Steve Forman (LinkedIn), Senior Vice President at Strategic Management Services, had an eye-opening experience years ago when interviewing for the job of Vice President of Audit and Compliance for New York Presbyterian Hospital. The chair of the board’s audit and compliance committee told him that his main role was not to find problems or weaknesses but to validate through the discipline of the audit processes what management suspected were problematic areas in terms of audit and coverage of risk areas.
That insight had several implications. First, it underscored that operational managers will always know more about their risk areas than auditors will, which means they are in the best position to identify problems and weaknesses. Second, it was a good reminder that there are never going to be enough auditors to even address the high risk areas. Once again, we are dependent on managers.
So what does that mean? It means that monitoring should help drive the audit plan and strategy. In addition, managers need to be listened to on a regular basis, and they should be charged with monitoring.
In addition, he observes that the risk assessment must also not be treated as a static document. Risks can go up and down during the course of the year, and the risk mitigation strategy needs to be adjusted with it.
Listen in to learn more about how to improve your monitoring and auditing, as well as the role of management in it.