Matt Podowitz at corporatecomplianceinsights.com has an interesting column up about finding value in your investment in internal audits. It's an interesting idea, given that most people seem to view all GRC initiatives in terms of avoiding non-compliance fees and especially risky practices.
Many of the existing controls in Internal Audit plans are focused on risk of loss, but additional controls may be developed, implemented and monitored to address risk of “lost opportunity,” which is inherently more recoverable. For example, existing controls over a quoting and bidding process may help to ensure that appropriate individuals were involved in the sign-off of a given contract. However, an additional set of controls could also focus on whether the pricing, profitability and other economic factors associated with bids and quotes were (or are being) met. If they have not been met, this would trigger a reevaluation process or even renegotiation of the bid.
I'm of two minds about this. On the one hand, the idea of drilling risk analysis down to this level is appealing. On the other hand, it seems that it may lead to clunky controls that could restrict normal business actions.
However, with good technology in place, the internal audit practices Matt talks about could lead to some pretty notable improvements. In many ways, the whole article reminds me a bit of the sustainability and enterprise performance management (EPM) efforts many companies in the SAP space (including SAP itself) are undertaking -- looking for ways to optimize normal business functions by using processes that typically are only associated with risk avoidance.