A long-time vendor of software for internal audit departments, Thomson Reuters, has published a piece by Noah Gottesman. Prior to joining Thomson Reuters in 2012 as Director of Audit Advisory and Innovation, Noah was with EY (which is where I met him, if memory serves me right). In that capacity, he has performed and managed a variety of internal audits.
Get Your Internal Audit Risk Assessment Right This Year has some good suggestions for the traditional internal audit team. It includes “five steps to turning risk assessment principles into positive actions”, as well as sections on:
- Listen to management: the real opportunity
- Lay the foundations: the importance of a robust methodology
- Know your organization’s risk appetite
- Get into the details
- Plan for success
- Understand the business and its culture
Most will see value in these sections.
But, I have significant issues with the approach and assumptions.
My problem starts very early.
The paper quotes the COSO Internal Control – Integrated Framework:
“…risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives.”
Yet, this quote is followed by a reference to an “annual risk assessment process”.
Buried at the end of page 7 of the Thomson Reuters paper is this sentence:
“With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach, beginning with management interviews and input.”
COSO similarly talks about a “dynamic and iterative process” (almost the same words as the ISO 31000 principle: risk management is “dynamic, iterative, and responsive to change”.
An annual process is NOT dynamic, iterative, nor responsive to change.
Change does not occur on an annual basis. It is all the time, which is why we use the word ‘dynamic’.
McKinsey prefers the word ‘turbulent’, as do I.
Internal audit needs to be aware of and responsive to changes in known risks or the emergence of new risks continuously, not on an annual cycle.
The move to a continuous, dynamic audit plan will be a major change for most internal audit departments. Many are already on that journey and have to adjust from a major initiative focused on listening to executives once a year to monitoring how business objectives and risks are changing.
I wish Noah had talked about the fact that every organization has hundreds if not thousands of risks. An internal audit risk assessment that includes, as he suggests, listening to management at all levels across the organization will identify a great many risks that matter to those managers.
But are they risks that matter to the organization as a whole?
When internal audit focuses on the risks that matter to the organization, provides objective and insightful assurance on how well they are managed, and use their intellect and imagination to work with management to effect necessary changes, amazing things can and do happen.
I believe internal audit should first understand the value drivers and the objectives of the organization. It should then seek to understand the risks (and continuously maintain that understanding) that are critical to the delivery of value and the achievement of corporate objectives.
One excellent question is “what could go wrong” and another is “what needs to go right”.
The risks to enterprise objectives that are identified are the risks that matter.
Those are the risks that need to be addressed in the audit plan.
I, and many other CAEs around the world, believe that internal audit should provide its stakeholders with a formal assessment of the condition of risk management and internal control as they relate to the more significant risks to the organization.
A major element of audit planning is ensuring that sufficient work is performed to support that assessment.
Another dimension to audit planning is whether an engagement will add value. Some risks are well-known and are already being addressed. In those cases, an internal audit engagement will probably add little value.
On the other hand, sometimes there are situations where the risk is seen as moderate but an advisory engagement would add value to the extent that it merits inclusion in the audit plan.
This whole question of the internal audit risk assessment is a tough one. I hope to provide more of my thinking on the topic later.
In the meantime, please share your thoughts on best practices.