Internal Audit’s Guide to Planning, Managing and Addressing Risks

As time passes and the modern-day enterprise evolves, so does the role of the internal auditor. What was once a function that was perceived as rule enforcers and compliance police is expanding into one that is a trusted advisor within the business. The last several years have introduced an enormous amount of change, but the proliferation of technology within the enterprise is accelerating every aspect; from operations to decision making.

The progressive steps organizations are taking as a result of the digital age present a bevy of benefits, but in turn, create a slew of challenges and risks. Subsequently, the internal audit function has been forced to adapt along the way, assuring key stakeholders in the business that risks have been identified, but above all, addressed and mitigated.

While identifying and managing risks tied to the business fall on management, it’s internal audit’s responsibility to focus on closing the loop. That’s why our second article focuses on the effective audit follow up, in addition to outlining the how and when tied to escalating risks.

A DYNAMIC AND ITERATIVE PROCESS

The COSO Internal Control – Integrated Framework (2013) provides that a “risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.” (emphasis added). To be effective, internal audit should be aware of and responsive to changes in known risks and additionally the emergence of new ones.

A purpose of the traditional (i.e., annual) risk assessment is to allow internal audit to develop a planning horizon that is understood by stakeholders, in particular executive management and the audit committee, as the basis for the risks identified. In this process there can also be a push to finalize the internal audit “plan” so that budgets, schedules and staffing can be arranged.

Alongside the emerging concept of “risk velocity” (measuring how fast a risk may affect an organization) comes recognition that the typical risk assessment process is neither dynamic and iterative nor responsive to change in real time. Change does not occur on an annual basis. The move to a continuous and dynamic audit plan is significant for most internal audit departments. Some departments are already moving along this path and have had to adjust from a static process focused on listening to management on a seasonal basis to monitoring business objectives and risks that are rapidly changing.

Tony Redlinger, internal audit director with IHS Markit, observes the difficulties of the timely capture of risks as “asking the pertinent questions often without the broader knowledge of what the business is getting into, where the technology often advances much faster than the controls.”

BEYOND THE TYPICAL INTERNAL AUDIT RISK ASSESSMENT

What approaches can internal audit functions take to ramp up the process and achieve more dynamic audit planning?

One technique is to increase the frequency of the process and design a rolling series of assessments and audit planning. If existing processes can be made more streamlined and efficient, the cycle can be compressed to run more frequently. Potentially, a concerted effort can result in an audit plan being updated every six months instead of annually. Since the risk identification process ideally is ongoing, management should be encouraged to implement a schedule to periodically review risks, while reserving the ability to accelerate reviews if a company objective changes or risk factors increase.

For example, if management is considering an acquisition in a new jurisdiction, it could require the reevaluation of risk factors to determine how the decision could impact operations. Such processes can be formally linked into internal audit planning. Of course, existing sources of risk information should be identified and integrated into internal audit planning.

Other assessment processes, including Enterprise Risk Management activities, department self-assessments and other function-specific reviews in high-impact areas depending on industry (e.g., environmental hazards, cybersecurity threats, etc.), should connect and feed into internal audit processes.

Internal Audit 1

TECHNOLOGY TOOLS AND REALISM ABOUT SURVEYS

In the typical risk assessment, preparatory materials are provided and participants are asked a series of questions during sessions with audit staff. This process is expected to produce information to guide the allocation of resources and activities within internal audit so as to optimize the match between the company’s greatest risks and the corresponding mitigation efforts. The availability of sophisticated technology tools such as online surveys can seem to make it cheap and easy to gather voluminous data from a larger population, and to conduct statistical analysis of that data.

Dr. Hernan Murdock, vice president of the audit division at MISTI, finds surveys and questionnaires to be a technique to collect information. “[Questionnaires] promote risk and control awareness, while encouraging transparency and accountability,” he says.

Potentially, this means we can conduct a much larger assessment with the same resources. There is definitely a place for crowdsourcing risk as well as casting a wide net for particular fact patterns of concern, such as use of third-party sales intermediaries or collection of consumer personal data. Still, more data is not always better data. The essence of a good risk assessment is not popular opinion, mechanically sliced and diced; it is informed opinion and expert judgment applied to the facts. Be careful about gathering far more data than can be followed up on or analyzed meaningfully; doing so can create human-judgment bottlenecks in the process.

Ordinarily, risk assessments gather information from senior executives and managers, as well as a sample of senior operational personnel in the business units. To the extent that “risk owners” are not in these groups, they are usually sought out, and sometimes manager-level input is also requested.

Front-line workers should be considered as well. It is usually those who are in the details on a daily basis who have the best perspectives on risks, and on the low-hanging fruit when it comes to increasing operational efficiency.

THE RISK OF THE INTERNAL AUDIT RISK ASSESSMENT

Here we are not talking about the risk assessment that drives the audit plan. Rather, this is the risk that the internal audit function itself will not achieve its objectives as a result of the risk assessment. Should you perform this type of quality engagement as well? See IIA’s Standards for the Professional Practice of Internal Auditing 2120—Risk Management: “The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.”

