Internal audit standards require that the internal audit function conduct an annual risk assessment in order to develop a risk-based internal audit plan for the year. This assessment and planning exercise can take many shapes and sizes, and it serves as the starting point from which internal audit can provide independent, objective insights that add value and improve an organization's operations.
Outlined below are five key considerations for the risk assessment process that will enable public sector entities, including state and local governments, public utilities and tribal governments, to develop a value-added internal audit plan.
Internal audit aims to be an independent and objective activity designed to add value and improve an organization’s operations. Leaders in governmental entities – management, elected officials and boards/councils alike – have different interpretations of how to operationalize the internal audit function to best serve the organization. The focus from each stakeholder usually varies slightly, as internal audit projects can focus on a number of activities. Audit objectives may include preventing or detecting fraud, waste and abuse; improving operational efficiency and effectiveness; enhancing the control environment; and providing recommendations grounded in best practices.
The starting point each year is conducting an internal audit risk assessment. The assessment enables internal audit to prioritize and focus activities on key risks, as well as organizational strategic objectives. To establish a risk-based plan, focus the priorities of the internal audit activity and align the internal audit function’s work with the organization’s goals.
Other related assessments, such as enterprise risk management, business impact analysis or an internal controls review, are often mistakenly referred to as a “risk assessment.” Internal audit should seek a clear understanding of the objectives in order to identify the most appropriate assessment type. The internal audit risk assessment primarily measures inherent risk, before any internal controls or management plans are applied. The organization may already have plans, processes and/or controls in place to mitigate many or all of the identified risks. Internal audit’s work in this initial stage is generally not intended to assess the organization’s response to these risks. As the internal audit team develops its risk assessment work plan, it should meet with the various stakeholder groups – management, the audit committee and the governing body – to explain the process, set expectations for the results and listen to any desired outcomes, as a means of adapting the approach or identifying other activities where internal audit can add value.
In the risk assessment process, the internal audit team will identify numerous potential risks and is tasked with recommending audit activities to help address the risks. The challenge lies in assessing those risks in a way that allows for the most important and critical risks to rise to the top, when considering audit activities.
Consider, for example, attempting to weigh a capital project against an organization-wide objective such as the ethics program. In the absence of meaningful data and without a clear understanding of the likelihood and impact of an adverse event, it can be difficult to assign a risk rating.
Thus, it is important to develop a scoring methodology that rates risk. One possible means of categorizing risk includes the following categories:
After categorizing risks, it is important to adapt the risk scoring methodology for each category under consideration. For instance, the impact rating scale for financial risks may be driven by the potential dollar amount impact from an adverse event. For non-financial risks, the risk categories consider qualitative aspects of the risk – strategic, IT or reputational, for example. The likelihood rating scale may be driven by the expected number of occurrences of an adverse event annually in the absence of controls.
Paralysis by analysis is a common feeling when conducting a risk assessment. An internal auditor, who by nature wants to be absolutely certain that the analysis is correct, may become stuck determining whether the risk scoring methodology is perfect or if the risk ratings were assigned accurately. While accuracy is certainly important, it is also important to consider the end goal – prioritize internal audit activities and develop the internal audit plan.
At the end of the analysis, the internal audit team may have identified dozens or even 100-plus auditable activities. The internal audit function, however, has capacity constraints that may limit planned audit activities to five to 10 per year (excluding assignments that come throughout the year, of course). The more efficient the internal audit team can be in identifying the recommended risk-based internal audit plan, the more time and capacity it has to devote to value-add internal audit activities throughout the year.
Many organizations are aware of their opportunities for improvement and have initiatives in place to address them. It is important for the internal audit function to explore those initiatives through the risk assessment process to decide what consideration to give in instances where internal audit would be engaging in a parallel activity aimed at improvement.
There are many examples where this might occur – for instance, a succession and workforce planning initiative or a large technology project. These risks may be identified as moderate/high risk and are instances where the business unit has engaged a consultant or internal working group, not internal audit, as an advisor. While the internal audit team could perform an audit or consulting activity, the parallel activity may not be “ripe” for an internal audit. It may be most valuable for the new program to begin and run its course before evaluating opportunities for improvement.
This consideration is most important near the end of a risk assessment process, when considering how risk ratings generally drive the internal audit plan. As a result, it is important to ask about and discuss ongoing and planned initiatives during risk assessment interviews.
It is easy to ignore emerging risks with which we are less familiar. Examples of emerging risks in 2020 include cybersecurity, pandemic/disaster response (e.g., COVID-19), policing and public safety (for state and local governments) and economic and financial distress. Because there is little existing literature or data, emerging risks are difficult to assess, making it harder for the internal audit function to assist and add value.
However, emerging risks should not be ignored. The internal audit team may need to be creative in evaluating these risks. First, identifying a subject matter expert (SME) may be easier than anticipated. In the risk assessment process, the internal audit team may not always solicit input below the department or division management. However, there may be an SME within those departments or divisions who has specialized knowledge; identifying those individuals is key. The SME could be an independent and objective member within the organization, a consultant or third party, or even a peer in a similar organization.
Seeking continuous improvement to your risk assessment and internal audit planning process is key to strengthening governance, risk management, internal controls, business processes, program management and overall operations within your entity. The practices noted above should be considered by your organization leadership and the internal audit function.