Introduction

A complete overhaul of the risk landscape over the last few years, more so over the last few months, has created a pressing need to evaluate the change in role of auditors and chief financial officers (CFOs) and expectations from them. Organizations are now looking up to them more than ever before for guidance on how one should deal with the unknowns and continue to grow sustainably. Traditionally though, the role of auditors was perceived as more around adherence to regulations and compliance requirements, and a tick in the box requirement. The role now seems to be way more holistic and challenging as they now have the opportunity to be enablers and catalysts for sustainable growth by allowing organizations to take informed and measured risks. The changing objectives of the organizations, emergence of new technologies, and innovations have changed the risk landscape and have even influenced the blueprint of the regulatory systems. Thus, the onus lies on the auditors to act accordingly. Auditors along with the senior management should, thus, focus on identifying emerging threats and even look for converting those threats into opportunities. It is surprising that although risk management seems to be leading the way for the years to come, senior management seems to spend very less time on the emerging risks and focus on controls related to such risks. In recent times, the occurrence of a Black Swan event like COVID-19 has posed a threat to the mightiest of the organizations who felt that all the controls and systems are in place. Auditors thus need to look out for the monotone empirical ways and think from the frontline to envisage and mitigate risks more proactively. Over the years, the business landscape of the organizations has shifted focus from the recession survival tactics to aggressive growth strategies. Managing risks is the priority for senior management, and it is a key strategic parameter now for organizations to create sustainable value and succeed.

   As an effective risk management strategy is vital for organizations, risk management systems need to be robust and effective in view of the changing landscape and the continued technological advancements (Vij, 2019). Quon et al. (2012) argue that a series of company failures, corporate scandals, and fraud are amongst the reasons for companies to effectively implement risk management programs. These companies’ failures were caused by poor risk management and corporate governance practices. New ways and perspectives of risk management have emerged, and board, senior leaders, regulators, and leaders have all expanded their focus to include the concept of enterprise risk management (ERM). The realities of an ever-changing world with frequent business disruptions have made the concept of ERM important for companies. ERM is a structured, consistent, and continuous process across the whole organization for identifying, assessing, and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives (The Institute of Internal Auditors, 2020). 

  With the expansion of regulatory compliance and changing stakeholders’ expectations, ERM is now formally a factor in credit rating issued by top agencies. It is embedded into the organization’s strategic decision process. S&P Global was the first to formally include ERM as part of an organization’s credit rating. S&P evaluates a company’s ERM initiative within a general framework that includes the following four components: first, risk management culture and governance; second risk controls; third emerging risk preparation; and finally, strategic risk management (ERM Insights by Carol, 2017).

  ERM is structurally supported by the internal audit process and framework as it has a critical and multidimensional role to play in making risk management and ERM implementation successful. It helps to ensure that key business risks are being managed appropriately and that the system of internal control is operating effectively. Against this backdrop, the primary objective of the article is to bring out what the business environment and changing risk landscape means for auditors and CFOs in terms of their roles and responsibilities. The research will offer ideas and suggestions to executives responsible for ERM implementation. The following sections present the review of literature, conceptual framework, and then discussion on developing a robust risk management framework. The final section provides the relevance, implications, and conclusions.

Review of Literature

According to Vij (2019), risk management and ERM continue to capture the top slot in future trends relating to risk and compliance. Gordon et al. (2009) argue that a paradigm shift has occurred regarding the way organizations view risk management. Instead of looking at risk management from a silo-based perspective, the trend is to take a holistic view of risk management. This holistic view of risk toward managing an organization’s risk is known as ERM. The Committee of Sponsoring Organization (COSO) defines ERM as

A process, effected by an entity’s board of director’s, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to predict reasonable assurance regarding the achievement of entity objectives.¹

An enterprise-wide approach to risk management enables auditors to consider the potential impact of all types of risks on all processes, activities, stakeholders’ products, and services. This therefore tends to avoid a silo approach of identifying and managing the diverse risks faced by an organization (Kibisu et al., 2017). However, since ERM takes a more holistic view of risk across the organization, it considers both the upside and downside of risk, and focus here is on strategic and business goals of the organization (Vij, 2019).

