Mon, Jun 3, 2024
Enhancing Internal Audit Functions in a Dynamic Risk Environment

Internal auditors help protect organizational assets and reputations and improve business operational outcomes. As risks continue to grow and become more complex, internal audit functions will continue to be under pressure to ensure proper oversight in a dynamic risk environment.

The growth of complex risks has led organizations to hire more internal auditors. According to the 2024 North American Pulse of Internal Audit survey, chief audit executives are currently more than twice as likely to increase staff (26%) as to decrease staff (13%). Even more significant is that 36% of internal audit functions will increase their budget in 2024, while just 13% will decrease it.

To best utilize your growing internal audit tools to improve operational outcomes, consider the following internal audit best practices.

Perform a Thorough Risk Assessment

Given today’s dynamic risk environment, it is important to perform a thorough risk assessment. Even if one was completed in the past year, take the time to review the findings to ensure that they are still current.

Before the assessment starts, determine the scope, including key controls that will be tested. Understand the resources and people you will need, such as experts in the subject matter. Review your assessment plan with senior leadership to obtain buy-in and ensure that all people needed to complete the assessment can participate as needed.

Most risk assessments follow similar steps:

  1. Identify potential threats and hazards. These can range from natural disasters to system outages and cyberattacks. Ask yourself, if one of these threats or hazards materialized, what impact would it have on the business? Where is the organization vulnerable?
  2. Evaluate internal controls that are already in place. Internal controls are processes and procedures designed to minimize risk. An example of an internal control is using a password to access IT systems. Review the policies and procedures for each control to determine effectiveness, and check with stakeholders to be sure they are familiar with the controls where they perform activities.
  3. Determine the potential impact of a threat or hazard. Perform an impact analysis for each threat and vulnerability identified. Determine the likelihood of occurrence and categorize threats and vulnerabilities as having either a high, medium or low impact on the organization. This exercise will help prioritize risks when developing remediation plans.
  4. Determine mitigations and prioritize remediation. Create a high-level view of what mitigating each risk looks like. Will it involve people? Technology? Money? This information, together with the impact level (high, medium or low), will enable you to set initial priorities that can then be reviewed with business leaders.

Create a Risk Register and a Risk Management Dashboard

Once a risk assessment is completed, you will want a way to capture the data you have produced so you can both track the status of those risks and show senior leadership the potential impact if risks should occur.

Long used by project managers, a risk register identifies and categorizes risks and enables the tracking of risks through their remediation plans. The risk register will contain the information you created in the risk assessment, namely:

  • Detailed descriptions of each risk
  • The likelihood of occurrence
  • The potential impact if the risk occurs
  • A summary of the proposed mitigation, as well as a separate column for any proposed remediation date

Once all risks are documented, create a risk management dashboard to raise awareness of the assessment's findings. Placing risks in a dashboard is an effective way to communicate them to employees and senior leadership. The idea is to create a single view that shows how these risks could impact the business.

Start by using the likelihood and impact data to create a heat map. A popular dashboard, a heat map uses colors—typically red, yellow and green—to show potential impact and likelihood. Other dashboards to consider include a risk trend chart, which shows the status of risks over time, and a risk portfolio chart, which shows risks alongside other characteristics, such as how they might impact different parts of the business.

Meet Regularly With Business Leaders

Regularly review the following with business leaders and senior leadership:

Risk Management Dashboard: Ensure that internal audit regularly meets with the business to review ongoing risks and new ones introduced via the risk management dashboard. Be sure to update the dashboard based on feedback so audit plans can be adjusted. Pay close attention to the mitigation plans. Make sure they are reasonable and strive to improve operational outcomes.

Internal Audit Plans: Before starting any audits that will review key controls or determine if approved mitigation plans are having an impact, meet with business stakeholders to review the scope of the audit. This may include the following:

  • Key steps in the internal audit process, including the controls to be reviewed
  • The personnel and SMEs that will need to be included in the audit
  • Draft questions

Be sure to get the appropriate stakeholder approval, especially to obtain the time of any personnel or experts in the subject matter needed to complete the audit.

Audit Outcomes: Engage business leaders to review outcomes. While outcomes may include how mitigations that are now in place have reduced risks, use this opportunity to discuss how internal audit outcomes are driving business goals that align with business strategies. Position internal audit procedures as the primary business function that helps the organization achieve business objectives by actively managing risks.

Best Practices When Planning and Conducting Audits

Consider the following internal audit best practices when planning for and conducting audits:

Run through a pre-audit checklist

Before any work begins, run down the following checklist:

  • Is the audit a part of an approved audit plan?
  • What risks does the audit address?
  • What does the audit schedule look like?
  • Are all team members/experts in the subject matter needed to complete the audit available during the audit schedule?
  • Were these controls or processes audited previously? If so, what was the outcome?
  • If there were any nonconformities, have they been remediated?
  • Are there policies, standards or regulations involved? Do they need to be reviewed?

Review risks and identify areas that need to be audited

Review the current risk register and risk management dashboard. Make sure the risks that are in scope are clearly stated at the beginning of your audit plan. From there, describe the departments using written procedures or regulations in scope for review. Additionally, list all activities, functions and controls that will be reviewed.

Be sure to highlight areas that are complex or may have a higher rate of errors or noncompliance.

Define audit finding threshold levels

Define the audit finding threshold levels in the audit plan. Examples of these are:

  • Observation: This type of finding describes areas of concern or areas that may need to improve. Observations point out things that may turn into a nonconformance over time.
  • Low Severity: These findings are generally minor issues that pose minimal impact. Remediations are often minor improvements as opposed to urgent fixes.
  • High Severity: These findings represent significant risk that requires immediate attention, but their impact is limited. An example is noncompliance with an internal policy.
  • Critical Severity: These findings describe a severe problem that poses both an immediate and significant threat to the organization. Examples of these are violations of regulations or laws, security breaches, or issues that may cause significant financial losses.

Create audit objectives and schedule

Describe the expected outcomes of the audit and prepare a schedule. Be sure to describe a summary of activities that will occur each day. Before finalizing the schedule, be sure all people who need to be involved on certain days are available—obtain a commitment in writing, if possible. Assign roles to all involved, and make sure that everyone can carry out their duties.

Hold a kickoff meeting

Schedule an audit kickoff meeting well before the audit. This will give people and departments the time to gather documentation and prepare staff as needed. Make sure those gathering documentation agree to a start date for the fieldwork in the kickoff meeting. Following an internal audit template can help streamline the strategic planning needed.

Agree upon checkpoints during the audit, including informing senior leadership of progress or reporting on any preliminary findings.

Document preliminary findings

The observations and insights that auditors gain during the audit process should be recorded as preliminary, since they capture what was observed, analyzed and concluded at a particular point in time. This gives those who may be in nonconformance valuable context. It also holds auditors accountable for their work and conclusions.

Preliminary findings will facilitate discussion among auditors and stakeholders to agree upon the threshold level of each finding, its scope and potential impact. This will also lead to remediation plans that can be accepted by all stakeholders.

The final report, typically shared with senior leadership, will now contain agreed-upon, finalized observations and findings with realistic remediation plans.

Learn more about internal audit best practices by exploring these related resources on KnowledgeLeader:

  • Topic Spotlight: Internal Audit
  • Internal Audit Policy
  • Strategic Internal Audit Plan