
How to do your internal audit risk assessment

A long-time vendor of software for internal audit departments, Thomson Reuters, has published a piece by Noah Gottesman. Prior to joining Thomson Reuters in 2012 as Director of Audit Advisory and Innovation, Noah was with EY (which is where I met him, if memory serves me right). In that capacity, he has performed and managed a variety of internal audits.

Get Your Internal Audit Risk Assessment Right This Year has some good suggestions for the traditional internal audit team. It includes “five steps to turning risk assessment principles into positive actions”, as well as sections on:

  • Listen to management: the real opportunity
  • Lay the foundations: the importance of a robust methodology
  • Know your organization’s risk appetite
  • Get into the details
  • Plan for success
  • Understand the business and its culture

Most will see value in these sections.

But, I have significant issues with the approach and assumptions.

My problem starts very early.

The paper quotes the COSO Internal Control – Integrated Framework:

“…risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.”

Yet, this quote is followed by a reference to an “annual risk assessment process”.

Buried at the end of page 7 of the Thomson Reuters paper is this sentence:

“With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach, beginning with management interviews and input.”

COSO similarly talks about a “dynamic and iterative process” (almost the same words as the ISO 31000 principle: risk management is “dynamic, iterative, and responsive to change”).

An annual process is NOT dynamic, iterative, or responsive to change.

Change does not occur on an annual basis. It happens all the time, which is why we use the word ‘dynamic’.

McKinsey prefers the word ‘turbulent’, as do I.

Internal audit needs to be aware of and responsive to changes in known risks or the emergence of new risks continuously, not on an annual cycle.

The move to a continuous, dynamic audit plan will be a major change for most internal audit departments. Many are already on that journey and have to adjust from a major initiative focused on listening to executives once a year to monitoring how business objectives and risks are changing.

I wish Noah had talked about the fact that every organization has hundreds if not thousands of risks. An internal audit risk assessment that includes, as he suggests, listening to management at all levels across the organization will identify a great many risks that matter to those managers.

But are they risks that matter to the organization as a whole?

In World-Class Internal Auditing: Tales from my Journey, I said:

When internal audit focuses on the risks that matter to the organization, provides objective and insightful assurance on how well they are managed, and uses its intellect and imagination to work with management to effect necessary changes, amazing things can and do happen.

I believe internal audit should first understand the value drivers and the objectives of the organization. It should then seek to understand the risks (and continuously maintain that understanding) that are critical to the delivery of value and the achievement of corporate objectives.

One excellent question is “what could go wrong” and another is “what needs to go right”.

The risks to enterprise objectives that are identified are the risks that matter.

Those are the risks that need to be addressed in the audit plan.

I, and many other CAEs around the world, believe that internal audit should provide its stakeholders with a formal assessment of the condition of risk management and internal control as they relate to the more significant risks to the organization.

A major element of audit planning is ensuring that sufficient work is performed to support that assessment.

Another dimension to audit planning is whether an engagement will add value. Some risks are well-known and are already being addressed. In those cases, an internal audit engagement will probably add little value.

On the other hand, sometimes there are situations where the risk is seen as moderate but an advisory engagement would add value to the extent that it merits inclusion in the audit plan.

This whole question of the internal audit risk assessment is a tough one. I hope to provide more of my thinking on the topic later.

In the meantime, please share your thoughts on best practices.

  1. August 27, 2016 at 1:41 PM

    Internal audit should advise and assure on the governance, value management and performance programs (GVP) that are designed to create stakeholder value. Opining on risk management is an old-fashioned notion from the regulated industries. And, as it relates to many financial institutions, history tells us that did not work very well.

    • Norman Marks
      August 28, 2016 at 2:13 PM

      Michael, thank you for the comment. If the performance management program does not consider the downside, or even the likelihood of the upside, what do you do?

      Also, do you really think IA should audit board and CEO performance? I advise a risk-based approach. What is the likelihood of a failure in a governance process that would lead to failing to achieve objectives?

      • August 28, 2016 at 2:44 PM

        Norman, speaking broadly – many internal audit and other business people focus their thinking and approach only on risk and not reward.

        With regards to advising or providing assurance on governance absolutely IA needs to be involved. So many examples of major company governance failures we are all familiar with.

  2. August 28, 2016 at 12:01 PM

    Norman, you say, ‘This whole question of the internal audit risk assessment is a tough one’. It depends what you mean by ‘risk assessment’. I don’t believe it is internal audit’s responsibility to assess the significance of each risk, so I’ll be controversial and say that it isn’t tough at all – because risk assessment is not internal audit’s job, it’s management’s job and it is internal audit’s responsibility to make sure that they are doing this job properly and taking appropriate steps to mitigate the risks to a level considered acceptable by the board.