   Study by Standard and Poor’s (2008) developed an ERM framework which demonstrates that ERM practices are significantly aligned with manager’s behavior in everyday decision-making. According to the new COSO framework, “The complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of ERM while asking for improved risk reporting” (COSO, 2017).

   By contrast, traditional risk takes a narrow view of risk, is conducted in silos, and is a bottoms-up approach. It considers risk as an individual hazard and focuses only on loss prevention. More often than not, ERM takes more of a top-down approach. Ideally, ERM will start with the strategic plan and key objectives of the institution. Traditional risk management is reactive and sporadic, whereas ERM is proactive and continuous. It is mostly embedded in the culture and mindset of an organization.

   Researchers in the past few years have explored the relationship between ERM and an organization’s performance (Chen et al., 2019; Florio & Leoni, 2017; Hanggraeni et al., 2019). They have argued that a strong risk management and ERM system could increase the overall firm’s performance and shareholder value. Yang et al. (2018) argue that top management’s financial education is associated with ERM practices, which in turn can influence a firm’s competitiveness and performance. Floria and Leoni (2017) conducted a study on ERM and the firm’s performance. The results of the study show that firms with advanced levels of ERM implementation present higher performance—both as financial performance and market evaluation. De Souza et al. (2012) specified that the effect of ERM on a firm’s performance is influenced by the degree of involvement of the stakeholders in risk management and the maturity level on managing risk. Despite these studies, Tahir and Razali (2011), McShane et al. (2011), Quon et al. (2012), and Li et al. (2014) demonstrated no additional increase in the firm’s performance for companies implementing ERM.

  Morse (2020) recently conducted a research study on the link between ERM and organizational financial performance. The research focused on Australian-based companies in the ASX30, which includes Australia’s top 300 organizations ranked by market capitalization, and members of the Risk Management Association of Australasia. The study concludes that an ERM framework should not be a compliance tool; it should rather be an insight and value driven. By achieving this, organizations have greater visibility of the health of their business and consequently make better strategic decisions.

  Parvaneh et al. (2020) conducted a study to evaluate the influence of ERM on a firm’s performance with the moderating effect of intellectual capital dimensions. A questionnaire survey was distributed to 84 Iranian financial institutions. The findings revealed that ERM had a positive relationship with a firms’ performance. This study provided an insight into the impact of ERM in recent years on nonfinancial performance and the influence of intangible assets on ERM and its function.

Conceptual Framework

The risk landscape in today’s environment has created a need for organizations to adopt a sturdy risk management culture and process for the organizations. The focus of the risk addressed should be aligned to the overall objectives of the organization. The ever-changing risk landscape impacts the auditor and his/her opinion. It is thus important for the auditor to understand the changing risk landscape and apply changes to the audit approach accordingly. It is also important to have a sound conceptual framework that would serve as a foundation for the setting of standards and norms and enhance the consistency of the standards over time. A conceptual framework would also provide guidance for solving the emerging practical problems and the threats posed by such risks to organizations. During recent times, threats and uncertainties faced by organizations are difficult to be dealt with, and thus auditors need to assess and measure risk proactively. They need to look into the risk tolerance and the velocity of risks that organizations can face keeping in mind how often risk perceptions are changing for the organizations. The current situation may increase the challenge of gathering sufficient appropriate audit evidences which are needed to form an independent view to reason out the management’s estimates and judgments. Auditors need to exercise significant professional judgment and professional skepticism to remain focused on their ethical responsibilities and also take public interest into consideration. The process of risk identification and assessment is iterative and dynamic for auditors. Owning to the changing times and modify the audit responses and procedures, they need to revise the risk assessment procedures on the basis of new evidences and new information obtained. This comes out to be important, especially at the hours when business continuity planning and disaster management for majority of organizations seem to fail. Because of the implications of COVID-19, there might be changes in the entity’s objectives, strategy, organizational structure, governance arrangements, and business model, and it is important for auditors to consider how such changes would impact the audit. It is also important for the auditors to change their approach even during the audit as the environment might continue to evolve despite they have already completed planning and have done the organization’s risk assessment before the onset of the COVID-19 pandemic.

