This chart can help you decide quickly where your organization is positioned.
A supportive environment and strong behaviors place you in the highly desired quadrant 1. But plenty of controls matched with inconsistent daily human behaviors can move you down to quadrant 2.
And no amount of enhanced or additional policy, procedure or leadership ‘tone’ will fix your problem. It has been my experience that 90% of organizations exist and operate primarily in quadrant 2.
At the risk of overstating the obvious, this simple four-quadrant analysis may be all that is needed to know with certainty where corrective activity must occur to move towards the ideal, ‘top-right’ quadrant results.
Bringing focus to the risk-audit relationship
In general, an auditor’s role is to identify risks and evaluate management’s controls and procedures to manage those risks. We do that through testing, data analytics, research, industry benchmarking and a long list of other tools. We also fulfill our role by asking questions and listening to the answers. (Remember the definition of an “auditor” in part one?)
Conclusion
Strengthening the risk-audit relationship can help auditors cut through complicated risk models to ensure we focus on what matters most to our organization. But remember, one size does not always fit all. The amount of time and resources we spend measuring and monitoring depends on our industry, business model, leadership team, and an evaluation of the current state of controls and behaviors.