New Paper on Risk Assessment and the Audit Plan
One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.
Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.
Unfortunately, it fails to deliver on that promise.
While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.
I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”
The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”
Here are the two main problems with that last sentence:
- The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion, and the practice I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
- While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also essential that internal audit has a deep understanding of the business, its processes, systems and organization, sufficient to challenge management’s assessment of risk – or to make its own assessment when there is no ERM in place.
My recommendation: read the report for tips on how to interview management. But go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which risks to the organization matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)
Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?