Welcome to Blog EN - Business & IT Transformation

cancel
Showing results for 
Search instead for 
Did you mean: 

What does the Newlywed Game mean for Internal Audit?

0
0
internal-audit-newlywed.png

What is the Newlywed Game?

It was a TV game show that first aired in the 1960’s where newly married couples would be pitted against each other in a series of revealing question rounds to determine how well the spouses knew each other: if both spouses gave the same answer to the same question, then they won the round. The show became famous for some of the arguments that couples had over incorrect answers in the form of mistaken predictions, and it even led to some divorces.

How does it relate to an Organization?

Any organization has a certain culture and values that, in turn, steer its attitude to risk taking. Ensuring all parts of the organization abide to this risk culture is called Risk Assurance and is usually performed by Internal Audit reporting to the organization’s board. Internal Auditors usually would be the last line of defence in a series of 3. The other 2 are Controllers (1st line as operational) and Risk Managers (2nd line). Applying the Newlywed principle, the risks are the questions, the Risk Managers and Controllers are the spouses and the Internal Auditors are the game show host.

What do Internal Auditors usually do?

An Internal Audit Director’s job is to provide assurance to the board that the organization’s risks are managed in line with its risk attitude. In order to do so, Internal Audit has to (obviously) audit the parts of the organization less likely to abide to this risk attitude and report Findings and Recommendations to the Board. When planning Audit missions, the difficulty lies in choosing the Risks to include in the next Audit scope.

Why would Internal Audit use the Newlywed Game?

Let’s draw a parallel between the newlyweds and the 1st & 2nd line of defence of our organization: a marriage (or an organization) is only going to work if both spouses (Controls & Risks) communicate and are aligned with each other. If the answers to important questions regarding your marriage (organization) are different from one spouse to another (between risk managers and controllers), then we may want to have a closer look at the potential issues behind the differing answers. This kind of dichotomy between 1st & 2nd line of defence could be a clear marker for including the concerned risk in the next Audit scope.

How would Internal Audit use the Newlywed Game to determine scope of Audits?

When planning a Risk Based Internal Audit (RBIA), an Audit Director would have to consider which risks to audit next. Looking at a list of the risks applying to his Organization is only a starting point.

The Audit Director could then look at the answers of controllers and risk managers regarding these risks. Differing answers could raise the alarm and indicate an audit of the concerned risk is necessary.

  • Missing risk target (spouse 1): Risk managers are to handle assessment of Risks and set the risk appetite, reflected by a Risk Target. If the Net Risk rating does not match with the Target Risk rating desired, it would indicate that the concerned risk should be audited as risk management does not achieve the risk goals set by the board.internal-audit-newlywed-risk-1.png 
  • Ineffective Controls (spouse 2): Internal Controllers are to ensure Controls mitigating risks are designed and executed. Controls then get tested and receive a pass or fail regarding their effectiveness. Any Controls deemed ineffective means it does not contribute to reducing the risks it is meant to mitigate and its Control Level is set as Weak.internal-audit-newlywed-risk-2.png

     

The difference between the answers regarding Risk ratings and their mitigating Controls’ effectiveness is like comparing both spouse’s answers on the newlywed game: risk managers could say that everything is mitigated effectively while controllers have very little confidence in the control measures. An Audit Director would be choosing the risks that seem to achieve their target at first but have been found to have very weak mitigating Controls.

So the following 2 scenarios from the Newlywed Game can help Internal Audit prioritize risks for their RBIA:internal-audit-newlywed-risk-3.png

 

  • Risk Target is reached but the Controls are weak. The spouses’ answers do not match.

internal-audit-newlywed-risk-4.pnginternal-audit-newlywed-risk-5.png

 

  • Risk Target is not reached but the Controls are strong. The spouses’ answers do not match.

 

internal-audit-newlywed-risk-6.png

 A third scenario could present itself. Similar to when both spouses can have arguments but pretend everything is fine in front of the cameras during our Newlywed Game, Incidents could still take place without Risk Managers or Controllers contradicting each other.internal-audit-newlywed-risk-7.png

 

internal-audit-newlywed-risk-8.png 

How can Internal Auditors implement their own version of the Newlywed Game?

In many organizations, all 3 lines of defence tend to work with different tools on different registers and sometimes at odds with each other. Internal Auditors being the last line of defence, they need to ensure they have access to the most accurate and up-to-date information regarding the Risks they are to audit. Building a Risk Assurance Dashboard (available in our next version of HOPEX Internal Audit) featuring a health summary of the Risk (Net vs Target, Control Levels, Incidents) would help the Audit Director quickly identify those high priority Risks and include them in their next audit. To come back to our Newlywed Game, the point of the game is to reveal both spouses’ answers to the questions to find out if the couple has won. If Risk Managers and Controllers do not reveal their assessment of the Risks, Internal Audit is unable to concentrate on auditing the right Risks and the organization loses.

