by Tom Hanlon
Kurt Gabouer, Mark Peecher, Thomas Duffy, Stacy Sturgeon, Bob Litt
“Whether you aim to be a CEO, a CFO, or an auditor,” said Thomas Duffy, “the dialogue that you will have every day will center around risk. You will always be thinking about risk.”
Duffy, the national managing partner of audit for KPMG LLP, the audit, tax and advisory firm, spoke recently to students attending a Department of Accountancy Lyceum. Duffy pointed out these hot spots for risk:
- Emerging technologies/pace of change
- Disruption of business model
- Information privacy/cyber security
- Globalization and systemic risk
- Extended organization (vendors, suppliers, partners, supply chain, outsourcing)
- Business transformation, mergers and acquisitions, changes in operational environment
- Compliance and government regulation
Those are a lot of hot spots, Duffy acknowledged. A lot can go wrong. And auditors, as well as management and audit committees of their clients, need to constantly be aware of those risks – and understand there are a lot of external factors that influence those risks.
“Enterprise risk,” Duffy said, “is the way we go about things in thinking about all these factors that could ultimately impact the overall strategic direction of a company. How do you mitigate risk at an acceptable level?
“How companies manage those risks has a huge impact on the audit procedures that we have to perform.”
Companies need to understand their risk hot spots and put controls in place to manage those risks. Those areas that may require increased controls, Duffy said, include:
- Strategic planning and execution
- Board and committee oversight
- Internal audit
- Financial reporting and internal controls
- Contingency planning
- Risk management
“You need to piece it together,” he said. “You say, these are my risk hot spots. I have risk in technology or in business transformation, changes in my operating environment; how do I manage these risks? Who in my organization can help me think about these risk hot spots?”
That risk management begins with strategic planning and execution, Duffy noted. “Management manages risk, and the board and audit committee have risk oversight,” he said. “The long and short of it is, many of the risks that companies have fall right into the lap of the audit committee for oversight. When those risks are identified, procedures to mitigate the risk are developed by management and monitored by internal audit.
“The key element is that you have a lot of constituencies involved in developing controls and managing risks associated with that. That’s the governing process around all this.”
But, as Duffy said, those risks are often coming from outside of the company. “You have to look outside your four walls,” he said. “You look at the level of uncertainty. Whether it’s fiscal uncertainty in the US, or the Euro, or China -- whatever the risk is, it can have significant impact on the company’s ability to manage its own risks.”
Duffy related the story of a KPMG client who in 2009 was experiencing a significant credit crunch. “This client was a major medical device company,” he said. “The company’s CEO told us that some of his suppliers were impacted by the credit risk to where they couldn’t borrow. So our client couldn’t get the components they needed, and they didn’t have the appropriate backup suppliers. This obviously impacted their product and their ability to ship and generate revenue.”
What that client had failed to do, Duffy noted, was think of the “what-if” scenarios – the low probability but high impact risks. Every company needs to do this. “What if my supplier can’t deliver equipment or materials?” he said. “What is the potential impact to the company?”
Auditors need to be adept not only at uncovering and understanding risk, but also at communicating it to their clients. “You get to a point where there are a range of possible outcomes,” Duffy said. “In any of these risk areas, you could go from A to Z in possible outcomes.
“What were the judgments related to risk? Have they been consistently applied? We spend a lot of time dealing with companies on management estimates and areas of judgment.”
The impact of innovation and social media
Auditors are also spending a lot of time with clients who are focused on growth and innovation. “You can’t talk to any of our clients without realizing the big push these days in growth and innovation,” Duffy remarked. “They have on their agenda that they need to transform with innovative technology. They need to determine how to maximize technology and how to minimize risk.
“Well, there are two sides to that risk. There’s a risk if you don’t do it, and you become obsolete, and there’s a risk that if you go too fast, and you don’t build in controls for that risk, then you can find yourself in trouble.” Companies are walking the fine line between innovating where not many companies have gone before, and controlling the inherent risk involved.
Duffy also acknowledged the double-edged sword of social media. “Social media is unbelievably powerful,” he said. “But it presents a tremendous risk as well. We’re privy to a lot of information that could put our clients and our firm in harm’s way” if it is made public through social media. “You can’t let proprietary information get out into the public.”
Just as social media has changed the way people communicate, the changing economy, political unrest, and technological innovations have changed the way auditors must go about their work.
Need for a global perspective
“Without having a global perspective, without understanding what technology can do, without having the big picture in front of you, you won’t be able to audit,” Duffy said. “It’s critical that we have a deep level of understanding to be able to say, okay, in this area the risk is either reduced or it’s increased. If the risk is reduced, the procedures might be reduced. The type of work that we do might be affected. If the risk is increased, we might have to do far more procedures to assess controls.
“You can have an immediate impact when you join the profession if you have these perspectives,” he added. “You can have an impact if you’re thinking about all those factors that come into play.
“But it’s a lot of work. If you plan the work right, the execution is a lot easier. But if you don’t plan it right, if you don’t take into consideration all the risks involved, then you may have to go back and rethink all you did.”