Internal audit and risk management are members of the same family. They share similar DNA. As in life, there are many opportunities for adding value through cooperation between these functional family members.
As you would expect there are similarities in appearance and behaviour. However, like any family, there are important differences. These differences need to be taken into account when organising how to structure the interactions between the two functions. Both functions report to management. However, Internal audit is usually framed as an “assurance function”. The function should be able to perform unbiased assessments and accurately report the results. The internal audit standards emphasise “independence”.
Of course, no one is ever truly independent. The internal auditors, like everyone else, are employees who rely on their jobs. They are subject, like everyone else (and perhaps more so) to the political spotlight. To paraphrase the old joke: “There are bold auditors and there are old auditors”.
The key issue for an internal audit department is being able to recognise and avoid structures and processes that limit their objectivity. As an example, reporting to an executive who is being regularly audited can affect the auditor’s objectivity (for obvious reasons). Another example would be the internal auditor’s designing, implementing or operating key controls that they are then required to audit.
In contrast, Risk Management usually works closely with management. These risk analysts may assist management in their day-to-day risk management activities. In reality, the two functions often sit under the same umbrella and report to the same executive who, not unreasonably, expects the functions to cooperate effectively to maximise their joint value.
For practical purposes, the question is: how should Internal Audit structure its interactions with Risk Management to the benefit of both functions (and the company) without fatally compromising its objectivity?
Use a risk based methodology
It might seem obvious but maximising the opportunities for collaboration are best achieved if Internal Audit uses a risk focus in its audit planning and execution. This focus is achieved if Internal Audit:
- Develops Risk Profiles. A “risk profile” is simply a ranked list of the operational and financial risks (usually negative events) that the areas in scope are exposed to. The risk profiles should form the basis for Annual Planning and the performance of individual audits.
- Measures the levels of exposure through diagnostics. A risk becomes an exposure when its likelihood is greater than zero. There are many ways to assess exposure through gathering data (either manually or through the use of technology).
A useful analogy is an insurance broker dealing with a new client. He or she will gather data – such as value at risk, location and condition of the asset, records of related criminal activity and the past history of claims – before recommending a policy and level of cover.
The sharing of “risk data” can improve the accuracy of risk assessments for both Internal Audit and Risk Management.
- Ensures that “control” is broadly defined. A broader use of the term “control” increases the opportunities for meaningful dialogue with Risk Management. As an example, if an area is exposed to staff injury then key operational controls may include wearing Hi-Vis clothing, training and pro-active supervision. Risk Management may already be gathering related control design and compliance data.
Gavin Steinberg is the CEO of Satori Group and industry expert in Data Analytics, Budgeting, Forecasting and Financial Consolidation, and Continuous Control Monitoring. Gavin’s passion is helping companies to see the value that can be achieved through automation, understanding their data and bringing this to life through visual communication and assurance.