Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA
Chief audit executives (CAEs) cannot forget the importance of the audit risk assessment (ARA). The basics of internal auditing always start with the assessment of audit risk. This is the foundation for the audit work plan and the deployment of resources for the year. However, in these difficult economic times, many audit departments have become reactive and have difficulty seeing the entire picture. Additionally, many audit departments become complacent and routine oriented. Internal audit (IA) departments should not lose sight of the importance of the ARA and its tangible and intangible benefits to the company and the department.
The Institute of Internal Auditors (The IIA) standards are what guide IA departments on basic principles. As outlined here, the standards are explicit as to the importance of the audit risk assessment:1
As noted in the extracts from The IIA standards, audit departments are required to perform an audit risk assessment annually. The risk-based priorities must be consistent with the organization’s goals, which many CAEs tend to overlook at times. Although internal audit is an objective and independent body, it wants to improve the organization through a risk-based conscience.
As outlined in the standard interpretation, the audit risk assessment is guided by the risk appetite of management and the audit committee. This process is very similar to the enterprise risk assessment (ERA), which is the assessment of risk for the enterprise risk management (ERM) process.
ERM is defined as a process “affected by an entity’s board of directors, management and other personnel; applied in strategy setting and across the enterprise; and designed to identify potential events that may affect the entity and manage risks to be within its risk appetite and to provide reasonable assurance regarding the achievement of entity objectives.”2 Accordingly, internal audit typically does not own the ERM process, but can be integrally involved. Internal audit can assist management and the board/audit committee in the process by:
Additionally, internal audit can provide key assistance in the assessment of enterprise risk, as the process of interviewing/questionnaires, compiling results and ranking risk is similar to the ARA. The focus of each is slightly different; the ERA takes a more holistic view of the risk for the entire organization, while the ARA is focused more on risk that is auditable. For example, the ERA focuses on risk areas that could hinder the overall success of the organization. Many areas of risk are not auditable. On the other hand, risk that is auditable should be addressed in the ARA. However, IA involvement in each risk assessment process can be extremely beneficial. Some of the underlying benefits to IA of conducting risk assessments include:
Those internal audit shops that do not value the formal assessment of risk on an annual basis omit the impact and significant exposure that not performing an ARA may bring to management. In many instances, this might be the most in-depth conversation IA will have with some key personnel throughout the year. Additionally, the more people are engaged with IA, the greater the chance of building a trustworthy relationship. Without trust, IA will have a significantly more difficult time penetrating the proverbial wall between management and IA and building a strong advisory role inside the organization. To truly provide value inside an organization, IA needs to have a strong rapport with management. An audit department that is valued and trusted inside an organization is more likely to receive incoming calls to assist departments, as needed. This cannot happen without the face time involved in the risk assessment process.
Shelby Faubion, a CAE of a global defense services provider, said, “As a service function within an organization, IA must market its services with its customers as any service provider, internal or external. Its customers must understand the nature of services offered and the value they receive for their effort. To remain relevant, IA departments should establish and deliberately execute customer relationship management plans with accountability clearly defined. If a CAE only has contact with his/her business leaders annually, the CAE probably does not really know what is going on with the business. Many organizations today are rethinking their strategies and are looking to enter new markets, which poses new risk to their organizations. Businesses that are to survive and thrive in the current marketplace are likely seeing significant shifts in strategy.”
Without performing a risk assessment, IA is at risk of losing its relevance. Whether the organization is seeking to enter new markets, leverage new technologies (e.g., social media, cloud) or expand its business portfolio organically or inorganically, IA has a role in helping the organization understand and prepare for the associated risk implications. Ultimately, if IA cannot effectively articulate how its work relates to the company’s goals and strategic objectives, it may indeed have lost its relevance to the company.
Finally, many internal audit departments get stuck in an extended audit cycle. The audit cycle can be very long and arduous and, in many respects, never ending, even after audit follow-up. To be a true advisor to the organization, continuous monitoring and recommendations are critical. On the other hand, it is easy to get caught up in this never-ending audit cycle. When audit departments are busy throughout the majority of the year, the fourth quarter rolls around and there are too many audits to get through to complete the ARA. As a result, by the time year-end comes around, the ARA process is internalized and reproduced from the prior year.
However, performing a more formal ARA helps audit refocus its efforts on the true risk areas and goals of the organization. Understanding risk, with consensus from all parties as to the risk exposure reported, helps the audit activity understand the point of view of management and how best to assist the organization.
Many internal auditors do not perform the annual risk assessment because there is an innate belief that there is little overall control of the audit schedule. Shops tend to reproduce the work from the prior year or budget hours based on man-hours available rather than actual risk to the organization. Additionally, it is not the audit department’s responsibility to budget to man-hours rather than organizational risk. Audit’s role is to outline the risk and exposure to the organization and allow the audit committee to determine whether additional resources are necessary. If audit budgets are based only on man-hours available, the audit committee will never fully understand the risk to the organization and the risk areas not addressed.
One way to assist audit departments in alleviating this stress at year-end is to establish ample amounts of audit flex time in addition to creating an audit plan based on risk to the organization. Flex time is the part of the audit schedule that is grayed out and establishes flexibility in the audit plan. The audit department should identify specific audits to conduct if the schedule does not change, but most organizations find that the schedule always changes. For example, fraud investigations are difficult to plan for, and there are special request audits that cause changes to the original plan.
Finally, 2010.A of The IIA standards states that risk must be assessed at least annually. However, in today’s current depressed economy, is it sufficient to assess risk only annually? Many organizations have evolved to more of a continuous risk assessment, in which audit activities identify and evaluate companywide risk levels by examining trends and comparisons within a single process or system throughout the year. An example of this is when results are compared to their past performance and other business systems. Ongoing trending of business and compliance metrics (including profit margin, earnings before interest and taxes [EBIT], win rate, open positions, days sales outstanding, hotline complaints) can help to identify problems in their early stages, according to Faubion. Used by IA as a tool, an ongoing risk assessment can help IA proactively respond to risk indicators and, in turn, help the company minimize exposure. In summary, risk assessment is a valuable tool to proactively leverage risk indicators to prioritize a company’s limited IA resources.
In practical terms, IA will utilize computer-assisted audit techniques (CAAT) (regardless of sophistication) to monitor risk. This would entail monitoring key indicators/ ratios that could change the risk profile of the organization, which, in turn, would alter the ARA and the audit plan. Having sufficient audit flex time in the audit plan will give the department flexibility to alter its plan in an efficient and effective manner.
Internal auditors should not underestimate the importance of the internal ARA and completion of the formal process at least annually. The exposure and relationship development opportunities with management are endless and, in these times of consistent financial pressure, staying on top of key organizational risk areas and goals is one of the most important steps that continue to add value. Regardless of the benefits, performance of the ARA at least annually assists audit in right-sizing expectations and refocuses the department on the goals and objectives of the organization.
1 Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Standards), January 2011, www.theiia.org/guidance/standards-and-guidance/ippf/standards/ 2 Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management—Integrated Framework, 2004
Danny M. Goldberg, CISA, CGEIT, CCSA, CIA, CPA, is the professional development practice partner at Sunera (www.sunera.com), an international corporate governance, risk management and regulatory compliance firm. Prior to joining Sunera, he founded SOFT GRC, an advisory services and professional development firm. Goldberg has more than 15 years of audit experience, including five years as a chief audit executive/audit director at two diverse companies. He is a noted author, accredited as the professional commentator on the publication BNA Tax and Accounting Portfolio, Internal Auditing: Fundamental Principles (Accounting Policy and Practice Series), and coauthor of Sawyer’s Internal Auditing.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2012 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.