are not given priority in internal audit plans because there are no indications of significant adverse risk.
Organizational Governance This domain can benefit from assurances on organizational opportunities and strengths, as well as threats and weaknesses. Internal audit's objectives might be to:
- Ensure the organization appropriately administrates complaints concerning social and personal behavior.
- Ensure the integrity of positive performance information supporting year-end bonus payments to management.
Risk Management This domain benefits from oversight that provides comprehensive, validated information. The internal program of risk management considers strengths and opportunities, as well as weaknesses and threats to organizational success. Internal audit's objectives might be to:
- Ensure the robustness of the strengths and opportunities reported across the risk management program.
- Ensure the quality of due diligence activities in support of significant organizational initiatives and decision-making.
Examinations of Control Processes This domain provides operational oversight to keep the organization on track in achieving its objectives. Control processes adapt to evolving organizational needs. Internal audit's objectives may be to:
- Ensure the continued relevance and quality of performance standards and information relied on by senior management.
- Ensure the continued cost-effectiveness of systems of internal oversight.
These examples show where positive auditing might provide value-added assurance to the organization's stakeholders, even when the internal audit program and engagement plans are not expected to make material recommendations for improvement. The expanded scope into positive areas has the additional benefit of increasing internal audit coverage to find possible fraudulent behavior within the organization.
The Case for Positive Auditing
Positive auditing broadens the range of internal audit assurance services by enhancing systematic consideration of upside factors — organizational strengths and opportunities — in support of achieving organizational objectives. It provides a direction for service innovation and professional growth within the current IPPF by addressing upside risks and confirming what is working — both of which are deemed critical to organizational success.
It also contributes to organizational improvement by enhancing due diligence of management oversight and confirming the strengths in areas deemed critical to success. Internal audit processes increase analysis and attention to critical factors in the area being examined by all concerned. Should the examination disclose unexpected areas for improvement, management will have shown itself to be proactive and diligent in its pursuit of organizational performance. Either way, the confidence of external and internal stakeholders in management oversight is increased.
Positive auditing also provides an opportunity to enhance the paradigm of the internal audit profession, expand the range of assurance services in risk-based plans, and tell new stories to our varied stakeholders. The internal audit community should consider the matter together, consult with stakeholders, and determine the extent to which positive auditing offers a viable direction for innovation in the profession.
Source: Internal Auditor: The Upside of Risk (url), The Upside of Risk (pdf)