Internal Audit and Risk

My business partner John and I spend a lot of time talking to Internal Auditors. We ask many questions, gathering feedback to make sure our services are invaluable to more and more of you. In turn, we are asked a lot of questions, as existing and potential subscribers vet us and learn about what we offer.

In the last six months or so, the number one question we are asked is “Do you have Risk Assessments?!” Usually, the Internal Auditor asking us is busy, stressed, and in need of simple tools to tackle this huge task. Bottom line: Yes, we provide a comprehensive suite of documents which auditors can follow to survey leaders, control responses, summarize risks, and ultimately assess risks to build a risk-based audit plan.

But where does Internal Audit’s risk responsibility begin and end? That’s a much bigger subject! Let’s go deeper into the concept to truly understand our role in the risk arena.

What is Internal Audit’s actual risk responsibility? Read on!

Risk and Internal Audit Standards

Sometimes it’s best to start with the Standards. When it comes to risk management, you don’t get far into IIA guidance before risk comes up. It’s in the IIA’s own definition of Internal Auditing!

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate the effectiveness of risk management, control, and governance processes.

IPPF Standard 2120 – Risk Management helps us establish our risk responsibility.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Implementation Standard 2120.C3 (the consulting-engagement standard under 2120) helps draw an important boundary.

When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

We’ve established that the IIA considers us responsible for evaluating risk management, leading to its overall improvement, but refraining from performing risk management duties. Internal Audit is directly responsible for communicating the risks it uncovers, and the risks that leadership has decided to accept. Enter IPPF Standard 2600 – Communicating the Acceptance of Risks:

When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board.

So, communicating excessive risk taking is an essential responsibility that belongs to Internal Audit.

Relax… You are Already a Risk Expert!

While risk management is not your role or responsibility, there are risks present in almost everything you do as an Auditor. You probably ask yourself “what could go wrong?” every time you start the planning process for a new audit or project. Then, you make sure your audit steps are sufficient to identify problems. You communicate effectively when you find issues, or learn that old issues have not been addressed, and have a process in place for getting the right information into the right hands.

Even more basic than this, before you started auditing professionally, you were a risk expert. Learning how to drive a car is a basic risk assessment exercise; purchasing insurance is basic risk management. Travelling, exercising, buying a house, getting married, grocery shopping, and every other task big and small has a risk/reward element. You’ve been assessing and managing risks your whole life, and the skill set to handle all of your risk responsibilities as an auditor is second nature at this point.

Tools from The Library

In order to fulfill your risk obligations, The Audit Library has tools that can help. For a more detailed guide, subscribers can download our Risk Suite Overview & Instructions document. Our “Audit Risk Suite” category of documents contains the following:

  1. Annual Risk & Planning Survey – This document should be sent to every responsible leader, for every line item in your audit universe. The leader rates their risk, alerts Internal Audit to new initiatives and products, and gives their overall risk perspective.
  2. Risk & Planning Survey Control Log – This is a simple spreadsheet to control survey responses. Follow up with leaders, and document all key dates, to ensure full participation.
  3. Audit Risk Assessment Template – The preparer inputs all of management’s responses to the risk surveys, and an overall risk rating auto-calculates. The auditor preparing the assessment then considers the overall rating, documents whether they agree or disagree, determines their own rating, and records their reasoning.

Completing this suite of documents sets the foundation for your annual audit plan. You can read an entire post about Internal Audit planning, budgeting, and time-tracking here. In short, higher risk areas take priority when allocating Internal Audit resources.

As I stated earlier, risk plays a role in almost everything an auditor says and does. When you write up draft audit issues, you consider the risk exposure if they are not addressed. When you prepare for your Audit Committee meetings, you consider the current risks to the company, and make sure you can speak to them. Having a solid foundation, in the form of a comprehensive risk-based audit plan, is absolutely critical.

Risk Management is NOT Audit’s Responsibility!

The IIA has done us a huge favor, and clearly outlined that corporate risk management is the responsibility of your company’s leadership and Board of Directors. Your job is to understand risk, evaluate risk, and communicate when risk taking has become excessive. Let me illustrate with an example.

Say you are the Chief Audit Executive at a financial institution. During your annual risk survey of management, the Chief Lending Officer rates all their categories as low. That’s interesting. You disagree and include a comprehensive lending function audit in your annual risk-based audit plan. You discover that standards have been relaxed, loan defaults are up, and the budget for Loss Management is being cut. When you discuss this with the Chief Lending Officer, they say there’s no risk there. They reject all of your audit findings, despite your pleas for them to take this seriously. You realize it’s time to go to your Audit Committee, CEO, and Board to escalate the issue.

To some, this sounds like a complete disaster. I say… “Good job Auditor!”

You have appropriately responded to the risk of loan defaults. You performed an audit, despite management’s attempt to dissuade you. You diligently tested and completed your audit steps, resulting in meaty issues being reported. Then, you got the responsible leader to put down on paper that they are assuming risks any reasonable person would find unacceptable. You followed your process, stayed in bounds, and now the decision makers can intervene.

My example was obvious on purpose. The risk of loan defaults does not belong to Internal Audit, it belongs to Lending, Loss Mitigation, Risk Management, the C-Suite, and the Board. None of these individuals report to you, but you have their ear, and a platform to help make needed changes. Bravo, take a bow!

… Unless it is!

In my reading of the Standards, they assume a Risk Management function is in place at your company, separate and apart from Internal Audit. In the real world, this is not always the case. I have a handful of clients who serve both Internal Audit and Risk Management roles at their companies, making the audit-risk relationship really complicated! Sometimes Internal Auditors report directly to Risk Management.

If you are one of these Auditors, also responsible for Risk Management, first I would like to congratulate you. Your company has determined that you are a reasonable, professional, and highly competent person. Now, I’d like to take you out for lunch and let you vent, because certainly you spend a lot of time and energy balancing tasks that are often at odds!

The best advice for those in this situation is to draw boundaries. Always know which hat you’re wearing when you talk to others, perform tasks, and speak on behalf of your company. This arrangement is not ideal, but I’m a realist. Not every company can afford separate Internal Audit and Risk Management functions, so do your best with what you have.

Risks Audit MUST Manage

There are Audit risks lurking all around. While they aren’t always as obvious as loan defaults, they are real, and they are your responsibility. Here are some examples:

  • Unqualified or underqualified Internal Auditors
  • Lack of Internal Audit resources
  • Misallocated Internal Audit resources
  • Internal Auditors who are not independent or objective
  • Ineffective Internal Auditors
  • Ineffective Audit Committee members

In order to help mitigate some of the risks Internal Audit must manage, consider adding or continuing the following actions:

  • Pursue higher education programs and professional certification
  • Complete Continuing Professional Education (CPE) courses
  • Advocate for resources at your company
  • Network online and in person (LinkedIn, professional events, etc.)
  • Follow industry publications to keep up with news and emerging ideas
  • Recruit superior Audit Committee members, train them, and cultivate their skills

If you feel you are lacking in any of the areas described, take heart. We can all do better. Truly great Auditors are never satisfied with where they are; they are always learning, thinking, and improving.

Thank you for reading! Now tell us what you think. Are you ever confused by your risk responsibilities, or asked to take on risk duties you believe are inappropriate? Leave a comment and tell us about it!
