Internal audit risk assessments and annual audit planning in public sector entities

Internal audit aims to be an independent and objective activity designed to add value and improve an organization’s operations. Leaders in governmental entities – management, elected officials and boards/councils alike – have different interpretations of how to operationalize the internal audit function to best serve the organization. The focus from each stakeholder usually varies slightly, as internal audit projects can focus on a number of activities. Audit objectives may include preventing or detecting fraud, waste and abuse; improving operational efficiency and effectiveness; enhancing the control environment; and providing recommendations grounded in best practices.

The starting point each year is conducting an internal audit risk assessment. The assessment enables internal audit to prioritize and focus activities on key risks, as well as organizational strategic objectives. To establish a risk-based plan, focus the priorities of the internal audit activity and align the internal audit function’s work with the organization’s goals.

Other related assessments, enterprise risk management, business impact analysis or an internal controls review are often mistakenly referred to as a “risk assessment.” Internal audit should seek a clear understanding of the objectives in order to identify the most appropriate assessment type. The internal audit risk assessment primarily measures inherent risk, before any internal controls or management plans are applied. The organization may already have plans, processes and/or controls in place to mitigate many or all of the identified risks. Internal audit’s work in this initial stage is generally not intended to assess the organization’s response to these risks. As the internal audit team develops its risk assessment work plan, they should meet with the various stakeholder groups – management, the audit committee and the governing body – to explain the process, set expectations for the results and listen to any desired outcomes, as a means of adapting the approach or identifying other activities where internal audit can add value.

In the risk assessment process, the internal audit team will identify numerous potential risks and is tasked with recommending audit activities to help address the risks. The challenge lies in assessing those risks in a way that allows for the most important and critical risks to rise to the top, when considering audit activities.

Consider, for example, attempting to weigh a capital project against an organization-wide objective such as the ethics program. In the absence of meaningful data and without a clear understanding of the likelihood and impact of an adverse event, it can be difficult to assign a risk rating.

Thus, it is important to develop a scoring methodology that rates risk. One possible means of categorizing risk includes the following categories:

• Environment, strategy and governance: This section often encompasses entity-wide considerations such as the organization’s mission, strategy and vision, as well as organization-wide concerns like the tone at the top or organizational governance.
• Major initiatives and large projects: This is where large projects, such as a capital/construction project or a large system implementation, would fit. This includes large initiatives that come with significant effort or cost to the organization – a common initiative is an employee engagement process where recommendations take time to implement.
• Function-specific: This is an area where risks can be represented within each function of the organization – finance, IT, human resources and operations, for example. Often, these risks are more transactional and can be more easily assessed in terms of likelihood and impact.

After categorizing risks, it is important to adapt the risk scoring methodology for each category under consideration. For instance, the impact rating scale for financial risks may be driven by the potential dollar amount impact from an adverse event. For non-financial risks, the risk categories encompass consider qualitative aspects of the risk – strategic, IT or reputational, for example. The likelihood rating scale may be driven by the expected number of occurrences of an adverse event annually in the absence of controls.

Paralysis by analysis is a common feeling when conducting a risk assessment. An internal auditor, who by nature wants to be absolutely certain that the analysis is correct, may become stuck determining whether the risk scoring methodology is perfect or if the risk ratings were assigned accurately. While accuracy is certainly important, it is also important to consider the end goal – prioritize internal audit activities and develop the internal audit plan.

At the end of the analysis, the internal audit team may have identified dozens or even 100-plus auditable activities. The internal audit function, however, has capacity constraints that may limit planned audit activities to five to 10 per year (excluding assignments that come throughout the year, of course). The more efficient the internal audit team can be in identifying the recommended risk-based internal audit plan, the more time and capacity it has to devote to value-add internal audit activities throughout the year.

Many organizations are aware of their opportunities for improvement and have initiatives in place to address them. It is important for the internal audit function to explore those initiatives through the risk assessment process to decide what consideration to give in instances where internal audit would be engaging in a parallel activity aimed at improvement.

There are many examples where this might occur – for instance, a succession and workforce planning initiative or a large technology project. These risks may be identified as moderate/high risk and are instances where the business unit has engaged a consultant or internal working group, not internal audit, as an advisor. While the internal audit team could perform an audit or consulting activity, the parallel activity may not be “ripe” for an internal audit. It may be most valuable for the new program to begin and run its course before evaluating opportunities for improvement.

This consideration is most important near the end of a risk assessment process, when considering how risk ratings generally drive the internal audit plan. As a result, it is important to ask about and discuss ongoing and planned initiatives during risk assessment interviews. 

It is easy to ignore emerging risks with which we are less familiar. Examples of emerging risks in 2020 include cybersecurity, pandemic/disaster response (e.g., COVID-19), policing and public safety (for state and local governments) and economic and financial distress. Because there is little existing literature or data, emerging risks are difficult to assess, making it harder for the internal audit function to assist and add value.

However, emerging risks should not be ignored. The internal audit team may need to be creative in evaluating these risks. First, identifying a SME may be easier than anticipated. In the risk assessment process, the internal audit team may not always solicit input below the department or division management. But, there may be a SME who falls within those departments or divisions who has specialized knowledge; identifying those individuals is key and could be an independent and objective member within the organization, a consultant or third party, or even a peer in a similar organization.