The Professional Standards of the Institute of Internal Auditors, which are now also enshrined within the Public Sector Internal Audit Standards, require the Chief Audit Executive (CAE) to establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organisation’s goals. To satisfy this requirement fully, internal audit planning must be aligned with the organisation’s risk management process and therefore with the risk appetite of the Board.
Ideally, risk appetite will be defined in terms of a series of statements which set out what the Board is not prepared to allow to occur within the organisation. These are often termed “Never Events”, but they may also be framed positively as statements of what matters most: certainly achieving financial targets, but perhaps also avoiding health and safety incidents, delivering quality services or achieving green targets.
Whatever the corporate objective, internal audit needs to recognise the value of “Control Risk”, defined here as the difference between inherent and residual risk. This is an indicator of where the mitigation process has had most effect, not necessarily in terms of reducing the impact score but certainly in terms of reducing the likelihood that an identified business-critical risk will occur.
In internal audit planning terms, resources can therefore be directed to three key areas:
- Where Control Risk is greatest. This indicates a need to verify that the key controls are working as intended and that the assurances available to the Board are robust and timely.
- Where Control Risk is nil, i.e. inherent and residual risk are the same. Does this mean that the key controls have little effect, in which case the Board has to settle for the residual risk?
- Where the residual risk is shown as above risk appetite, often flagged as red. In these areas, timely involvement in the remedial action proposed, or assurance that it will achieve the desired outcomes in the timeframe stated, should be invaluable to the Board.
All too often, internal audit is unable to rely upon the structure, timeliness and detail contained in the organisation’s risk management framework, particularly at an operational level, and so invents its own assessment of risk. This may satisfy professional standards, but how does it help the organisation improve the effectiveness of its own risk management process?
Embedding risk management successfully throughout the organisation depends upon guiding managers and staff regarding what matters across the entirety of its operations: certainly in terms of production, service delivery and clients, but also in terms of back office considerations such as finance, technology, people or estate risks.
Much better, perhaps, if the CAE were to use RiskMate’s structured approach to defining risk impact, as this would provide a basis for communication with the Board and Executive management regarding the inherent risks to which the organisation is, or may become, exposed.
Internal audit can then become a catalyst for introducing an effective three lines of control approach by:
- Identifying the policies and procedures that exist, in order to highlight the key controls that are being relied upon and which should be tested, and
- Collecting information, as required by Standard 2050 (Coordination and Reliance), regarding the assurances that are available from other providers.
Through the use of RiskMate as an internal audit planning tool, the CAE can then influence discussions concerning not only whether the controls in place and the assurances available are adequate, but also whether the Board is focusing on the most appropriate risks.
In turn, this will direct internal audit resources, at both the strategic planning and the assignment level, to those areas where the greatest need exists, whether for independent assurance regarding control risk or for internal audit’s assistance from a consulting or advisory perspective.