Companies are increasingly seeking to improve their ability to define and manage growing and changing risk profiles. More often, they are turning to internal audit to help with that task.

Chief audit executives and internal audit commentators agree that internal audit activities should be risk-based in order to contribute to the long-term assurance needs of the organization.

The top challenge for internal audit in this complicated risk landscape is ensuring that audit priorities are aligned with organizational needs. In a 2012 survey on the state of the internal audit profession conducted by PwC, the majority of participating executives said that as risk awareness becomes a greater concern to investors, they are seeking greater assurance of their companies' ability to manage current and future risks. The survey also found that "providing advice on risk and controls" is now a very close second to the traditional role of "auditing of financial controls and compliance" among what executives expect of internal audit.

An Evolving Role

The majority of executives participating in the PwC survey said their businesses face more risks than ever before and that the consequences become apparent much more quickly. Although it is not fully clear whether this is more perception than reality (perhaps because we know more), what is plain is that many executives are not comfortable with how well their company's most critical risks are being managed. Thus CAEs must focus on ensuring that internal audit understands the major risks the company faces and is in a position to "address those risks in a timely manner, provide insight on risk impact, and clearly communicate recommendations focused on improving business performance," as PwC stated in its analysis of the survey results.

The International Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors, emphasize top-down risk-based planning in developing the audit plan. The standards also urge auditors to consider the input of senior management and the board to better ensure the plan is consistent with the organization's goals. But the PwC study expresses concern about the wide variation seen in internal audit risk-assessment approaches, in the areas of focus of internal audit plans, and in the quality of resources devoted to internal audit efforts.

Within the profession itself, there is agreement that internal audit needs to think and act more strategically to target and prioritize audit coverage of risk. Anecdotal stories persist of internal audit shops that avoid major risk areas because they understand neither the risk nor that area of the business, although progress is being made. Internal audit plans now appear to reflect more comprehensive coverage across operational, financial, and compliance areas, aligning more clearly with the actual risks experienced by the company. This is in contrast to much of the past decade, when audit plans tended to focus on financial risks and controls and on compliance with the Sarbanes-Oxley Act of 2002.

Companies increasingly expect internal audit to develop skills and leverage specialists to support areas where it traditionally does not have the breadth and depth of expertise in order to provide necessary insight. It's no longer acceptable for internal audit to stay in its comfort zone and focus only on safe areas such as financial controls.

Strategic Audit Risk Assessments

So how does internal audit adjust to focus on the greatest risks facing the organization?

There are tools and methodologies that allow the internal audit professional to think this through from the top down or from the bottom up. For companies with an enterprise risk management (ERM) program, the internal audit department can leverage and coordinate with risk management and corporate compliance efforts. The standby risk assessment approach, which analyzes the risk universe to find higher risks based on asset size, revenue, and other measures, is no longer adequate in today's world.

Successful risk assessments require the involvement of many individuals with a variety of areas of expertise. Their divergent business experiences, inside and outside the organization, add richness to the data collection and analysis and ensure that the risk assessment is not the exclusive product of a single department or perspective. Benchmarks indicate that a wide range of functions participate, with certain core departments, including legal, compliance and ethics, internal audit, human resources, and finance, leading the field of participants.

By reviewing and supporting risk-management processes—and proactively offering advice—internal audit can help connect the dots and identify common themes and trends to ensure the assessment of risk is not just an exercise in futility.

Because the risk assessment is not a one-time event, the organization should have a management-level risk steering committee to maintain continual oversight over the periodic performance of risk assessments. With a core team in place and the objectives confirmed, the organization can start identifying the universe of risks to be evaluated. The following are essential considerations:

- Identifying the Risk Universe: Risk assessments should be based on data collected from a variety of sources. Risk itself is not easily described or measured; therefore it must be inferred from a wide range of data from inside and outside the organization.

- Prioritizing the Risks: Following data gathering and discussions, internal audit should be prepared to prioritize the identified risks in order to evaluate the controls in place and to recommend how to mitigate those risks.

- Inventorying Key Controls: Once the top risks are identified and prioritized, the next challenge is to identify existing measures that address those risks, if any. What are the appropriate and required responses to the identified and rated risks? Some may require more auditing and proactive monitoring, additional systems controls, or other measures.

A formal audit risk assessment should be completed at least annually, and the results of that assessment should direct internal audit priorities. A once-a-year risk assessment and planning process, however, may not keep pace with changing and emerging risks. Continuous risk assessment activities, such as participation in standing committees throughout the organization to keep a finger on the ever-changing risk pulse, are also becoming necessary.

Emerging Threats Versus Unknown Unknowns

One of the most challenging aspects of risk assessment is gaining an understanding of emerging risks: those outlier threats that are either unknown or on the periphery. As with most things that are complex and unfamiliar, companies tend to focus on the issues they already understand rather than expend the time and energy to delve into an unknown threat.

Then there are the unknown unknowns, also called "black-swan" risks: the threat nobody had considered, and nobody can see coming. But the black-swan risk is not what the auditor should be concerned about. The simple truth is that black-swan risks are, by definition, beyond our ability to perceive and anticipate. The much more pervasive and dangerous risk is that we fail to see the risks right in front of us, amplifying over time, until it is too late. The vast majority of risks can be anticipated by understanding the business environment in which your organization operates and by closely monitoring government actions and industry trends.

Scenario Analysis

To stay one step ahead of what's coming, CAEs need to examine more than just the potential impact of emerging risks. It is not enough to attempt to qualitatively identify and assess emerging risks; companies need to recognize the factors that combine to create emerging risks and develop the ability to quickly respond.

One way to evaluate high-impact, low-probability events is through scenario planning, which can augment statistical models and help companies prepare for specific events. Scenario planning enables executives to answer the questions: "What could disrupt our plans? And how vulnerable are we to it?"

Scenario analysis forces executives to ask, “What could go wrong in the future?” Proper scenario analysis improves decision making by allowing management to more completely consider various outcomes and their implications to an organization.

The New Risk Landscape

Obviously, internal audit can't audit everything. In reality, internal audit cannot be expected to audit esoteric yet substantial risks outside of the financial and basic operational and compliance areas. Yet the board still requires assurance that these risks are being managed, and internal audit can add value to the process.

Internal audit's role is to coordinate all the assurance provided and to ensure that it is credible and delivered in a consistent manner. By providing deep insight into major risk activities, internal audit offers a point of view that helps the organization improve its response to risk. The CAE is expected to be in the boardroom, where the CAE's voice is well respected and heard.

Internal audit professionals should also keep in mind that a poor risk-assessment process (and therefore a poor risk-management function) is itself the biggest risk an organization may face.