For an internal audit function to be effective, its efforts must be risk-based and must meet the organization’s long-term assurance requirements. Members of the board, the audit committee and executive management look to internal audit to cover the entire spectrum of risks and issues facing the organization; that is, they expect internal audit to assess the significant risks to the organization and provide timely assurance that adequate controls are operating effectively to mitigate those risks.

It is a huge responsibility.

Most organizations have numerous potentially auditable entities (corporate initiatives, business lines, systems, regulatory requirements; the list is endless) and internal audit must decide which of these entities they are going to tackle first. The audit risk assessment works to bring at least a semblance of order to the audit universe, evaluating the various possibilities and attempting to address the potential risks facing the organization.

Risk Assessments And Auditing Priorities

The International Standards for the Professional Practice of Internal Auditing as promulgated by the Institute of Internal Auditors specify that:

The chief audit executive should establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals (Standard No. 2010 – Planning); and

The internal audit activity’s plan of engagements should be based on a risk assessment undertaken at least annually. The input of senior management and the board should be considered in this process (Standard No. 2010A).

That is to say, internal audit plans and priorities must be driven by a risk assessment at both the macro level (for the annual plan) and the micro level (for each audit engagement).

Audit risk assessments come in all shapes and sizes, reflecting the vast diversity of business environments: from very formal, very detailed, annual assessments, to more of a rolling high-level analysis on a quarterly or even monthly basis (even moving to an almost continuous basis for some organizations) with the related audit plans being revised almost as regularly.

To develop an audit plan, the risk assessment evaluates the key forces that create risk for the organization and assesses two fundamental factors:

The potential impact of a risk’s occurrence, and

The likelihood of that occurrence.

Those factors must also be aligned with the business environment in which the organization operates; in other words, they must be relevant. The audit risk assessment is not an end—it is a means to an end. Internal audit needs to define the audit universe and assess the risks facing the organization in achieving its objectives, so that audit efforts can be properly prioritized.

Revisiting the risk assessment regularly helps ensure that the path you take continues to be the right one. After all, mid-course corrections are always needed. Consider a 747 flying from New York to San Francisco. A flight plan is created based on all the factors known prior to leaving New York—which is to say, the risks and requirements are assessed (weather concerns, traffic issues, equipment capabilities, and so forth). Throughout the flight, progress is monitored and mid-flight corrections are made to ensure the flight is efficient and on the right path. Finally, upon arrival, a post-trip evaluation is completed to determine what, if anything, should be changed for the next trip.

Now apply that approach to the world of corporate auditing. What priority should be assigned to an audit of, say, the human resources department’s efforts, versus the security system for an organization’s numerous inventory warehouses? If the skills and creativity of the organization’s workforce truly drive the long-term success of the organization, HR might be the logical target for your next big audit. Conversely, if the products in the warehouse (if compromised) could bring the organization to its knees, then a security audit might be the top priority.

In other words, improving the risk assessment process helps to ensure that audit priorities are appropriate. Many of the resources provided in the sidebar present the consensus views of leaders in internal audit and risk management, and should be evaluated for applicability to your organization.

And what if your audit risk assessment is wrong? My answer has always been that it’s better to try to forecast the future than just to let it happen to you. Besides, whenever you have analysis and debate about risks—their potential to disrupt, the controls and contingency plans to address them, and so forth—that invariably strengthens the organization. It’s just human nature: If you give the auditor and management a flashlight and tell them to look in their closets each year, eventually people start cleaning those closets up.

The Internal Audit Plan As Roadmap

The end result of the risk assessment process is the internal audit plan. Establishing or updating an internal audit plan isn’t always easy, but it is critical; without a plan you are not in control. Without an approved plan you also don’t have the needed support and (equally important) agreement on what the long-term assurance requirements for the organization truly are.

An important issue in developing the internal audit plan is the involvement of management. While the input from management stakeholders is vital, the independent judgment and final decisions need to rest mainly with the chief audit executive. Management cannot dictate audit priorities.

In an established audit function, with many years of experience with audit plans, a meeting with a few executive guests can complete the review and provide a final proposal to the audit committee. At the end of the day, the audit committee (representing the board’s many interests) is responsible for approving the CAE’s audit plan.

Presenting the proposed internal audit plan to the audit committee for approval is one of the most critical activities within internal audit. The audit committee’s stamp of approval sets the direction for internal audit’s efforts, and facilitates senior executives’ debates about:

What is really important to the company;

What challenges are facing the company; and

What the internal audit department believes to be the key risks facing the company.

As corporate governance debates go, they don’t get any better than that!

Directors must satisfy themselves that the audit plans are appropriate and that internal audit will contribute to the organization’s performance results. The dialogue between management, the audit committee, and the chief audit executive regarding the audit plan ensures that internal audit has a seat at the governance table. In general, development of an effective audit plan involves a combination of everything talked about today: risk assessment, dialogue among all the key stakeholders, a consensus on what internal audit wants to achieve, and finally, what assurance needs for the organization must be met.

Finally, an approved audit plan is not the end of implementing an effective internal audit function; it’s more like the beginning of a new year, and very similar to the approval of the organization’s annual budget—where you’ve decided what the priorities are, what you’re going to spend, where you plan to spend it, and what you expect to get. But throughout the year you’ll still need to assess changes to the risk profiles and the related plan, propose adjustments to the audit committee, and most importantly, meet your many goals and objectives.