4. Expand input from other risk-related functions
It is becoming more and more common for both internal audit teams and enterprise risk management to share risk information and knowledge. One of the key benefits of this practice is the ability to strengthen risk assessments by increasing input and involvement from other functions across the organization. The stronger the input into the risk assessment process, the stronger the coordination and alignment of risk assessments with other risk-and-control units.
Often, the areas that provide the most input into the internal audit risk assessment process typically fall into the categories of Enterprise Risk Management (ERM), Compliance, Technology, Finance, and Legal. Although this may be a challenge to fully embrace and enhance knowledge-sharing and coordination between risk and control functions, the benefits cannot be overstated. The results from this sharing environment often result in being better equipped to identify, evaluate, and implement new and evolving plans to mitigate and manage risk.
5. Enhance your risk assessment planning techniques
The techniques being employed to conduct risk assessments continue to evolve in terms of technologies deployed, sophistication, and expansion beyond the traditional dimensions of impact and probability. Technology is being used more fully to support the risk assessment process and as a medium to store risk-related data. The application of data mining and data analysis, as well as the use of risk dashboards and other visual techniques, continues to gain traction as internal auditors seek to increase the frequency and effectiveness of their risk assessment processes.
Consider including the following in your risk assessment process:
- Comparison with risks identified in prior assessments
- Feedback or data from units outside internal audit relating to significant risk issues or incidents
- Monitoring of Key Risk Indicators (KRIs)
- Data or statistical analysis
- Comparisons with the organization’s stated risk appetite
- Assessing the impact of innovative or disruptive technologies
- Comparisons with risks disclosed by peers or competitors
- Alignment with the organization’s public financial reporting risk disclosures
- Scenario analysis
- Use of forecasting or other types of risk modeling
- Stress testing against major economic assumptions
In addition to enhancing the risk assessment process, internal auditors should also be focused on enhancing their results reporting. Although many auditors continue to rely almost exclusively on Microsoft Word, Excel, or PowerPoint, many more are actively searching for or already utilizing new approaches to risk reporting, including heat maps, risk dashboards, and combined reporting with an ERM function. What's more, internal audit teams have incorporated data visualization tools, such as Microsoft Power BI, as key enablers to add visual impact to their risk-reporting efforts and to convey key messages in a more understandable and digestible manner.
It should come as no surprise, stakeholders respond to clarity. They value and appreciate when end-of-audit reports are concise. An internal audit team needs to provide risk assessments and audit planning processes that are thorough, professionally managed, and provide key stakeholders with the information required to better assess the risks the organization may be facing. There is much to be gained when an internal audit function and its key stakeholders share a collective understanding of the major risks facing an organization and the best ways to address them.
TeamMate+ is a global expert solution for end-to-end audit management that helps auditors and audit leaders execute and manage the audit workflow. No other tool has the depth or functionality that TeamMate+ has in terms of risk, planning, resource management, engagement management, analytics, issue tracking, and reporting.