    You go on to say, ‘I believe internal audit should first understand the value drivers and the objectives of the organization. It should then seek to understand the risks (and continuously maintain that understanding) that are critical to the delivery of value and the achievement of corporate objectives.’. The understanding of value drivers, objectives and the risks threatening their achievement must come from the continuous dialogue with management, not from an internal audit assessment.

    You comment, ‘Some risks are well-known and are already being addressed. In those cases, an internal audit engagement will probably add little value’. How do you know they are being addressed? I would argue internal audit adds value by confirming those risks likely to have the greatest impact are actually being managed to acceptable levels. I don’t think we ought to make the assumption that, if internal audit finds everything is OK, it has added ‘little value’.

    I believe internal audit’s plan should be driven by the requirements of the Board and Audit Committee, and these requirements will generally be driven by their ‘stakeholders’ and legislation. So I would say that internal audit’s risk assessment is an objective assessment of how the Audit Committee’s requirements are to be met. This would normally include a discussion with them about those principal risks on which they would like confirmation about the proper operation of controls.

    • Norman Marks
      August 28, 2016 at 2:10 PM

      David, I believe there are nuances rather than disagreements between us.

      I agree, and said in this and other posts, that risk identification, assessment, and response are all management responsibilities.

      However, internal audit needs to identify the sources of risk to focus on in audit engagements.

      If management does not have a reliable risk program in place, IA will have to do all the work.

      When management does have a reliable program in place, it may still not be entirely suitable for IA. Multiple sources of risk may have been combined into one area of risk. IA may want to audit only one or two of these aggregated sources of risk. For example, the procurement of critical components may be identified as a risk but the sources of that risk may exist all over the global enterprise.

      Further, management may assume the controls are working. IA needs to factor in its assessment of control risk (the likelihood and extent of controls failing).

      Now to the point about risks where management is already working on the issue. I suspect your comment is because I was not clear. If management has a task force working to solve a known issue, why should audit duplicate their work? If the board has just fired the SVP Engineering because of product development problems and a new one is just starting, where is the value of an IA engagement?

      The board and audit committee may or may not know how and where IA can add value with assurance, advice, and insight. Many depend on IA to recommend a plan which they approve – and I believe that is the right approach.

      Does that make more sense?

      • August 28, 2016 at 2:40 PM

        Norman, many thanks for your comprehensive reply. Yes, that makes more sense.

        It’s a shame that some ‘commentators’ on internal audit are not reflecting the current thinking.

  3. Kabbila Walker Nsemani
    August 30, 2016 at 7:56 AM

    Norman, I have appreciated your concern on risk assessment which is unfortunately performed once annually in most entities.

    The reason for me in doing so is to allow me to create a planning horizon which is easily understood by stakeholders, and in particular Executive Management and the Audit Committee, as a basis for the risks identified.

    However, how do I intend to address emerging risks or changes to initially assessed risks? I begin by acknowledging the fact that risk assessment must be continuous through daily, monthly and quarterly engagements with top management and the Audit Committee. I have on my annual plan an item called ‘Follow-Up and Contingency’, a tool that is helping my organisation to address elements of changes in planned risk assessment, and it is working well for the entity.

  4. Jai
    August 31, 2016 at 8:51 PM

    There is no dispute that risk management is a management responsibility. However, in order to assess the design and effectiveness of controls, internal audit invariably has to get involved in identifying the sources of risk to get a better understanding of the risk. My experience with risk identification and assessment indicates that many managers experience difficulty in writing a well-defined risk statement. For example, if the risk event and cause and effect are not properly identified, it would be difficult to put an effective control in place. At other times managers end up with too many risks, thus making it difficult to place any reliance on the risk framework and the risk register. It is therefore quite correct that the “whole question of the internal audit risk assessment is a tough one”.

  5. September 1, 2016 at 5:09 AM

    I think we all understand by “risk assessment”, the execution/implementation of risk management and control processes.

    It is also accepted that this is a management responsibility.

    Norman, you say, “If management does not have a reliable risk program in place, IA will have to do all the work.” (By “all the work”, you mean the risk assessment, in spite of the view that it is a management responsibility.)

    I submit it is an indictment on internal auditing if the above is the case because evaluating and providing advice on how to get, loosely speaking, “a reliable risk program in place”, is precisely what is required of internal auditing – 2100.

