It is a time of great change in internal auditing, and the expectations to deliver have never been higher. There are many new — and some repackaged — concepts floating around, such as audit innovation, agile auditing, becoming a trusted advisor, and strategic auditing. One thing that has not changed, however, is internal audit's desire to add value to the organization through the execution of its work, whether through assurance or consulting activities. Internal audit, more than ever, is moving into areas of the business — such as strategic planning and culture — that are more subjective and require more auditor judgment. Venturing into these areas may require auditors to recalibrate their risk appetite and accept more risk going forward.
To successfully meet the expectations of their key stakeholders, chief audit executives (CAEs) must first ensure that, foundationally, internal audit is set up for success. A key element is that the objectives of the internal audit department are clearly defined and agreed upon with stakeholders, and that the risks to achieving those objectives are clearly identified and assessed. Building the elements of risk management into the day-to-day activities of internal audit, from the overall operations of the department down to the engagement level, will ensure sustainable activity and should facilitate more agile auditing through a clear understanding of risk appetites and tolerances.
Internal auditors, while having the unique position and ability to provide an opinion on the ability of others to identify and manage risk, whether strategic, operational, compliance, or financial, seem less inclined to look internally at their own risk management practices. Internal audit's appetite for risk may be too low, inhibiting agility, innovation, and the transformation of the function. Although there is no absolute assurance in internal auditing, it is easy to default to a risk-averse position when headlines call out internal audit specifically — Where were the auditors? — when analyzing compliance failures, cultural issues, and material weaknesses or significant deficiencies in internal control over financial reporting.
The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) updated Enterprise Risk Management–Integrating With Strategy and Performance provides the opportunity to take a fresh look not only at the organization's risk management practices, but also those within internal audit. Although it is directed at the enterprise level, the updated framework is scalable, and parallels can be drawn to the department or function level.
When looking at risk management within internal audit, CAEs can follow the model that the framework has established, starting with the mission, vision, and core values of the department and ending with the delivery of enhanced value through its risk management processes.
Step 1 – Mission, Vision, and Core Values
Internal audit should clearly articulate its mission, vision, and core values. It should start with The IIA's Definition of Internal Auditing and then survey key stakeholders to understand the expectations of the internal audit department. The mission and vision will vary by organization depending on many elements, including the industry, how highly regulated the entity is, and the overall governance structure. The mission and vision may be aspirational depending on the level of maturity of the internal audit function. The steps to achieve an aspirational mission and vision may be part of the risk profile.
The new COSO framework clearly indicates that a key component of sustainable and embedded risk management is to align with strategic objectives. The mission, vision, and core values are the foundation for the strategy, business objectives, and performance. Managing the risks associated with those items will drive enhanced performance.
Step 2 – Define Strategy and Identify Business and Performance Objectives
In identifying internal audit's business and performance objectives, there should be alignment to the organization's overall objectives and consideration of the feedback received from key stakeholders. For example, a proposed internal audit strategy could be that the function should primarily focus on compliance-related audits. The objective could be to ensure that the first — and second, if applicable — lines of defense have appropriate risk management and internal controls in place to address compliance-related risk. A risk implication of this strategy is that other risks are not covered by internal audit, as the strategy is too narrow. That risk (although not recommended) could be accepted by the appropriate stakeholder based on the governance structure in place. Clearly defining the audit strategy, and the related business objectives and performance, should help facilitate audit operations and the audit plan, with all stakeholders aligned on what falls under internal audit's purview.
Step 3 – Identify the Risks, Risk Appetite, Risk Tolerance, and Risk Response
Internal audit should identify the risks of not achieving the determined audit strategy and business and performance objectives. For each risk, internal audit should consider its risk appetite, tolerance, and response. For example, a risk to performance of the audit plan may be lack of personnel with technical expertise in specific subject matters. The risk appetite for this situation may be relatively low, to comply with the International Standards for the Professional Practice of Internal Auditing's Standard 2230: Engagement Resource Allocation. The risk tolerance may be limited, and the likelihood of the risk occurring may be high, depending on the department make-up and audit universe. Appropriate risk responses include accept, avoid, pursue, reduce, or share. Internal audit may choose to share this risk by co-sourcing resources within the organization (as appropriate, considering independence and objectivity restrictions) or with an external subject-matter expert.
Step 4 – Stakeholder Buy-in
Throughout the various phases of the process, the CAE should work with key stakeholders to ensure buy-in with the finalized elements, as there is a cascading effect from the determination of the mission and vision; through the strategy, objectives, and performance; to the determination of relevant risks and the risk appetites, tolerances, and responses. The governing body, typically the audit committee, should have the final authority in concurring with the risk responses, especially when the risks are accepted.
As the internal audit risks are built out, with defined risk appetites, tolerances, and responses, this information should be distributed throughout the department to educate team members on expectations and enable them to use it to make risk-based decisions when executing audits. Defining authorities around risk decisions throughout the framework will empower the different levels within audit to make judgment calls and use critical thinking to complete audits in the most agile way.
Risk management should not be a once-a-year process, but instead continuous and evolving as necessary based on risk changes at the organizational level and within the internal audit department. The process and framework should be pliant enough to flex and pivot as needed, with clearly defined governance processes around when specific stakeholders from senior management to the audit committee need to authorize or review changes. Understanding internal audit's strategy and objectives, defining the risks to achieving them, and adding a new level of transparency to risk responses should facilitate internal audit's transformation into a trusted advisor and demonstrate the most effective use of its resources in creating and preserving value.