Internal audit has always played a critical role in risk management. As senior leaders in departments from IT to finance scope and tackle risks, internal audit helps ensure that these risks have been well handled.
In today’s world, effective risk management has become increasingly critical to business success. Security breaches threaten regulatory compliance and customer trust. Compliance issues threaten exorbitant fines and legal expenses. Meanwhile, supply chain disruptions and vulnerabilities can cause efficiency to plummet and operating costs to balloon.
What if you knew immediately which issues were the most important, and you could identify and remediate these issues before they escalated?
Internal audit can play a powerful role here, too — with the right approach.
Proactive Versus Reactive Guidance
Traditionally, internal audit has taken a reactive approach to risk management: reviewing and analyzing data, evaluating governance processes and internal controls and so forth. But the department’s oversight role makes it well positioned for proactive risk management as well.
Diligent outlined the situation in a blog about proactive vs. reactive governance. “Reactive governance means acting to address an issue or resolve a problem before it becomes a crisis. Proactive governance means acting to avoid ever having problems in the first place.”
Proactive governance exists when a board is made aware of a risk’s magnitude, the probability of the risk’s occurrence and the best course of action to pursue for risk evasion.
Here’s why such an approach is so vital for internal audit today and how internal audit teams can make the shift.
A Fresh, Forward-Looking Approach
Traditionally, internal audit teams carry out audit plans within a strict time frame. This means an audit plan may not necessarily cover the most recent or pressing threats to the organization, like an emerging cyber attack, supply chain vulnerability or development in the geopolitical or economic landscape.
With a risk-based approach, by contrast, the audit team addresses and reports on risk throughout the audit lifecycle, so their organization’s senior management is equipped for informed decisions as events happen, not after the damage has been done. And this is just one of the many benefits.
“Risk-based auditing puts the risk universe at the center of the auditing strategy,” writes Ideagen, which provides software to companies in highly regulated industries.
By connecting internal audit activities more closely to ongoing risks, and on a more continuous basis, organizations can more effectively allocate their finite attention and resources to the issues that matter most. Meanwhile, internal audit expands and elevates its own role: keeping the organization aligned on risk management strategies, ensuring consistent communication and evaluation, and providing proactive guidance.
It’s a win-win for audit teams and the organizations they serve. By delivering more thorough, regular, forward-looking reports, internal audit teams gain more support from leadership. Organizations, in turn, are more cognizant of evolving threats, more resilient in the face of uncertainty and more likely to achieve their business objectives.
Putting Risk-Based Auditing Into Practice
Making the shift to risk-based auditing may seem daunting, particularly given the complexities of audit, business operations and today’s risk landscape. But there are many steps internal audit teams can take to make the transition easier.
For optimal business value, proceed in an incremental and strategic fashion. Look at your projects, IT systems, business functions, departments and assets. Which of these are large enough that a risk-based auditing approach would have a noticeable impact, and which are most likely to contribute to overall organizational goals?
Look at your vulnerabilities: From fraud and collusion to cyber attacks and natural disasters, where does your focus area have potential issues in terms of compliance and security? Scan the environment, conduct research and talk to people, including your board, management and key process owners. Then assess the likelihood and impact of the risks in question: financial, reputational, operational and beyond.
Look at your controls: Even with established controls for managing key risks like fraud and compliance issues, overly complex workflows, manual or non-existent processes, evolving updates and employee turnover can cause red flags and remediations to slip through the cracks. Assess these controls for deficiencies. Even more importantly, understand how controls are designed and used, so you can assess their effectiveness in risk identification and mitigation.
Assess and document risk regularly: Particularly compared with tick-box audits that only happen once a year, frequent risk-based assessments can accomplish many things. You can see how well employees understand and comply with regulations, know where knowledge gaps require more education and keep risk and compliance at the top of everyone’s minds, for example. You can also achieve more insightful and actionable high-level visibility across the organization.
Ongoing documentation and reporting provide multiple advantages as well. Audit teams have thorough records for tracking activities and planning improvements, and organizations have tangible evidence for demonstrating compliance should an issue occur.
Risk-based auditing is the way of the future, for both internal audit teams and the organizations they serve. “Not only are examiners expecting to see completion of an internal audit plan, but examiners are also expecting to see a risk-based approach on how you determined your coverage,” writes advisory firm CliftonLarsonAllen.
“Risk-based audits are invaluable at a time of uncertainty,” Ideagen declares. Furthermore, “with senior management also closer to this process and understanding how audit’s recommendations support their business objectives, they are more likely to appreciate the true value of internal audit and take greater ownership of risk.”
Ready to Start the Shift to a Risk-Based Approach?
The right technology can help, automating the audit lifecycle from end to end and making it easier to systematically define and assess specific risks and controls. Learn more about Diligent’s risk-based auditing solutions today.