  Some of the circumstances in the COVID-19 scenario which might increase the susceptibility of risks for material misstatement include:

1. Ineffective execution of strategies or inappropriate objectives by the management.
2. Lack of expertise and failure to deal with changes.
3. Inaccurate estimation of demands and thus reduction in business.
4. Improper due diligence performed on new products and services.
5. Lack of financing due to the inability of the entity to meet requirements.
6. Increase in legal exposure has led to the increase in regulatory requirements and needs.
7. Increase in fraudulent activities.

It is important for auditors to understand how any relevant changes in laws and regulations would impact the entity and how it would operate after the changes are brought in. This may include the extension of the reporting periods for some of the jurisdictions. There might also be changes in financial reporting standards applicable in some jurisdictions which may be required to be considered.

Developing a Robust Risk Management Framework

The risk profiles for most of the organizations have constantly changed due to internal and external influences. The risk landscape in today’s environment has pointed out the need for organizations to adopt a robust ERM culture and process. The pandemic has brought to the forefront a whole basket of risks that needs to be addressed by auditors’ vigilantly. The key role of auditors with regard to ERM is to provide assurance to the senior management and board on the effectiveness of risk management. The audit should also involve the standards to measure the impact and likelihood of some of the risks that might arise even after the wave of the pandemic has subsided. It is also important to address the high impact and high likelihood risks on a priority basis to keep the organization in its shape and form even during this pandemic, especially when all the business continuity planning and disaster recovery mechanism of the organization has drastically failed.

   Some important frameworks to help auditors analyze and develop a robust risk system are discussed in the following sections.

HazOP and HazID

Risk assessment tools such as HazOP and HazID can be helpful for auditors in analyzing risks. Classifying risks and addressing them become very important for auditors in such times. Analyzing and quantifying the risk appetite of the organizations and following a top-down approach by the senior management and cascading down to the organization would help the board and the auditors to engage in risk issues, integrate risk management systems, and would help them in strategic decision-making.

BS 31100

British Standard BS 31100 suggests that an organization needs to set up its risk appetite before either setting of its strategic objectives or identifying and assessing its risks. According to the British Standard BS 31100 (Paragraph 3.8):

Both the risk appetite and risk profile should be monitored by the board (or equivalent) and formally reviewed as part of the organization’s strategy and planning processes. This should consider whether the organization’s risk appetite remains appropriate to deliver the organization’s objectives in light of internal and external drivers and constraints.

It is also important for the organization to effectively communicate its risk appetite so that the auditors and other decision makers can effectively understand the “rules” within which they should operate. The auditors should thus suggest and help prepare a risk appetite statement that would provide for direction and boundaries to the risk which can be accepted at various levels in the organization. The BS31100 suggestion to have a risk appetite statement at various levels of the organizational structure is aligned to an organization’s overall ERM maturity as the risk appetite forms a key component in any ERM maturity model.

Firm Scorecard

The assessment by the auditors of the risks for material misstatement, including fraud risks, continues throughout the audit during these pandemic times. When an auditor obtains any audit evidence during the audit procedures that would tend to contradict the audit evidence basis which the auditor originally has done the risk assessment, the auditor should revise the assessment of the risk and thus modify the already planned audit procedures or implement additional procedures in response to the revised risk assessments. A firm scorecard proves to be helpful in the risk assessment by the auditors. A corporate risk scorecard would also help in a country risk assessment for an organization situated in different continents across the globe. This would help organizations to take decisions according to diversifications and help auditors to perform their audit procedures accordingly. This would also help businesses to explore or exploit new opportunities. Risk management by the auditors for the organization does not only mean to identify, assess, and mitigate risks, but it also means to take up new opportunities and ventures with higher risks to ensure a greater return. This would add value and also help the organization grow to its optimal level.

