Young female architects working together in architecture studio
ComplianceMay 09, 2023

Five opportunities to enhance your risk assessment

The Institute of Internal Auditors (IIA) released their 2023 Risk in Focus report that examines the top risks and provides several key observations. From cybersecurity and data security to talent management, artificial intelligence, and environmental sustainability, this list further cements the need for internal audit to be aware of, identify, and plan for those risks that directly affect their organizations the most.

Audit teams across the industry are continually seeking opportunities to fine-tune and enhance their risk assessment and audit planning strategies to better manage the dynamic nature of a rapidly changing risk environment. As a good practice, they are identifying and managing any major changes to their strategic risk profile while, at the same time, implementing formal processes that identify and report on any new and emerging risks. Major, external events — including financial crises, war, and political elections — often have a significant impact on a risk profile. But audit teams are also spending time identifying macro risks, such as systemic and macro-economic considerations, that are often evaluated in preparation of the audit plan.

For those that may be new to the industry, it’s important to understand how assessing risk plays a key role in the internal audit process. The focus must be on both current and anticipated practices in three related and interdependent audit functions — risk assessment, audit planning, and reporting on these activities to management and the audit committee. The following are five opportunities that may be considered to help strengthen and refine your risk planning and assessment process:

  1. Sharpen your focus on cyber risk management
  2. Move to a more continuous risk assessment process
  3. Make your audit planning more agile
  4. Expand input from other risk-related functions
  5. Enhance your risk assessment planning techniques

TeamMate+ Audit

Audit management

The world’s leading audit management software - empowering audit departments of all sizes.

1. Sharpen your focus on cyber risk management

One of the greatest technology-related risks is cybersecurity, an area receiving significantly increased focus from internal auditors and their organizations. And for good reason. The potential loss of sensitive or confidential data through a data breach could be devastating to the security, and dramatically affect the positive reputation of a company.

Recognizing the potential impact of cyber risks and their relevance to internal audit risk assessments, it’s not surprising that internal audit teams have changed their risk assessment processes to increase their focus on cyber issues.

Ransomware, as just one example, represents a growing threat. A ransomware attack can have a massive impact on your ability to conduct business, with the fallout significantly affecting customers, investors, and public confidence in your organization. Given the severity of ransomware, the internal audit team should have a seat at the table in helping reduce these threats and other cybersecurity risks. And even though internal auditors aren’t responsible for choosing cybersecurity software and establishing employee training, they can still provide assurances over IT practices and controls.

It is important to determine whether you have the right skills and knowledge to keep up with mounting cyber and other IT risk challenges and to take the necessary steps to find such resources if you do not. Internal audit should consider the organization’s ability to monitor, identify, and isolate potential cyber-attacks, as well as understand the various roles and responsibilities when it comes to this level of crisis management.

2. Move to a more continuous risk assessment process

Given the dynamic nature of risk in today’s business environment, auditors are moving away from a once-yearly assessment of risk in favor of a more continuous or periodic approach to risk assessment.

Internal audit teams that actively leverage technology and adopt the benefits of an Audit Management System (AMS) is one way to facilitate their continuous monitoring and risk assessment initiatives. Activities like documenting risk ratings and rationales, documenting the sign-off process, and employing enhanced visualizations to display audit reports to stakeholders all serve to better capture and monitor risks.

The challenge that internal audit teams are facing when it comes to a continuous risk assessment approach, and the questions they should be asking themselves: “Is our current approach to risk assessment aligned with the dynamic nature of our risk environment? Are we utilizing the tools and technology that are designed to assist us in this process?” If the answer to either question is no, then active planning needs to occur to ensure that your organization’s future risk assessment strategies are met.

3. Make your audit planning more agile

Consider ways to inform and enhance your audit planning process more regularly. Review your audit plan throughout the year to ensure that it is current and up to date with the changing risk landscape of your organization. It’s one thing to update your risk assessment, but adding sufficient agility and flexibility to your audit activities will allow you to respond in a timelier manner and be better aligned with your organization’s risk profile.

Audit leaders are advocating the benefits of quarterly audit reviews to keep up with the changing risk environments. Updating your audit plan every few months is a solid opportunity to address overall changes to the company’s risk profile. These added assessments also help to better position audit teams and ensure that any significant risks that arise will help determine if additional audit planning is necessary.

4. Expand input from other risk-related functions

It is becoming more and more common for both internal audit teams and enterprise risk management to share risk information and knowledge. One of the key benefits of this practice is the ability to strengthen risk assessments by increasing input and involvement from other functions across the organization. The stronger the input into the risk assessment process, the stronger the coordination and alignment of risk assessments with other risk-and-control units.

Often, the areas that provide the most input into the internal audit risk assessment process typically fall into the categories of Enterprise Risk Management (ERM), Compliance, Technology, Finance, and Legal. Although this may be a challenge to fully embrace and enhance knowledge-sharing and coordination between risk and control functions, the benefits cannot be overstated. The results from this sharing environment often result in being better equipped to identify, evaluate, and implement new and evolving plans to mitigate and manage risk.

5. Enhance your risk assessment planning techniques

The techniques being employed to conduct risk assessments continue to evolve in terms of technologies deployed, sophistication, and expansion beyond the traditional dimensions of impact and probability. Technology is being used more fully to support the risk assessment process and as a medium to store risk-related data. The application of data mining and data analysis, as well as the use of risk dashboards and other visual techniques, continues to gain traction as internal auditors seek to increase the frequency and effectiveness of their risk assessment processes.

Consider including the following in your risk assessment process:

  • Comparison with risks identified in prior assessments
  • Feedback or data from units outside internal audit relating to significant risk issues or incidents
  • Monitoring of Key Risk Indicators (KRIs)
  • Data or statistical analysis
  • Comparisons with the organization’s stated risk appetite
  • Assessing the impact of innovative or disruptive technologies
  • Comparisons with risks disclosed by peers or competitors
  • Alignment with the organization’s public financial reporting risk disclosures
  • Scenario analysis
  • Use of forecasting or other types of risk modeling
  • Stress testing against major economic assumptions 

In addition to enhancing the risk assessment process, internal auditors should also be focused on enhancing their results reporting. Although many auditors continue to rely almost exclusively on Microsoft Word, Excel, or PowerPoint, many more are actively searching for or already utilizing new approaches to risk reporting, including heat maps, risk dashboards, and combined reporting with an ERM function. What's more, internal audit teams have incorporated data visualization tools, such as Microsoft Power BI, as key enablers to add visual impact to their risk-reporting efforts and to convey key messages in a more understandable and digestible manner.

It should come as no surprise, stakeholders respond to clarity. They value and appreciate when end-of-audit reports are concise. An internal audit team needs to provide risk assessments and audit planning processes that are thorough, professionally managed, and provide key stakeholders with the information required to better assess the risks the organization may be facing. There is much to be gained when an internal audit function and its key stakeholders share a collective understanding of the major risks facing an organization and the best ways to address them.

TeamMate+ is a global expert solution for end-to-end audit management that helps auditors and audit leaders execute and manage the audit workflow. No other tool has the depth or functionality that TeamMate+ has in terms of risk, planning, resource management, engagement management, analytics, issue tracking, and reporting.

Subscribe below to receive monthly Expert Insights in your inbox

For auditors who are challenged to improve audit productivity while delivering strategic insights, TeamMate provides expert solutions, delivered with premium professional services, to auditors around the globe and in every industry.
Back To Top