10 Most-read Blog Posts of 2020 About “Internal Auditors”

From Mr. Richard Chambers


Internal Audit, COVID-19 Risks, and the Year Ahead

By Richard Chambers, President and Chief Executive Officer of The Institute of Internal Auditors


Readers of my blog know that, in recent years, I have constantly emphasized the importance of internal auditors anticipating future risks for our organizations. As I observed in a 2018 blog post:

As a profession, internal auditors have cultivated a long and respected legacy as purveyors of hindsight. Almost all of us are adept at looking at last year’s data and telling management where past mistakes were made. While hindsight is a necessary part of internal auditing, 20/20 hindsight is one of our least valuable skills. Often, our clients are already aware of past mistakes.

With the advent of operational auditing and, ultimately, the introduction of consulting/advice into our portfolio of services, we also became purveyors of insight. Insight is generally seen as more valuable than hindsight to our beleaguered stakeholders, but it too suffers from limitations in an era when risks emerge at warp speed. Today’s insight may well be tomorrow’s hindsight.

There will always be a need for hindsight and insight, but foresight is the ultimate source of value. Stakeholders seek to navigate the future more than revisit the past or dwell in the present. It is time for internal auditors to focus our telescopes ahead. We need to concentrate on the risks of tomorrow if we are to not only protect but enhance value for our organizations.

As important as it was to identify emerging risks two years ago, anticipating risks has never been more critical than it is today. The COVID-19 pandemic has accelerated the velocity of risk to an unprecedented level. For many organizations, risk assessments undertaken in 2020 have had shelf lives of only weeks or days. Each day brings new developments that directly influence the likelihood and potential impact of future events.


Consider a few of the uncertainties that organizations may face in just the fourth quarter of 2020:

  • Will there be a second wave of COVID-19 infections where our organization operates?
  • Will government officials and regulators relax quarantine restrictions that impact my company/industry?
  • Will there be additional stimulus relief from the federal government?
  • Will U.S. elections impact the equity markets?

As much uncertainty as there is in that list, remember that the fourth quarter is only days away. I believe those uncertainties will be only a drop in the bucket compared with the uncertainty of risks we face in 2021. Yet, if we are to be a source of value to our organizations, we must pull out our telescopes again and start surveying the horizon.

Better yet, we must start looking beyond the horizon – deep into 2021 – to identify emerging risks.

Many internal auditors are intimidated by the prospect of foreseeing future/emerging risks. We are uncomfortable because we lack the empirical evidence that we rely on in so much of our other work. However, this really isn’t rocket science. As I observed in the 2018 blog post:

There is no silver bullet for identifying emerging risks. Like all risk assessment, there is a degree of art in addition to science. However, if internal audit isn’t looking in the right direction, there is a greater likelihood of missing emerging risks. But just as storms in the Northern Hemisphere often emerge from the west, there are directions from which potential risks facing your company are likely to emerge.


For 2021, these could include:

  • Prospects for a COVID-19 vaccine, its potential timing, and how it could impact your company/market.
  • Prospects for renewed/extended COVID lockdowns in your region/market that will continue to disrupt or re-disrupt continuity of your business operations.
  • Economic forecasts, macroeconomic as well as those facing your industry.
  • Prospects for additional government stimulus and any provisions that would benefit your organization/sector.
  • Other COVID-19-related disruptive threats or opportunities facing your industry.
  • Resilience of the supply chain(s) upon which your organization depends.
  • Outlook for the flu season and how it could exacerbate another COVID-19 wave.
  • Geopolitical developments and the potential for extended international travel restrictions.

Regardless of the steps you take to identify emerging risks, you must remember that the risk assessment is a means and not an end. A risk assessment can serve several important purposes, but I believe the two most important uses for internal audit are: 1) to serve as a basis for audit planning, including securing the talent to address the risks and 2) to share internal audit’s perspective on emerging risks with management and the board.

Of course, our perspective will be useful, but certainly it shouldn’t be the first time management gives thought to these risks. As I noted before:

Identifying emerging risks should be a collaborative process with management. After all, management is likely to have already identified many emerging risks that threaten the organization.We should position ourselves as a partner, not a competitor trying to one-up management, when it comes to emerging risk acumen.

After fully vetting our inventory of emerging risks, we should be prepared to share our perspectives with the audit committee. Our conversation must include our own plans for monitoring and responding to these risks as the organization’s internal auditors.

The COVID-19 pandemic presents both risks and opportunities for internal audit. If we are proactive in identifying the risks that the pandemic presents, we have the opportunity to reinforce the value we deliver. The world’s best internal audit functions are already looking at 2021, and they are preparing to address the emerging risks that are almost certainly heading our way.

To be ready for 2021, we must start preparing now.

Copyright 2020 – Richard F Chambers and The Institute of Internal Auditors. Article was orignally published in Feb  2020 at ,The Institute of Internal Auditors website iaonline.theiia.org/blogs.


About Author:

Mr . Richard Chambers Serve as the Global President and CEO of The Institute of Internal Auditors (IIA), representing 195,000 members in 170 countries worldwide. The IIA is the internal audit profession’s global voice, chief advocate, recognized authority, acknowledged leader, and principal educator. Serve along with the Chairman of the Board, as the chief spokesperson and advocate on behalf of the global internal audit profession.

Direct more than 200 professional staff at the IIA Global Headquarters in achieving the agreed-upon strategies and objectives on behalf of the North American and Global Boards of Directors.

Over almost 10-years as the Global CEO, The IIA has achieved unparalleled growth and progress, including record membership, more than 100% increase in gross revenues, and a 800% increase in net assets. As CEO, directed the launch of the Audit Executive Center, the Certification in Risk Management Assurance, Internal Auditor Online, the AuditChannel.tv, and the American Center for Government Auditing. Serve concurrently on the COSO Board of Directors and the International Integrated Reported Council. Recognized by the Orlando Business Journal as “CEO of the Year” honoree in 2016.

Author of two award-winning books: “Lessons Learned on the Audit Trail” in 2013 and “Trusted Advisors: Key Attributes of Outstanding Internal Auditors” in 2017.