Introduction
Internal audit functions (IAFs) face risks that must be managed actively if they are to meet the Purpose of Internal Auditing set out in the Global Internal Audit Standards (GIAS) and the Internal Audit Code of Practice (principles 1, 6 and 30). Applying risk management practices to the IAF helps the chief audit executive (CAE) not only manage key risks but also complements quality control, quality assurance and continuous improvement, all of which are mandatory requirements of the GIAS.
This guidance does not describe the risk management process itself; instead it highlights the features that are specific to applying that process within internal audit.
Risk Management in internal audit
Internal audit should apply to itself the same requirements it expects of good risk management elsewhere in the organisation. Producing an internal audit risk register is not an end in itself, but a way of documenting the risk management taking place within the IAF. The register is also a live tool: it supports ongoing consideration of risk through regular reviews and informs decision making.
Documenting the Risks, Controls and their Evaluation
A good risk register should include:
Objective: This may be a strategic objective from the IA Strategic Plan, or a general purpose objective for the internal audit function.
Risk Statement: A description of the risk to achieving the internal audit objective, for example ‘insufficient resources’. Risk statements should be detailed enough that individual controls can be mapped to the risk. Each risk should have a unique reference and may be categorised to identify themes and areas needing attention.
Causes: A description of the causes that could lead to the risk materialising, for example ‘recruitment freeze in place for replacing vacant roles’. This need not list every cause, but should include the most significant ones.
Impacts: The consequences should the risk occur, for example ‘unable to complete the internal audit plan’. There can be numerous impacts, some more significant than others. An impact can itself be another risk, reflecting the domino effect of risk.
Inherent Risk Severity Rating: Assessment of the risk's impact, likelihood and velocity. The matrix used for this can be the same as for risk assessing other parts of the organisation, one provided by risk management, or one designed specifically for internal audit. It should consider the different categories of impacts such as financial, compliance (with GIAS and the Code of Practice), delivery of the internal audit plan and so on.
Mitigating Controls: Actions put in place by IA Management to manage the risk. Each risk must be mapped to one or more controls. Controls should be linked to relevant parts of the GIAS or regulatory requirements. Quality risks, such as incorrect audit opinions or untimely reports, can be included. Controls should be assessed for design adequacy and operational effectiveness. For example, ‘Audit Committee approves financial budget for internal audit’ (GIAS Essential Condition).
Control Owner: Person responsible for the control, such as the CAE or for the above example the Audit Committee. A control owner should be specified for each control, responsible for confirming the control's accuracy and results. The control owner is also responsible for any actions resulting from the control assessment.
Control Operator: The person who performs the control, who may be different from the control owner. For example, while the CAE may be the control owner of the quality assurance process over internal audit engagements, the process is operated by the Internal Audit Manager / Lead.
Residual Risk Severity Rating: The same assessment method as for inherent risk, but this time taking into account the design of the controls. For example, does the Audit Committee approving the financial budget override an organisation-wide recruitment freeze, and does the residual rating therefore differ from the inherent one?
Control Results and Actions: Controls need to be assessed for their ability to mitigate the risks they are mapped to. Where further action is needed, document it separately so that progress can be tracked, and make each action SMART (specific, measurable, achievable, relevant and time-bound), with a named owner and a due date. Differentiating control results (for example, design inadequate versus operating ineffectively) helps prioritise remediation. Once an action has been completed, revisit the risk assessment: has the action had the desired effect and moved the residual risk to within the audit committee’s risk appetite?
When moving through this process and building the risk register, each component must serve a purpose, otherwise it adds administrative overhead without adding value. The risk management process should be formally documented in the internal audit manual, with responsibilities clearly assigned for its development and ongoing maintenance.
Developing the risk register
There are a variety of ways to develop the risk register and there is no ‘one-size-fits-all’ solution. Some CAEs prefer to draft it on their own and then consult their team; others workshop it with the whole team; some delegate it to an audit manager, which can be a valuable development opportunity. Each approach has pros and cons, so the CAE should understand and mitigate the drawbacks of whichever is chosen.
The right method depends on the size of the internal audit function and also on its maturity. A small IAF may not be able to spare a day-long workshop for the entire team, while in a very large team a single workshop can be impractical because there are too many voices. Where there is potential conflict within the team culture, a workshop can also heighten tensions.
Where the CAE builds the register in isolation, the questions are whether they are close enough to the internal audit processes actually being operated to assess the risks using real data and information, and whether their objectivity is compromised because they own the control framework being assessed.
Update and Maintenance
Regular review of the register and monitoring of action status against risks are key. The risk register should be reviewed at least every six months. The risk register owner is responsible for the completeness and accuracy of risk statements, controls and actions. Ideally a single individual oversees the register, to prevent duplication and drive remediation; the underlying activities can still be completed collaboratively, particularly where internal audit teams are large or dispersed and risk assessments vary from team to team.
Audit Planning and the Audit Committee
The risk register is a valuable tool for informing the internal audit strategy and therefore audit planning, resource requirements and the identification of skills gaps. The CAE must communicate and interact directly with the board (audit committee) and ensure the risk register is on the agenda for discussion as part of the internal audit strategy work, and also at intervals in between, as the risk assessment supports both the internal audit plan and the annual internal audit report on performance.
Top Tips
- Align the risk register content with the internal audit function's objectives and strategy, which are in turn aligned to the organisation’s strategy. This ensures that the risks reflect not only the audit committee’s risk appetite for internal audit, but also the risk appetite of the organisation as a whole.
- Scale the risk register to the internal audit function's size and complexity. There is no ‘one-size-fits-all’ solution, and a risk management process that draws too many resources away from delivering the internal audit plan is not adding value.
- Assign a single owner for the risk management process, responsible for oversight and maintenance while delegating to and collaborating with other members of the IAF as appropriate.
- Document and follow the risk management process. Role-model good risk management for the organisation, and remember that producing the register is not the end goal.
- Avoid duplication. The risk register, the quality assurance and improvement programme (QA&IP) and other quality management documents and processes can overlap, so keep sight of the boundaries and cross-reference where appropriate.
Conclusion
A risk register helps manage the internal audit function's risks systematically and robustly. It drives holistic risk management across internal audit and demonstrates that internal audit follows the same good practices it recommends to management.