PCAOB Auditing Standard 2110

The Public Company Accounting Oversight Board (PCAOB) Auditing Standard 2110, AS2110: Identifying and Assessing Risks of Material Misstatement, as amended states: The auditor needs to perform risk assessment procedures that are sufficient to provide a basis to identify and assess the risks of material misstatement, whether due to an error or a fraud, and design the audit procedures accordingly. The risk due to material misstatement may arise from a variety of sources that includes external factors also, such as the environmental conditions in the company’s industry, and certain company-specific factors such as the nature of the company, its activities, and internal control over financial reporting. The external or company-specific factors can affect the judgments involved in determining the accounting estimates or create pressures in order to manipulate the financial statements for achieving certain financial targets. Many organizations are also facing certain uncertainties as public health officials and business leaders focus mainly upon understanding the COVID-19 virus so as to plan and re-open the economy, and to understand what getting back to normal would be like in different geographies and across different industries. It has been directed to public companies to provide as much information as possible to the investors and other stakeholders about their current financial and operating status, as well as their future operational and financial planning, and business objectives and strategies.

  For auditors, identifying and assessing risks during forthcoming days might be more challenging owning to these uncertainties.

  While assessing the risks of material misstatements, auditors should also look into the fraud risks that have aggravated to a great extent during the pandemic. Auditors may also need to periodically update their understanding of the management’s processes for identifying the risks that are relevant to the financial reporting objectives, which would include risks of material misstatement due to fraud. PCAOB’s SPOTLIGHT states that the auditors may consider some aspects to modify different procedures or design new procedures. This would include enhancing the supervision on the less experienced members and review and modify their nature of work. This would also include the involvement of senior managements in addressing more complex issues. The evolving time demands for the need of specialists and people with specialized skills and knowledge in their fields of expertise. As far as approaches to engagements of other auditors involved are applicable, the use of technology becomes an area of utmost importance. Auditors should also consider whether audit evidences are gathered through alternative approaches or include new or extensive procedures that need to be performed by the lead auditors. Auditors should exercise professional skepticism when gathering audit evidence. With management and auditors alike working remotely, it is important to stay alert to whether evidence obtained is sufficient and appropriate to meet PCAOB’s auditing standards. Auditors may need to obtain audit evidence of a different nature or form than originally planned, which may affect the auditor’s consideration of its relevance and reliability. Among other required communications, the auditors should communicate to the audit committee the significant changes for a planned audit strategy or the significant risks that have initially been identified, and also state the reasons for such changes. It is important for the audit committee to provide for a robust oversight and effective inputs to help ensure that the risks are properly identified, assessed, and responded to by the auditor. With the changing environment and the potential for newer risks to evolve, it is important to have more frequent engagement with the audit committee related to the auditor’s risk assessment.

COSO Framework

COSO was established by five major accounting associations and institutes in the United States in the mid-1980s as part of the National Commission on Fraudulent Financial Reporting. The aim of COSO was to understand and study financial reporting and develop recommendations to prevent fraud. In 2004, COSO published an ERM cube that placed a strong emphasis on audit as the driving force behind ERM. To achieve a successful ERM initiative, eight components are shown on the front of the cub: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring. Further, all eight components need to be integrated with each of the four risks as indicated on the side of the cube namely, Strategic, Operations, Reporting, and Compliance.

  In September 2017, COSO published a revision of its corporate risk management framework called ERM – Integrating with Strategy and Performance. This framework provides a guidance on ERM, internal control, and fraud deterrence to help organizations attain better value in an increasingly complex and uncertain business environment. The framework will also help business leaders prioritize the risks and understand the new risks that are fast emerging in an uncertain and complex business scenario. The 2017 framework builds on the solid foundation of the COSO 2004 document and establishes a strong link between risk, strategy, and performance. Risks are viewed not just as negative risks, but also as risks that will add value to the organization. The framework has been designed to help organizations deal with the multiplicity and complexity of risks that have increased in today’s complex scenario. Risks are linked with strategies to help the board of directors and top leaders understand the risks that stem from executing a chosen strategy. The COSO ERM update was designed to help organizations deal with risks that have increased in volatility and complexity with the expansion of regulatory compliance and changing stakeholders expectations.