Comment

What is the Newlywed Game?

It was a TV game show that first aired in the 1960’s where newly married couples would be pitted against each other in a series of revealing question rounds to determine how well the spouses knew each other: if both spouses gave the same answer to the same question, then they won the round. The show became famous for some of the arguments that couples had over incorrect answers in the form of mistaken predictions, and it even led to some divorces.

How does it relate to an Organization?

Any organization has a certain culture and values that, in turn, steer its attitude to risk taking. Ensuring all parts of the organization abide to this risk culture is called Risk Assurance and is usually performed by Internal Audit reporting to the organization’s board. Internal Auditors usually would be the last line of defence in a series of 3. The other 2 are Controllers (1st line as operational) and Risk Managers (2nd line). Applying the Newlywed principle, the risks are the questions, the Risk Managers and Controllers are the spouses and the Internal Auditors are the game show host.

What do Internal Auditors usually do?

An Internal Audit Director’s job is to provide assurance to the board that the organization’s risks are managed in line with its risk attitude. In order to do so, Internal Audit has to (obviously) audit the parts of the organization less likely to abide to this risk attitude and report Findings and Recommendations to the Board. When planning Audit missions, the difficulty lies in choosing the Risks to include in the next Audit scope.

Why would Internal Audit use the Newlywed Game?

Let’s draw a parallel between the newlyweds and the 1st & 2nd line of defence of our organization: a marriage (or an organization) is only going to work if both spouses (Controls & Risks) communicate and are aligned with each other. If the answers to important questions regarding your marriage (organization) are different from one spouse to another (between risk managers and controllers), then we may want to have a closer look at the potential issues behind the differing answers. This kind of dichotomy between 1st & 2nd line of defence could be a clear marker for including the concerned risk in the next Audit scope.

How would Internal Audit use the Newlywed Game to determine scope of Audits?

When planning a Risk Based Internal Audit (RBIA), an Audit Director would have to consider which risks to audit next. Looking at a list of the risks applying to his Organization is only a starting point.

The Audit Director could then look at the answers of controllers and risk managers regarding these risks. Differing answers could raise the alarm and indicate an audit of the concerned risk is necessary.

  • Missing risk target (spouse 1): Risk managers are to handle assessment of Risks and set the risk appetite, reflected by a Risk Target. If the Net Risk rating does not match with the Target Risk rating desired, it would indicate that the concerned risk should be audited as risk management does not achieve the risk goals set by the board.internal-audit-newlywed-risk-1.png 
  • Ineffective Controls (spouse 2): Internal Controllers are to ensure Controls mitigating risks are designed and executed. Controls then get tested and receive a pass or fail regarding their effectiveness. Any Controls deemed ineffective means it does not contribute to reducing the risks it is meant to mitigate and its Control Level is set as Weak.internal-audit-newlywed-risk-2.png

     

The difference between the answers regarding Risk ratings and their mitigating Controls’ effectiveness is like comparing both spouse’s answers on the newlywed game: risk managers could say that everything is mitigated effectively while controllers have very little confidence in the control measures. An Audit Director would be choosing the risks that seem to achieve their target at first but have been found to have very weak mitigating Controls.

So the following 2 scenarios from the Newlywed Game can help Internal Audit prioritize risks for their RBIA:internal-audit-newlywed-risk-3.png

 

  • Risk Target is reached but the Controls are weak. The spouses’ answers do not match.

internal-audit-newlywed-risk-4.pnginternal-audit-newlywed-risk-5.png

 

  • Risk Target is not reached but the Controls are strong. The spouses’ answers do not match.

 

internal-audit-newlywed-risk-6.png

 A third scenario could present itself. Similar to when both spouses can have arguments but pretend everything is fine in front of the cameras during our Newlywed Game, Incidents could still take place without Risk Managers or Controllers contradicting each other.internal-audit-newlywed-risk-7.png

 

internal-audit-newlywed-risk-8.png 

How can Internal Auditors implement their own version of the Newlywed Game?

In many organizations, all 3 lines of defence tend to work with different tools on different registers and sometimes at odds with each other. Internal Auditors being the last line of defence, they need to ensure they have access to the most accurate and up-to-date information regarding the Risks they are to audit. Building a Risk Assurance Dashboard (available in our next version of HOPEX Internal Audit) featuring a health summary of the Risk (Net vs Target, Control Levels, Incidents) would help the Audit Director quickly identify those high priority Risks and include them in their next audit. To come back to our Newlywed Game, the point of the game is to reveal both spouses’ answers to the questions to find out if the couple has won. If Risk Managers and Controllers do not reveal their assessment of the Risks, Internal Audit is unable to concentrate on auditing the right Risks and the organization loses.