    Proponents of RBIA admit, when pressed, that it is only applicable where an organisation’s risk maturity is either risk enabled or risk managed. In practice, RBIA does not care what the status quo is. All that matters is “risks that matter”, not whether or not, according to their belief, the appropriate risk maturity for the application of RBIA is present or not.

    2100 evaluates or provides advice on, as appropriate, the risk maturity. In other words, thanks to internal auditing’s consulting mandate, internal auditing helps to get an organisation’s risk maturity to the “risk enabled or risk managed” level RBIA, in practice, takes for granted that an organisation is at.

    Suppose an organisation’s risk maturity is either risk enabled or risk managed. What then?

    RBIA says “audit risks that matter” or “high risks” or something similar which makes no sense in internal auditing.

    Actually, what internal auditing should then do, is ensuring that the risk maturity of each and every organisational unit is maintained at the acceptable level and ensuring that THAT opinion is current, i.e. less than 3 months old.

    Where internal auditing does what is expected of it (2100 and 2450), any exposures should be picked up from the periodical monitoring evaluations and independent assessments (2210.A1-2210.A3 plus 1220.A3).

    There is absolutely no reason for internal auditing to conduct risk assessments outside of the internal audit function itself. Interestingly, this is the one place you almost never find internal auditing conducting a risk assessment.

    I have yet to get a clear explanation of why a risk assessment done by internal auditing would be different to, (and better than, if you follow the logic being provided), that done by management if internal auditing was all along doing the job it is required by 2100 to do.

    When internal auditing goes beyond its 2100 – 2600 obligations, by implementing RBIA, this obviously means it has to neglect what it is supposed to do as RBIA is in no way consistent with the responsibilities imposed throughout the IIA Standards (the 2010 risk basis contamination, excepted).

  6. Noah Gottesman
    September 1, 2016 at 7:04 AM

    Norman,

    Thank you for the feedback. I do agree with your perspective and the inclusion of wording from McKinsey that Internal Audit’s Risk Assessment needs to be dynamic, iterative, if not turbulent in nature. It needs to be a continuous, almost evolution/cycle/process that involves assessment, analysis, and the determination of activities. Please note that in working with clients, I have both advised on developing and enabling such activities. So, why didn’t I mention it / include it?

    In reading through numerous Audit Committee Charters, I have found that the underlying ‘expectation’ has been for Internal Audit to perform an ‘annual’ activity. While I am in favor of exceeding ‘expectations,’ and advocating for others within the profession to do similarly, I also realize the uncomfortable reality. That reality involves the ‘analysis’ that should occur post risk-assessment and prior to the development and/or discussion of the Internal Audit Plan or other lines-of-defense activities. Too often, there is this surge of energy (rush) to develop the Internal Audit Plan of Activities, so that budgets, schedules, and staffing can be arranged.

    The other uncomfortable reality is that this ‘analysis’ is considered to be administrative and a non-audit production / finding generated activity. The reality is that this analysis component is a blend of both tactical and strategic activities, specifically:
    a) coordination / understanding of activities of the other lines-of-defense,
    b) access and ongoing dialogue with the external auditors,
    c) access and ongoing dialogue with any regulators,
    d) internal purview in the strategic plan, objectives, forecasts, budgets, disclosures,
    e) understanding / consideration of geo-political and economic considerations / factors / trends,
    f) the ability to make relevant decisions and judgments without significant red-tape that impact Internal Audit budgets, schedules, and staffing.
    In summary, it involves unencumbered access to a lot of data points, the ability to continuously synthesize / analyze information, and be able to make relevant decisions and judgement. It is not an administrative ‘scheduling’ role to determine the most efficient or effective use of schedules, budgets, and utilization.

    Thank you for the sandbox and rousing my true aspirations for making Internal Audit both more tactical and strategic, but unfortunately, I do not see too many organizations clamoring for such ‘support’ roles within their Internal Audit Department. Maybe it is just me.

    • Norman Marks
      September 1, 2016 at 7:06 AM

      Thanks for the clarification and expanded comments, Noah

  7. Cathy Bordelon
    September 1, 2016 at 8:09 AM

    Thanks for sharing your thoughts. This statement is very true, “When internal audit focuses on the risks that matter to the organization, provides objective and insightful assurance on how well they are managed, and use their intellect and imagination to work with management to effect necessary changes, amazing things can and do happen.” While I manage a function still rooted in the use of an annual plan, I and my team manage to use whatever flexibility we can to stay on top of the emerging risks at our organization. We have proven many times that flexibility in a plan or use of a dynamic plan can add tremendous values to an organization, especially an organization that is constantly changing. In order to move the needle, we as professionals need to influence our stakeholders to change in this direction.

