COVID-19 has disrupted business operations worldwide. Offices sit empty as many employees continue to work remotely. Considering the fact that many organizations may offer remote working as a permanent option for some employees, business won’t return to the old normal anytime soon, if ever.
During these unprecedented times, internal audit also faces challenges to modernize practices, processes, and methodologies amid today’s digital age. As organizations continue to adjust their business models and operations with a digital mindset, internal audit must innovate and transform itself into an agile, multiskilled, and technology-enabled function. It must become a “next-generation” function that can recognize emerging risks and changes to the organization’s risk profile quickly and efficiently, and incorporate them into the audit plan timely. This requires a dynamic risk assessment process.
From Static to Dynamic
The risk management methodologies most organizations have in place today were developed before the turn of the century. In effect, risk management is frequently an analog approach being applied in what is now a digital world.
Organizations need to do more to embed deeper and more insightful risk information in strategy-setting, performance management, and decision-making processes. Twenty-first century advances of digital, cloud, mobile, and visualization technologies; exponential growth in computing power; and advanced analytics can help elevate organizations’ risk management capabilities.
Internal audit can be part of the change by transitioning to a dynamic risk assessment model that enables the department to respond to risks quickly as they change. Next-generation internal audit functions have moved beyond annual or quarterly risk updates to obtain a real-time view of changes to risk and their impact on the organization, as well as the effect on the assurance needed from internal audit.
A dynamic risk assessment approach enables organizations to:
- Identify changing risk trends in real time.
- Reprioritize coverage of risk as changing risk trends are identified.
- Develop an ongoing and common view of risk and the integrated assurance map across the Three Lines Model.
The dynamic risk assessment process must be agile, integrated, and aligned. From an integration standpoint, the risk assessment must closely align with other internal audit processes, leveraging Agile auditing and continuous monitoring practices. In addition, the view of risk across the Three Lines Model must be consistent and aligned to measure and monitor the achievement of the organization’s objectives. Aligned assurance is the correlation of risk, controls, and a broader view of the control environment across the Three Lines Model. Facilitating governance and management of risk within an organization’s risk appetite, aligned assurance seeks to maximize operating efficiency and provide clearer visibility of results to stakeholders.
This alignment relies on an Agile audit approach in which enterprise risk management and internal audit are aligned. Agile auditing uses a framework that is based on iterative and sustainable development, where requirements and solutions evolve through collaboration among cross-functional audit teams focused on quality. Internal audit and its stakeholders are focused on a common goal of risk mitigation by responding to changing and emerging business needs and directions, while simultaneously working to meet business and regulatory commitments. In Agile auditing, if a dynamic risk assessment model does not have an impact on internal audit’s assurance plan, the full potential of the model cannot be realized.
A Call to Action
Internal audit departments should adapt their risk assessment approach to more effectively quantify risk in a rapidly evolving business environment, in real time, and execute relevant assurance work to align with key organizational risks and priorities. Organizations and internal auditors must not only consider urgent matters requiring attention now, but also determine what is coming next and what may happen eventually.
Now The disruptions created by the pandemic are particularly challenging for internal auditors performing risk assessments. Auditors are illustrating the strengths of Agile and targeted risk assessments in an unanticipated and fluid environment.
Auditors have the task of uncovering immediate risks associated with the changes wrought by COVID-19. These threats span the breadth of organizations and include risks related to keeping systems secure while employees are working from home, employees’ mental health and well-being, and meeting compliance obligations in a distributed environment.
Using targeted risk assessments to identify threats during a crisis can deliver more meaningful and valuable results to stakeholders. They can set the stage for discussions about regulatory changes or compliance, as well as emerging or heightened risks, and immediate actions to address them.
Next To build a dynamic risk assessment, internal auditors can use flexible risk assessments to continuously monitor the organization’s operations and identify matters requiring attention. This practice allows internal audit to more quickly and accurately determine where organizations should focus attention and resources to improve processes, address risks, make corrections, and launch goal-achieving initiatives.
Technology is pivotal in effective continuous monitoring. Organizations increasingly are adopting innovations to move toward a continuous monitoring approach, which can help pave the path for a dynamic risk assessment.
Many organizations are leveraging advanced data analytics to allow internal auditors to more effectively map out action plans; make better inquiries into the various owners of risks and processes; and improve how, when, and where audits are conducted. During the pandemic, internal audit functions have used such data to inform and test the value of key risk indicators and then recalibrate these indicators to better align with available data.
Process mining is becoming a key differentiator for internal audit programs, particularly in a work-from-home environment. Process-mining technology provides auditors with critical insight into how systems and processes are operating in these situations and identifies where deviations may be occurring. The data tells auditors what is actually happening and supports dynamic risk assessment activities by identifying hot spots, driving audit focus.
Eventually At some point, the crisis will end and a rebuilding phase will begin. As workers transition to a more familiar routine, internal auditors can use dynamic risk assessments to prepare relevant audit plans and ensure organizations remain responsive to the risks facing day-to-day operations. Internal audit also can enhance the success or repositioning of project delivery, an area impacted heavily by the pandemic. Most importantly, the audit plan needs to provide executives with confidence that internal audit can accurately assess the organization’s financial sustainability and any underlying risk.
The Change Imperative
In today’s rapidly changing world, every organization faces the same reality — improve continuously or be left behind. Internal audit is no exception.
Chief audit executives (CAEs) need to respond to the emerging needs and new strategies of management and the board. When doing this, they must ensure the information they are communicating is timely and relevant.
Many CAEs have amassed goodwill by demonstrating internal audit’s value in response to COVID-19. They can enhance their standing further by adopting next-generation audit practices that include dynamic risk assessments.