Effective Risk Mitigation: Integrating Assurance and Internal Audit

The areas of risk identification and mitigation have exploded for organizations since the turn of the new millennium. Cyber threats, financial exposure, reputational integrity — all are areas of focus by boards and stakeholders looking for efficient and effective solutions.

An integrated risk-based approach to assurance driven by internal audit and applied to governance, risk management and internal controls delivers efficiency by supporting informed decision making and effective resource allocation. It helps to ensure the organization is focusing its assurance and audit efforts of either key risk exposures or key controls/mitigation strategies. Benefits include a clear view of vulnerabilities, opportunities and value drivers.

Yet many organizations fail to implement an integrated approach or do so ineffectively. The following steps will help your organization reach the level of assurance and risk mitigation required to succeed in today’s complex business environment.

GETTING THERE

A successful integrated approach starts with a robust organizational risk assessment. This enables internal audit to focus on areas of highest risk and greatest value to the organization when planning its risk-based internal audit plan. 

Understand the Risks: Start by reviewing and understanding your organization’s strategic priorities. Know what the organization wants to accomplish and by when. When your objectives are specific, achievable, realistic and have an associated timeframe, you can better assess the risks to the organization and what could prevent it from being successful. Through this exercise, understand not only the key risk exposures the organization is challenged by, but also the critical controls that help to mitigate the risk exposures. Internal audit’s focus should be ensuring management is addressing key exposures, as well as ensuring critical controls are designed and operating effectively.

Establish a Plan: Based on the risk assessment, develop a robust one to two-year internal audit plan to ensure the areas of highest risk and of critical importance – the areas that provide the highest value – in your organization are addressed. These internal audits may be a combination of compliance, consulting, value for money, internal controls, forensic or program reviews.

Collaborate and Coordinate: Most organizations have separate compliance, reporting and assurance functions which operate discretely from risk management (and internal audit). By connecting and collaborating with these assurance and compliance functions, internal audit can be the main conduit in coordinating the various assurance and compliance activities and avoiding duplicate reviews. This increases overall audit and compliance efficiency and reduces audit fatigue. An integrated assurance approach also ensures critical risk exposure are covered off either through internal audit or other assurance functions. Developing a comprehensive view of assurance activities across all providers (including internal and external audit) linked clearly to organization-wide risks drives a robust plan for risk mitigation across the organization.

EXTERNAL ASSURANCE PROVIDERS

In addition to integrating internal assurance and audit functions, coordinating with external audit can save time and reduce costs to an organization. Internal audit engagements can be aligned with external audit allowing external auditors to leverage the work of internal audit in the areas such as internal controls over financial reporting or testing of IT controls.

For instance, organizations who receive grants from third parties can leverage an integrated audit approach (led by internal audit) focusing on grant and funding requirements being met either in support of or in advance of an external compliance audit. While this reduces the costs associated with an externally provided compliance assessment, it also decreases both the demands on management having to work with an external compliance auditor and eliminates the element of surprise if internal audit has already identified any unmitigated exposures or gaps and management is already actively addressing these. In that vein, internal audit can work with departments to ensure they know what the grant agency’s compliance requirements are, that an appropriate system of controls is in place and operating effectively and prepare for any external audit requirements in advance.

BENEFITS

In doing so, internal audit furthers its reputation as a trusted advisor of senior management providing the analysis and insights needed to minimize risk, and more effectively deploy resources.

For more information, contact Maggie Kiel, National Leader, Governance and Risk, at 403.537.7624 or [email protected]