  8. Richard Fowler
    September 1, 2016 at 8:39 AM

    I agree with most of your thoughts, Norman, but I have an issue with one statement: “Internal audit needs to be aware of and responsive to changes in known risks or the emergence of new risks continuously, not on an annual cycle.” It’s that pesky word “continuously.” If we consider continuous auditing, that word means different things based on transaction frequency. If I have a process that functions once per year, then “continuous” means once per year; if the process functions once a month, “continuous” means once per month as well. I’m not aware of any audit shop that has a dedicated resource to perform daily risk assessments – and I’m sure that’s not what you were implying.

    For most audit shops, and for most audit plans, the annual risk assessment is still a good idea and provides input from management and visibility to IA. We just need to be aware, and inform the Audit Committee, that emerging risks will be monitored and the plan may be updated to address those new risks. Few companies operate in such a volatile environment that their audit plan would need to be totally scrapped based on a single new risk or even several emerging risks. The significant efforts that go into the risk assessment and creating an annual audit plan will remain, for the most part, valid throughout the year.

    I suggest that auditors and audit management stay abreast of current issues and emerging risks by subscribing to industry news feeds, reviewing social media (such as these posts), and reading current business and security news. Come to think of it, this is a good idea for most employees. Innovations and risk identification can come from any source. If a significant risk emerges, the audit plan can be modified to include a review of the new or revised mediation plans. This will not adversely impact the rest of the audit plan.

    • Norman Marks
      September 1, 2016 at 8:49 AM

      Richard, thank you for the comment and question.

      As the GTAG explains on continuous auditing, ‘continuous’ is not necessarily every day – it is more often than occasional.

      OK, that’s clearly unclear.

      I believe IA needs to monitor and respond to risks at the speed of risk. If that is slow, then IA won’t have to do much. But these days we operate in a more dynamic environment.

      We need to know when sales in a region rise or fall significantly more than planned; when a new trading instrument or strategy is employed; when a far-flung location is under scrutiny by local regulators; when a key player in internal controls resigns; and so on.

      I found it useful to ask, before deciding which audit we should start next, whether that is still the best audit to perform – whether something has come up or whether this area is no longer the risk we thought it was.

      Auditing by walking around and listening to employees as well as management can be extraordinarily useful.

      Hope that helps explain my thinking.

  9. G Nicholas
    September 1, 2016 at 1:03 PM

    Yes, we have an annual audit planning session, but the Board requires us to revise the plan every quarter and to explain why we move priorities. This helps us to have a plan that is representative of emerging risks, as well as requiring regular assessment of what was thought important “last month”.

  10. Min On Lee
    September 1, 2016 at 3:56 PM

    The above comments would appear relevant and doable for an in-house internal audit function. However, the reality is there are companies who engage external parties to conduct internal audit on an outsourced basis. Wonder how the continuous assessment by the internal audit would apply when they are engaged to conduct internal audit assignments 2 to 4 times a year. Would be good for the writer to augment his comments to include the outsourced IA scenario.

    • Norman Marks
      September 2, 2016 at 7:07 AM

      When IA is outsourced, it has to be overseen by an internal resource who is responsible for setting the scope of any audit engagement. That individual, with assistance from the external provider as necessary, should maintain an understanding of the risks that matter and ensure IA work is properly focused.

      • Lee Min On
        September 3, 2016 at 6:50 AM

        This is where the real challenge arises in maintaining an in-house resource just to oversee the outsourced IA function. It may not make economic sense and moreover, there are countries which do not insist on having an in-house resource for that purpose.

        • Norman Marks
          September 3, 2016 at 7:10 AM

          Companies can always choose to “check the box” and have occasional outsourced IA engagements. That may satisfy the regulators but little else.

  11. Sergey Utkin
    September 6, 2016 at 5:42 AM

    I would change the proposed range and definitions:
      • Listen to management: the real opportunity
      • Lay the foundations: the importance of a robust methodology
      • Know your organization’s risk appetite
      • Get into the details
      • Plan for success
      • Understand the business and its culture
    I would propose the following ones:
      • Understand the business and its organisation culture
      • Get into the details
      • Know your organization AND its management’s risk appetite
      • Plan for success (IA or organisation one’s)
      • Perform & Report
    The result is unpredictable for the IA Leader.
