Part of an internal audit department’s mission is to ensure that the organization has effective governance and management around its risks. But what about internal audit, itself?
Audit departments face similar risks to other corporate functions. If internal auditors cannot manage their own risks appropriately, it is hard for them to educate others about the need to manage their risks effectively. Auditors should practice what they preach.
Internal audit’s risk management program should result in risks being managed as they would be in any other competent risk management program. The audit function needs to identify all relevant risks; perform risk assessments; set its risk appetite; mitigate, manage, avoid, transfer, or accept the risks; and continuously monitor the risks.
Risk in the context of internal audit can be defined as an uncertain event or condition that, if it occurs, has an effect on at least one internal audit objective. As such, internal audit should start by examining its mission and objectives, which are typically defined in the internal audit charter approved by the organization’s board of directors or audit committee. By understanding internal audit’s key objectives, auditors can then identify the risks that can prevent them from achieving those objectives.
One of the most significant risks is strategic risk. For internal audit, one risk is whether the department is strategically positioned within the organization to achieve its objectives. Other considerations include whether the department has the authority, independence, and objectivity to provide assurance and help the organization improve its risk management; whether it is focused on assurance or financial recoveries; and whether the audit team has the right personnel.
Strategic risk also could arise when audit strategy does not align with the organization’s overall strategy. For example, this can happen in an organization that is planning to expand into emerging markets when internal audit is not equipped to cover anti-bribery and foreign corruption risks associated with the expansion. Every organization is different, but the chief audit executive (CAE) can generally manage this risk by refining the internal audit charter; interacting with the board, senior management, and other stakeholders; and ensuring risk assessments and audit plans are up to date.
Credibility is the most important asset of any audit function. Reputation risk is the potential that negative publicity regarding internal audit’s practices will cause a decline in trust in the department. Misconceptions about internal audit can damage its ability to achieve its objectives. Also, reputation risks can arise from operational or compliance risk.
This risk can be managed by maintaining timely and efficient communications among stakeholders, reinforcing ethics, creating awareness at all staff levels, developing a comprehensive audit methodology, focusing on risk and built-in controls, responding promptly and accurately to stakeholders, and establishing a quick response team in the event there is a significant action that may trigger a negative impact on the function. A strategically positioned internal audit function also may be better prepared to defend its own reputation.
Compliance risk is becoming important for internal auditors, particularly in highly regulated industries such as large banks. For example, the U.S. Office of the Comptroller of the Currency created Heightened Standards that include guidelines about the roles and responsibilities of internal audit. The Federal Reserve Bank has issued a Supplemental Policy Statement on the Internal Audit Function and its Outsourcing.
As audit departments get deeper into data analytics, compliance with consumer data and cross-border privacy laws could become a concern. The key to managing the risk is to thoroughly evaluate the laws and regulations and address them through internal audit’s own policies and procedures as well as ensuring the ability to demonstrate compliance with the rules. Internal reviews performed by an independent quality assurance team can help identify potential issues and prevent noncompliance incidents.
Apart from the previous risks, the category most relevant to internal audit’s day-to-day activities is operational risk, which consists of risks that arise from deficiencies in people, process, or technology. Like other departments, internal audit has specific operational goals such as completing the annual audit plan, validating audit-identified issues, maintaining costs within a defined budget, and developing a skilled workforce.
A systematic approach should be taken to manage the operational risks, including defining an operational risk appetite, developing key performance and risk indicators, monitoring, and taking actions to mitigate the risks. For example, to ensure timely completion of the audit plan, it may be helpful to closely monitor audit start, fieldwork completion, and report dates. A dashboard stratified by teams may help manage each team’s execution risks. A graph of quality assurance review results by team also may enable the CAE to identify teams that have issues with executing audits and provide training to remedy the risk.
Once the risks are identified and defined, internal audit should establish thresholds to monitor and mitigate them. Color codes could highlight areas of focus. For example, if more than 20 percent of the audits in progress are delayed more than 30 days, a red status may indicate the risks to timely completion of the audit plan. If one team’s turnover ratio is more than 20 percent, it may be time to highlight the risk as red for action.
The thresholds are dependent on the CAE’s risk appetite, but they also should consider input from key stakeholders. For example, the CAE may want to specify that no more than 5 percent of the audit plan may be carried over into the next calendar year. If that target appears to be at risk, then the CAE should take action to mitigate risks. For example, if turnover around a certain time of the year is elevated, a prenegotiated cosourcing arrangement may help mitigate the risk of not completing the audit plan.
Furthermore, internal audit should apply the organization’s enterprise risk management policies where relevant, at least in principle. For example, when operational incidents such as near misses — incidents that almost happened — occur in internal audit activities, internal audit should file internal incident reports, analyze root causes, and prevent similar events in the future.
Better Risk Assurance
In addition to risk indicators, thresholds, and incident tracking, other useful tools exist. For example, internal audit can use a risk control matrix to perform a risk control self-assessment that evaluates the adequacy of internal controls in place within the department. By creating a library of risks and corresponding controls and self-evaluating periodically, internal audit departments can have better assurance about their own risks.
A holistic approach to managing internal audit’s strategic, reputation, compliance, operational, and other risks can bring more consistent performance. Moreover, it can better position the department to help the organization improve its risk management process.