
Risk Management and its relevance to new Global Internal Audit Standards

The internal audit profession should now be well aware of the worldwide consultation that has been conducted by the Institute of Internal Auditors Inc regarding new standards for the profession to be introduced in 2025.

For some, if confirmed, the proposals will simply enshrine good practice; for others, and the organisations within which they work, the implications will be far-reaching, even frightening. In practice there is nothing new; however, the underlying explanation that is provided should leave no doubt that internal audit, and the assurance that it provides, must be firmly rooted in understanding and helping to embed a robust risk management framework within the organisation.

Previously, there was certainly recognition of the need to focus on significant risk; this is now at the forefront of future provision, with every aspect of internal audit (communication, planning, delivery and reporting) reflecting on the significant risks that the organisation faces at a strategic and operational level.

Its relevance is also up-front: the glossary refers to inherent and residual risk, bringing the three lines of defence theory to life and into internal audit standard practice, and further suggesting that the Head of Internal Audit should lead on effective assurance mapping within the organisation's Business Assurance Framework (BAF). Although it is recognised that this is not routinely accepted as best practice by many organisations, it represents the fundamental basis upon which an Audit and Risk Committee can place reliance in order to fulfil its governance responsibilities, including providing assurance that the organisation has a robust risk management framework.

It is, though, the prominence given to ‘significance’ that is likely to cause most concern for internal audit professionals. This is not only because organisations consistently struggle to agree and report upon what is, or could become, significant, but also because internal audit has a tendency to ignore the corporate view and decide for itself what it thinks is important, often confusing significance with priority. As a result it is content either to focus on what it is comfortable reviewing or to report on matters which management are likely to accept.

The proposals, therefore, are that internal audit maintains an active and informed dialogue throughout the organisation, a ‘boardroom to basement’ style approach which not only ensures that internal audit has a firm understanding of the risks facing the organisation, but also that the Head of Internal Audit is active in driving their routine identification, analysis, treatment and monitoring at all levels.

Implicit in this concept, of course, is that a consistent view of what is actually significant exists at every level, one which eliminates personal perception or judgement and grades risk impact in accordance with the corporate view of risk as established by the Board within the Risk Management Strategy.

This necessitates agreement on which categories of risk impact will be used (Reputation, Finance, People, Technology, Services, etc.) and how many levels of risk impact will be used; experience shows three to five to be the most common, although more sophisticated models exist, with up to ten. Perhaps these only seek to confuse?

Often, an even number is preferred, four usually, as this forces a decision – is the matter significant or not?

Of course, this is only half of the task, as likelihood then needs to be considered; however, from an internal audit point of view, agreeing potential impact with clients through the use of the organisation’s own view of impact is a major step forward, as at least the discussion of findings and remedial action can begin from an accepted position.

This should not be based on any single risk category; while the initial risk may relate to technology, the ultimate risk may be financial or reputational and therefore, considering risk in terms of its highest potential impact or cumulative effect must be the basis for agreement.

In some sectors, particularly where there is political influence or cultural resistance, this may be challenging, but the need for increased transparency at the Board level has never been greater, and hence the requirement for internal audit to be fully engaged.

The finalisation of internal audit opinions should then be based upon agreement of inherent and residual likelihood. Finding a mutually agreed inherent evaluation is likely to be straightforward: could this happen if there were no controls? Perhaps a yes or no is sufficient.

But whether it could happen here, given the controls in place (or their absence or strength), is more difficult to agree; however, this must be what drives internal audit's conclusion as to whether the organisation is facing a significant risk.

Many teams are now choosing to plot risks and recommendations on a heat map in order to assist the discussion with management regarding the gradings within internal audit reports. Whether influenced by the new Global Standards or simply by introducing common sense into discussions with management, this represents a major breakthrough in the use of the term ‘significant’ in a universally understood language.
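As an added illustration of the grading approach described above (not code from the original article), the following Python sketch assumes a constructed four-point scale for both impact and likelihood, grades each finding on its highest potential impact across categories rather than its originating category, and groups findings into heat map cells. The category names, the significance threshold and the sample finding are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed four-point scales (an even count forces a significant / not-significant decision).
IMPACT_LEVELS, LIKELIHOOD_LEVELS = 4, 4
SIGNIFICANT_FROM = 3  # assumption: the upper half of each scale counts as significant
CATEGORIES = ("Reputation", "Finance", "People", "Technology", "Services")


@dataclass
class Risk:
    name: str
    impact: dict[str, int]      # corporate impact grading per category, 1..4
    inherent_possible: bool     # could it happen with no controls at all? yes / no is enough
    residual_likelihood: int    # 1..4: could it happen here given the controls actually in place?

    def __post_init__(self) -> None:
        # Reject gradings outside the agreed corporate scales rather than silently plotting them.
        bad = [c for c, s in self.impact.items() if c not in CATEGORIES or not 1 <= s <= IMPACT_LEVELS]
        if bad or not 1 <= self.residual_likelihood <= LIKELIHOOD_LEVELS:
            raise ValueError(f"{self.name}: scores outside the agreed scales ({bad})")

    def highest_impact(self) -> tuple[str, int]:
        """Grade on the highest potential impact across all categories, not the originating one."""
        category = max(self.impact, key=self.impact.__getitem__)
        return category, self.impact[category]

    def heat_map_cell(self) -> tuple[int, int]:
        """(impact, likelihood) cell; a risk that cannot occur even uncontrolled plots at likelihood 0."""
        likelihood = self.residual_likelihood if self.inherent_possible else 0
        return self.highest_impact()[1], likelihood

    def is_significant(self) -> bool:
        """Significant only when both impact and residual likelihood sit in the upper half."""
        impact, likelihood = self.heat_map_cell()
        return impact >= SIGNIFICANT_FROM and likelihood >= SIGNIFICANT_FROM


def heat_map(risks: list[Risk]) -> dict[tuple[int, int], list[str]]:
    """Group risk names per (impact, likelihood) cell for the discussion with management."""
    grid: dict[tuple[int, int], list[str]] = {}
    for risk in risks:
        grid.setdefault(risk.heat_map_cell(), []).append(risk.name)
    return grid


# Constructed sample finding: raised as a technology weakness, but its ultimate impact is financial.
UNPATCHED_PAYMENTS_SERVER = Risk("Unpatched payments server",
                                 {"Technology": 2, "Finance": 4, "Reputation": 3}, True, 3)
```

Graded only on its originating Technology category the sample finding would fall below the threshold; graded on its highest potential impact it lands in the significant half of the map.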

The promotion of a deeper understanding of both the risk appetite of the organisation and the processes which the organisation utilises to identify, assess and monitor risks must be beneficial.

Fully integrating internal audit planning with the transparency provided by automating the risk management processes would be a further advantage as this would lead to alignment of the levels of assurance as well as recommendation tracking regarding what further mitigating actions were appropriate.