Risk based internal audit planning
The IIA's standards require us to prepare a risk based internal audit planning. However, if risk assessment and management is not (yet) embedded in your organization, it requires a concerted effort from the auditees to provide you with the relevant information. Given this is not necessarily a priority to them, are there more efficient ways to gather more relevant information you need for risk based planning without overburdening your auditees?
Defining the auditable space
In the end, our assurance role as internal auditor is to provide assurances to the audit committee, the board and management. We developed the risk control matrix to properly segregate the responsibilities of management and the responsibilities of internal audit:
- internal audit is responsible to provide assurance in the high risk areas where management considers the risk management measures to be adequate;
- internal audit is responsible to assess the relevance, appropriateness and effectiveness in the low risk areas where management may have provided too many risk management measures;
- management is responsible for developing actions plans for high risk areas where risk management measures are considered inadequate;
- management is responsible for monitoring issues in low risk areas where risk management measures are low, to ensure timely identification and management of emerging risks;
The risk control matrix is a good concept, but how do we ensure completeness of identification of all elements that need to be included in the matrix? In talking with the both the actual and the ad-interim head of internal audit at the Belgian federal government service Mobility & Transportation, we came up with the following ideas.
Identifying risks related to action plans
Action plans are developed when management deems specific risk management measures inadequate. Action plans are prioritized, ideally as a function of the risks they aim to cover. Hence, the identification of risks in quadrant I comes down to the identification of which risks the current action plans aim to cover. A good approach would therefore be to either ask management which risks they aim to cover with a specific action plan. An alternative would be to read the action plan and identify the risk which should at least be referred to in that action plan.
I am aware completeness of identification is not assured if the budgets are not adequate to fund all required action plans. I would at least expect management to have developed a list of future actions to be taken, which can be traced back to the risk we need to identify.
The assurance function of internal audit in this risk control matrix quadrant is limited. We can assess the relevance and adequacy of action plans, however, given it is the discretion of management to manage the business, and given they know there are issues, our assurance contribution would be limited. We can act in an advisory capacity, as long as this does not influence our independence and objectivity now and in the future.
Identifying risk related to measures deemed adequate by management
Quadrant II and III of the risk control matrix is where the core assurance function of internal audit is situated. Again the question occurs how we can best (as complete as possible with minimal disruption of day-to-day activities) identify the relevant risks? A suggested solution to bring the questioning our of the theoretical realm of risk to the level of day-to-day operations is to ask management to provide us with a list of risk management measures they deem adequate. The measures need to be linked to processes (elements of the audit universe) in order to allow for development of risk based, process related audit programs. We would identify risk by asking management to explain why they have taken these measures. The why is often the relevant response to which risk a control aims at covering.
Our assurance function then needs to focus on both assessing the adequacy of the risk management measure as it relates to the risk as well as the completeness of risk coverage. But how are we sure that all relevant risks under responsibility of the different members of management have been appropriately identified, assessed and covered?
Closing the risk gap
Based on the above, we now know which risks management covers with its action plans. These are reactions to risks the consider inadequately covered. We also know which risks they consider relevant and adequately covered as they offer these to us for auditing. But what about the risks not identified.
Here, we need to revert to the risk identification model, but not as a full-blown identification tool, but rather as a trigger list. A trigger list is a list which a manager reviews on a regular basis to assist him in jogging his memory on exposures known but not formally identified. If by going through the risk trigger list a manager would discover a risk not formally identified in the prior assessment, there are a couple of possible outcomes:
- The risk is known, managed, but not formally identified. This is an issue linked to formalization which does not necessarily leads to a specific exposure.
- The risk is known, not formally identified and not managed. This could indicate an exposure to be managed. Risk severity will impact the urgency.
Rather than having management and their collaborators go through a theoretical exercise each year, we can use information generated by them in the course of their day-to-day activities as a good basis for risk identification and prioritization. This would allow us to reduce the effort required from management in risk identification as well as reducing the effort we need to put in risk assessment for audit purposes.
This approach does not alllow for identification of the so-called Black Swans. I am a taker for any good solution that would not influence the efficiency of my audit planning process.