The internal audit function in this regard should consider risks such as:

  • The potential that the audit risk assessment is inaccurate or incomplete leading to an ineffective audit plan
  • Audit staffing that is insufficient in terms of quality and capacity to deliver useful results on every engagement
  • Changes in business and risk not promptly identified so that the audit plan can be updated
  • Audit communications failing to provide information organizational stakeholders need, when they need it
  • Governance roles not able to understand audit results and their implications for management of the organization


Beyond Quality: The Four-Part Approach for Audit Efficiency and Effectiveness

STEP 1: PLAN FOR ORGANIZATIONAL GROWTH

While the concept of quality is uniform for internal auditors of different varieties and capacities, effectiveness and efficiency can vary from organization to organization. Accordingly, clear definitions for these terms—the expectations for your team—must be established and adopted to plan for growth.

Use these questions as guidance when defining exactly what effectiveness and efficiency mean for you and your team:

  • Are we equipped with the up-to-date tools needed to conduct the best work possible?
  • Do we have the right resources and skill sets required to deliver our audit plan?
  • Are we contributing to organizational improvement? If so, can others see this?
  • Have we obtained any validation of our team’s quality, such as notification from managers or executives?
  • Is feedback effectively distributed to team members, so they know what areas to improve?
  • What quantifiable metrics can we associate with these definitions?

While you and your team’s definitions of effectiveness and efficiency are crucial, it is also important to gain the approval of key stakeholders involved in internal audit.

A major reason that process improvement initiatives fail, according to one Harvard Business Review article, is that the people whose work will be directly impacted are often left out of the process.

Accordingly, feedback from stakeholders at the helm of the financial success of your company should also be incorporated. Here are a few stakeholders who should weigh in on your definitions of effectiveness and efficiency:

  1. Internal stakeholders: Board of directors, audit committee, executives, senior management and department leads
  2. External stakeholders: Regulators, standard-setters, vendors, customers and external audit teams

STEP 2: DO THE WORK NEEDED TO SET EXPECTATIONS

The second step of this process continues to articulate the definitions of effectiveness and efficiency, and sets expectations for your team.

By this stage, you should have an internal definition of effectiveness and efficiency, and you have tempered that definition in the context of what key internal and external stakeholders need. To better set your organization up for success, make these definitions more actionable and specific through the assignation of qualitative and quantitative metrics.

As described in a Forbes article, Forrester reports 74 percent of firms say they want to be “data-driven,” but only 29 percent are actually successful at connecting analytics to action. Actionable insights appear to be the missing link for companies that want to drive business outcomes from their data.

Make these definitions more actionable and specific for your team by assigning qualitative and quantitative metrics for each. To collect qualitative and quantitative metrics, try the following tactics:

  • Look back at past performance data to determine quantitative metrics:
    • How many audits were scheduled?
    • How many were completed?
    • How was staff utilized?
    • What were the budgeted hours as compared to the actual hours?
  • Go on a listening tour of departments impacted by your work to determine qualitative metrics:
    • What do clients think of your team’s performance?
    • What do other internal stakeholders think of your team’s performance?
    • Do they consider you and your team leaders in your role, or order-takers?
    • Would they want to engage in future projects with your team?

With these actionable definitions in hand, the expectations for your team should be crystal clear. It is ultimately up to chief audit executives to hold their teams accountable for efficient and effective—along with quality—work.

STEP 3: CHECK PROGRESS AGAINST SET EXPECTATIONS

To check the quality, effectiveness, and efficiency of your team’s work, internal audit leaders should look at individual performance on an ongoing basis—not just an annual one. After all, it is easier and less problematic for leaders to reevaluate individual performance in small increments before it becomes a major issue.

In organizations of all sizes, a traditional once-per-year approach to employee reviews is fading away in favor of more ongoing ones. As a Washington Post article describes, today’s employees have come to expect instant feedback in many other areas of their lives, and performance reviews should be the same. Besides, the article states, one report found that two-thirds of employees who receive the highest scores in a typical performance management system are not actually the organization’s highest performers.

Chief audit executives should encourage the completion of self-appraisals. A Harvard Business Review article explains that an effective self-appraisal should focus on what you have accomplished and talk about weaknesses carefully, using language with an emphasis on growth and improvement rather than admonishment. Highlight your team’s blind spots, which they might not be aware exist.

In short, employees want more frequent and iterative assessments of their work, and internal audit leaders need to step up to deliver this and ensure quality, effectiveness, and efficiency at all stages.

STEP 4: ACT UPON WHAT YOU HAVE LEARNED

By this step, internal audit leaders have an array of tools at their disposal, including:

  • Actionable definitions of effectiveness and efficiency for their teams
  • Qualitative and quantitative metrics to bolster these definitions
  • Information gathered from self- and manager-guided evaluations
  • An understanding of how team members have performed along these guidelines

With this information in hand, many opportunities for growth are apparent—simply compare where you want your team members to be against where they are right now. By implementing these fact-based changes into your internal audit processes, leaders set the stage for cyclical organizational and personal improvement.

According to a survey, this type of continuous improvement yields a positive ROI for organizations, helping increase revenue, along with saving time and money—an average annual impact of $6,000. Additionally, these improvements are designed to compound with each cycle.

Just as the approach to monitoring and improving audit quality is ongoing and cyclical—there are always improvements yet to be made—this approach to improving effectiveness and efficiency is fluid as well.

By weaving this four-part process into the fabric of your internal audit methodology, leaders can improve effectiveness and efficiency in their organizations.
