Many internal audit functions work hard to complete one enterprisewide risk assessment each year and then plan, or hope, to rely on it for the next 12 months.
But what good is an annual audit plan that can be rendered obsolete almost overnight by new risks that we know are surfacing faster than the plan’s expected shelf life?
Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), in a recent article for Internal Auditor Magazine, called for the adoption of a new, continuous approach to risk assessment. I couldn’t agree more.
Audit plans need to evolve continuously, incorporating up-to-date information and assessments of potential risks as they emerge. There are several techniques that can be used to do this efficiently and effectively, but they must be embraced and practiced by the entire audit team. As Chambers emphasizes, a continuous risk assessment process can’t be executed by the CAE alone.
To adopt this new approach, Chambers recommends the following steps:
- Identify key risk indicators (KRIs) – At the beginning of the year, identify KRIs and monitor them continuously, or at least periodically, throughout the year. KRIs can be linked to the results of the annual risk assessment or to risks that are known to be volatile. When anomalies appear in these KRIs, “red flags” should go up, triggering internal audit to evaluate whether risks are shifting and adjust coverage as needed.
- Conduct “shoe-leather assessments” – This approach involves conducting risk assessment “by walking around.” As the name implies, auditors need to spend quality time with senior management leaders with the intent of learning about new risks as soon as management does. Though they may lack the structure of formal assessments, shoe-leather assessments can uncover vital new information that otherwise may skip detection. It’s imperative that the entire internal audit team develop relationships with all key executives – especially in large organizations with numerous business units – to ensure comprehensive coverage.
- Establish a “bird’s-eye view” – Chambers recommends “setting your antenna as high as possible” to alert your organization as soon as possible about industry-wide changes, economic trends and other external factors. Practically speaking, this means, among other things, attending professional association meetings and seminars and keeping current with industry publications to see ahead of the curve.
Using these three approaches together offers the organization the best protection. They also work well with other key action steps recommended for CAEs in the most recent Common Body of Knowledge (CBOK) Study by The IIA Research Foundation, which echoes Chambers’s advice and urges organizations to develop a more responsive and flexible risk-based audit plan.
One way to help companies not just realize the importance of continuous assessment but fully embrace it is to set new priorities and incentives for the audit team. In other words, make the identification of emerging issues a key performance responsibility for those who report to you directly.
CAEs are encouraged to discuss with executive management and the audit committee the need to make more frequent updates to the audit plan and to establish a clear process for making changes that appropriately address emerging risks.
Businesses have improved their ability to manage risks, and that’s great. Now it’s time for all of us to learn to do it faster.