It was a TV game show that first aired in the 1960s, in which newly married couples were pitted against each other in a series of revealing question rounds to determine how well the spouses knew each other: if both spouses gave the same answer to the same question, they won the round. The show became famous for the arguments couples had over mismatched answers, when one spouse's prediction of the other's answer turned out to be wrong, and it even led to some divorces.
Any organization has a certain culture and set of values that, in turn, steer its attitude to risk taking. Ensuring that all parts of the organization abide by this risk culture is called Risk Assurance and is usually performed by Internal Audit, reporting to the organization's board. Internal Auditors are usually the last line of defence in a series of three. The other two are Controllers (1st line, operational) and Risk Managers (2nd line). Applying the Newlywed principle, the risks are the questions, the Risk Managers and Controllers are the spouses, and the Internal Auditors are the game show host.
An Internal Audit Director's job is to provide assurance to the board that the organization's risks are managed in line with its risk attitude. In order to do so, Internal Audit has to (obviously) audit the parts of the organization least likely to abide by this risk attitude and report Findings and Recommendations to the Board. When planning audit missions, the difficulty lies in choosing which Risks to include in the next audit scope.
Let's draw a parallel between the newlyweds and the 1st and 2nd lines of defence of our organization: a marriage (or an organization) is only going to work if both spouses (Controllers and Risk Managers) communicate and are aligned with each other. If the answers to important questions about your marriage (organization) differ from one spouse to the other (between risk managers and controllers), then we may want to have a closer look at the potential issues behind the differing answers. This kind of dichotomy between the 1st and 2nd lines of defence is a clear marker for including the risk concerned in the next audit scope.
When planning a Risk Based Internal Audit (RBIA), an Audit Director has to consider which risks to audit next. Looking at the list of risks applying to the organization is only a starting point.
The Audit Director can then look at the answers of controllers and risk managers regarding these risks. Differing answers raise the alarm and indicate that an audit of the risk concerned is necessary.
Comparing the two lines' answers on Risk ratings and on the effectiveness of the mitigating Controls is like comparing both spouses' answers on the Newlywed Game: risk managers could say that everything is mitigated effectively while controllers have very little confidence in the control measures. An Audit Director would pick out the risks that appear to meet their target at first sight but turn out to rely on very weak mitigating Controls.
So the following 2 scenarios from the Newlywed Game can help Internal Audit prioritize risks for their RBIA:
A third scenario can also present itself. Just as spouses can argue at home but pretend everything is fine in front of the cameras of our Newlywed Game, Incidents can still take place without Risk Managers or Controllers contradicting each other.
In many organizations, the three lines of defence tend to work with different tools on different registers, and sometimes at odds with each other. As the last line of defence, Internal Auditors need to ensure they have access to the most accurate and up-to-date information regarding the Risks they are to audit. Building a Risk Assurance Dashboard (available in our next version of HOPEX Internal Audit) featuring a health summary of each Risk (Net vs Target, Control Levels, Incidents) helps the Audit Director quickly identify the high-priority Risks and include them in the next audit. To come back to our Newlywed Game, the point of the game is to reveal both spouses' answers to the questions and find out whether the couple has won. If Risk Managers and Controllers do not reveal their assessment of the Risks, Internal Audit is unable to concentrate on auditing the right Risks, and the organization loses.
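To make the three scenarios concrete, here is an added example (not code from HOPEX or from the original post) that ranks the risks of a small, constructed risk register for the next audit scope. It merges the three registers the lines usually keep apart (the 2nd line's net and target ratings, each line's rating of control effectiveness, and the incident log) and scores each risk on the Newlywed signals: the lines disagree, the risk looks on target but its controls are weak, and incidents occur while both lines say the controls work. The 1-to-5 rating scale, the weights and thresholds, and all field names are assumptions made for the example.

```python
"""Rank risks for the next audit scope from a constructed risk register.

The register merges what the three lines each record separately:
- 1st line (controllers): their rating of the mitigating controls' effectiveness
- 2nd line (risk managers): their rating of the controls, plus net and target risk ratings
- incidents logged against the risk in the last period
Ratings use a 1 (weak / low) to 5 (strong / high) scale. The scale, weights,
thresholds and field names are assumptions for this example, not HOPEX data.
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    name: str
    net: int           # current rating after controls (5 = highest exposure)
    target: int        # ceiling set by the board's risk attitude
    rm_control: int    # 2nd line (risk manager) view of control effectiveness
    ctrl_control: int  # 1st line (controller) view of control effectiveness
    incidents: int     # incidents recorded against this risk last period


@dataclass
class AuditPriority:
    risk_id: str
    score: int
    reasons: list[str] = field(default_factory=list)


DIVERGENCE_THRESHOLD = 2  # rating gap between the lines that counts as a contradiction
WEAK_CONTROL = 2          # effectiveness at or below this is "very little confidence"


def assess(risk: Risk) -> AuditPriority:
    """Apply the three Newlywed scenarios to one risk and return its audit priority."""
    result = AuditPriority(risk.risk_id, 0)
    gap = abs(risk.rm_control - risk.ctrl_control)
    lines_agree = gap < DIVERGENCE_THRESHOLD
    both_confident = min(risk.rm_control, risk.ctrl_control) > WEAK_CONTROL

    # Scenario 1: the spouses give different answers.
    if not lines_agree:
        result.score += 3 * gap
        result.reasons.append(f"lines disagree on control effectiveness (gap {gap})")
    # Scenario 2: the risk looks on target, but the 1st line rates its controls weak.
    if risk.net <= risk.target and risk.ctrl_control <= WEAK_CONTROL:
        result.score += 4
        result.reasons.append("net within target but controllers rate controls weak")
    # Exposure above appetite is a priority whatever either line says.
    if risk.net > risk.target:
        result.score += 2 * (risk.net - risk.target)
        result.reasons.append(f"net {risk.net} exceeds target {risk.target}")
    # Scenario 3: nobody contradicts anybody, yet incidents keep happening.
    if risk.incidents and lines_agree and both_confident:
        result.score += 2 * risk.incidents
        result.reasons.append(
            f"{risk.incidents} incident(s) despite both lines rating controls effective")
    elif risk.incidents:
        result.score += risk.incidents
        result.reasons.append(f"{risk.incidents} incident(s) recorded")
    return result


def prioritize(register: list[Risk]) -> list[AuditPriority]:
    """Return every risk ranked for the next audit scope, highest score first."""
    ranked = [assess(r) for r in register]
    ranked.sort(key=lambda p: (-p.score, p.risk_id))
    return ranked


# Constructed sample register; the names and numbers are invented for the example.
SAMPLE_REGISTER = [
    Risk("R-01", "Privileged access misuse", net=2, target=2, rm_control=5, ctrl_control=1, incidents=0),
    Risk("R-02", "Supplier data breach",     net=4, target=2, rm_control=3, ctrl_control=3, incidents=1),
    Risk("R-03", "Payment fraud",            net=2, target=3, rm_control=4, ctrl_control=4, incidents=4),
    Risk("R-04", "Office fire",              net=1, target=2, rm_control=4, ctrl_control=4, incidents=0),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_REGISTER):
        print(f"{p.risk_id} score={p.score:2d}  " + "; ".join(p.reasons))
```

On the sample data R-01 comes out on top: the two lines are four rating points apart and the risk only looks on target because the 2nd line trusts controls the 1st line does not. R-03 ranks next even though both lines agree, because the incident log contradicts them both, which is the third scenario the dashboard's Incidents column is there to surface. The weights are deliberately simple so that the reasons list, not the number, is what the Audit Director reads.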