10 Keys to Successful Internal Audit Risk Assessments
A new survey report delivers insights on how internal audit functions can fine-tune their current risk assessment and audit planning processes, and explores how auditors can better understand and audit the emerging and strategic risks facing their organizations.
The report, Enhancing Risk Assessments & Audit Planning: 10 Key Considerations, was released on Oct. 5 by Wolters Kluwer and TeamMate, an internal audit management system that is part of Wolters Kluwer Tax & Accounting. The findings from the 2016 TeamMate Global Audit Technology Survey, which polled nearly 600 global audit leaders last July and August, form the backbone of the report.
“Our intent was to compile useful data on both current and anticipated practices in three related and interdependent audit processes – risk assessment, audit planning, and reporting on these activities to management and the audit committee,” the report states.
Based on the survey results, here are 10 best practices internal audit leaders can use to bolster their risk assessment efforts.
1. Move to a more continuous risk assessment process. Nearly half of the survey respondents indicate they either assess risk on a continual basis or combine an annual risk assessment with some form of continuous risk assessment. Looking at respondents who currently assess risk on either an annual or periodic basis, 56 percent expect to move to a more continuous risk process within the next two years.
2. Address the organization’s strategic risks. A majority of respondents said their risk assessment processes include formally assessing the strategic risks of their organizations. In addition, 70 percent are either highly or reasonably confident that their internal audit staffs would either identify any major changes in the organization’s strategic risk profile or would be informed of any such changes on a timely basis.
3. Target emerging risks. There is a growing focus on emerging risks, as 55 percent of respondents report having a formal process to identify, assess, and report on these risks, while 44 percent provide their audit committees with a regular report on internal audit’s assessment of emerging risks.
Of those who do not currently include emerging risks in their assessments, 62 percent plan to do so within two years.
4. Consider the impact of macro-risk factors. Nearly half (49 percent) of respondents said they are currently assessing external macro-risk factors, such as systemic, political, or macro-economic risks. Also, nearly half of those respondents whose risk assessments do not currently include macro risks plan to add that component within a couple of years.
5. Focus more on cyber-risks. Data from the Institute of Internal Auditors’ Common Body of Knowledge study show that cybersecurity is the greatest technology-related risk facing internal auditors today. As a result, most (85 percent) internal audit groups are changing their risk assessment processes to enhance their coverage of cyber-risks, according to the TeamMate survey.
6. Expand input from related functions to strengthen risk assessments. Survey respondents have adopted the idea that the stronger the input into the risk assessment process, the better the outcome.
Seventy-three percent of respondents report they either coordinate or align their risk assessments with other risk-and-control units, such as enterprise risk management (ERM), compliance, technology, finance, and legal. Nearly three-fourths also seek input for their risk assessments from management.
7. Enhance risk assessment techniques. Risk assessment techniques continue to evolve in sophistication. According to the survey, 22 percent of respondents currently use scenario analysis, 15 percent use forecasting or other risk modeling, and 11 percent perform stress testing against major economic assumptions.
Over the next two years, 37 percent of respondents expect to be monitoring key risk indicators, 35 percent expect to be conducting data or statistical analysis, and 22 percent are likely to be assessing the impact of innovative or disruptive technologies.
Speaking of technology, slightly less than half of respondents currently use it to support their risk assessment process, but 76 percent expect to use technology more over the next couple of years.
8. Make your audit planning more dynamic. Although 57 percent of respondents report conducting an annual audit plan with some periodic updates, a large number (40 percent) are updating their audit plans either monthly or as audit work is completed.
With an eye toward the future, however, 5 percent of respondents are already conducting totally rolling audits, while another 28 percent will likely move to a rolling audit plan over the next two years.
9. Enhance your risk reporting. In addition to refining their risk assessment processes, internal auditors also appear to be enhancing their reporting on process results.
While 61 percent of respondents report using Microsoft Word, Excel, or PowerPoint documentation for risk reporting, 22 percent are using new risk-reporting approaches, ranging from heat maps, risk dashboards, and SharePoint to combined reporting with an ERM function.
10. Address management and audit committee expectations. “Ultimately, an internal audit group needs to ensure that its risk assessments and audit planning processes are aligned with and meet, if not exceed, the expectations of key stakeholders,” the report says.
That being said, 42 percent of respondents said providing overall assurance on the risk management practices of the parent organization is viewed by their audit committees as a primary role of internal audit.
In addition, 58 percent are providing audit committees with an opinion on the adequacy of the organization’s risk management processes, while 75 percent inform both the audit committee and management about how changes in the organization’s risk profile are reflected in the audit plan.