Reverse Stress Test

Reverse stress testing can be used as a tool by almost all organizations in order to enhance their going concern assessments and improve risk assessment during the pandemic and even beyond that. It can help managements enhance their robustness and can also help the auditors to provide for persuasive evidence to support their conclusions on the going concern. The going concern forms a key focus area for audit reform. A reverse stress test (RST) is a test that starts from the opposite end, and thus it identifies a predefined outcome. An RST would broadly involve exploring three questions in the following order: What would it take for an entity to fail What individual event, or sequence of events, could lead to this outcome What can be done now to avoid this Auditors are required to efficiently address such questions in order to look ahead and help the management chalk out their objectives and strategies accordingly.

  It is suggested that the aftermath of a pandemic provides for an opportunity to learn, and the innovations that are adopted during the pandemic can be a part of the new normal and the Next World. The Next World is typically associated with the risks and opportunities that are related to the Digital Age. Auditors would thus need to update themselves on their entrepreneurial thinking and behaviors, analyzing data and their data capability as required by the organizations, communication skills, personal resilience, and agility. A pandemic proves to give organizations a unique opportunity to make changes and take up risks that would guarantee higher returns.

Relevance and Implications

As organizations rely more on the advancement in the areas of technology, artificial intelligence, and data analytics, etc., the focus of the management shifts toward adapting to such changes. Research would help auditors understand their changing roles and responsibilities in an organization owning to the evolving risk environment. It would be insightful for the auditors to understand their approach that needs to be modified over time and how they can add value to the organization. It would help them understand that the role of the auditors is not only confined to addressing the risks but also to seek opportunities out of it to help the growth of the organization. The auditors also need to move away from their empirical approaches and concentrate more on the value addition for the organization and explore the new and underdeveloped areas for managing risks. The changing environment because of the pandemic has been impacted by new technologies, and thus the auditors have a major role to play in determining the risks associated with it and design controls against such risks. With the evolution of the risk landscape, it has been observed that organizations are moving toward technological development to perform the basic and repetitive tasks. Along with this, they are also looking ahead to improve the processes, finding opportunities, and ensuring that tasks are performed with greater precision. Auditors should look into avoiding duplications and unnecessary governance to put forward a lean process. Focus should also be given on the inherent risks faced by the organizations which tend to have a high impact and likelihood. On the other hand, a quantitative measurement of the risk tolerance and risk appetite of the organization needs to be scrutinized by the auditors. It is important for the auditors to analyze the potential impact of certain events which can be done by having a proactive approach toward risks rather than a reactive approach toward it. The risk-handling functions should thus move from just simply alerting the management and needs to be cascaded down to the bottommost rung of the organization. There is thus a need for effective governance than just focusing on and assessing of risks. The auditors with the evolving times need to think about the returns for the organization rather than addressing only the risks. Value addition to the organization is of utmost importance at all levels because of the evolution of the risk landscape and the dynamic environment that has arisen due to the pandemic.

Conclusion

The complexity and competitiveness the business world is experiencing has focused on the rising importance of risk management and the increasing expectations of internal audit’s contribution to the effort. A survey by PwC (2012), “Aligning Internal Audit: Are you on the right floor,” found that almost everyone wants internal audit to maintain or add focus to the top risk areas. Top-down, risk-based planning begins with seeking management’s viewpoint on their top priorities. As risks are not static, internal audit must be flexible. Thus, the need to manage risk in an organization has become an indispensable part of good corporate governance. High performing organizations manage their risks strategically in all areas of operation. Risk-based internal auditing provides assurance to management that risk management processes are not only classified accurately but are also working efficiently. They provide an environment where both upside and downside risks are highlighted so as to create a significant impact on the bottom line of performance. The changing risk landscape has made the process challenging for auditors and CFOs as the focus of risk management has elevated from the tactical to strategic level. Onus is now on the auditors and CFOs to accept the challenge, rise to the occasion, and be a torchbearer for organizations during turbulent times.

Declaration of Conflicting Interests

The authors declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.

Funding

The authors received no financial support for the research, authorship and/or publication of this article.

Note

1. https://www.complianceonline.com/dictionary/COSO_ERM_framework.html#: ~:text=Unlike%20any%20other%20risk%20management,guidance%20for%20enterprise%20risk%20management.&text=As%20 defined%20by%20the%20COSO%20 framework%2C%20ERM%20is%20%22