
GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR


NOAH GOTTESMAN

ABOUT THE AUTHOR


Leveraging his background in internal audit and internal controls, Noah Gottesman provides industry thought leadership as well as real-world client experiences for Thomson Reuters Accelus. Prior to joining Thomson Reuters Accelus, Noah was a Senior Manager in Ernst & Young, LLP's (EY) Advisory Services Risk and IT Risk practices, where he spent the last thirteen years serving a variety of global clients on their internal audit and internal control needs. He performed risk-based financial, operational, and compliance audits across multiple processes or cycles, including budget and planning, contract / subcontract, order-to-cash, collections and receivables, revenue recognition, supply chain, procure-to-pay, payroll, and financial reporting.
Noah Gottesman

Thomson Reuters Accelus

GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR

FEBRUARY 2014

CONTENTS
A TYPICAL INTERNAL AUDIT SCENARIO
REVIEW STANDARD INTERNAL AUDIT PROCEDURES
LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY
LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY
KNOW YOUR COMPANY'S RISK APPETITE
GET INTO THE DETAILS
PLAN FOR SUCCESS
UNDERSTAND THE BUSINESS AND ITS CULTURE


As the COSO Internal Control Integrated Framework (2013) states, risk assessment involves a
dynamic and iterative process for identifying and assessing risks to the achievement of objectives.
Yet many in-house internal audit functions look at the annual internal audit risk assessment process
as a check-the-box activity, required mainly to be in compliance with the IIA professional practices
framework.
Typically, a three- or five-year review cycle for the entire organization is already in place, and the annual internal audit risk assessment barely scratches the surface: it is merely used to justify minor modifications in the risk-based internal audit plan. Yet the internal audit risk assessment presents an often-missed opportunity for internal auditors to understand their organization's evolving objectives and implement a more dynamic risk-based approach to the internal audit process. Let's take a look at a typical scenario played out every day and see if we, as uninvolved bystanders, can audit the process and see if it falls short in any way.
A TYPICAL INTERNAL AUDIT RISK ASSESSMENT SCENARIO
In advance of this year's risk assessment, the internal audit department reviewed and revised its risk assessment process and the various preparation materials for management participants. The preparation materials included a list of key management participants with their preferred contact method, a list of internal audit risk assessment questions, an announcement letter explaining the importance of the annual risk assessment process, and a presentation that provided examples of beneficial insight received from the previous year's risk assessment.
During the risk assessment, the internal audit staff rigorously captures each of management's remarks in an effort to record every detail, be it quantitative or qualitative. As the scribe, the internal audit staff is responsible for note taking, while the internal audit director asks management a series of questions from the annual list of internal audit risk assessment queries. The internal audit director conducts the interview in a way that illustrates both their tremendous understanding of the business and their ability to not get bogged down in the details. The individual representing management, on the other hand, usually provides general responses highlighting a few generic risks inherent in their business, but not enough for one to actually audit. One of those general responses was around an increase in the organization's credit risk exposure.
REVIEW STANDARD INTERNAL AUDIT PROCEDURES
Does the above description raise any red flags? If not, consider whether you agree with the points below and then review the scenario as an auditor.
Internal Audit Risk Assessment Red Flags:
• It is not clear who benefits from this risk assessment process: internal audit, management, etc.
• The annual list of internal audit risk assessment questions sounds great; however, upon further review, the questions are probably too narrowly focused on what internal auditors want to hear. Rather than a prepared list of detailed questions for a meeting with management, have bullets based on enterprise risk management themes.
• The internal audit director may be immensely knowledgeable about the company, the industry, and other key demographics, but the director didn't do enough to plan for this meeting.
• The internal audit director should have a thorough understanding of the organization's culture. Part of that organization's culture is demonstrated in their willingness to identify ERM risks.
• The director should have also understood a bit more about the organization and the individual from management:


  – How willing are members of management to provide open and honest communication? What are the best modes to request and receive that type of communication?
  – What changes have occurred directly or indirectly around this individual within the past 90 days or year?
  – When did they join the organization? How long have they been in this role? Who are their direct reports? Who do they report to within the organization?
  – Are they directly or indirectly associated with any of the internal controls over financial reporting?
• The risk assessment is the time when the focus should be on the details, especially if the individual representing management is either new to the risk assessment process or is providing responses that are too general.
The internal audit risk assessment is a rare opportunity to demonstrate how the proverbial (internal
audit) special sauce is made. A successful risk assessment procedure will involve the following
actions:
FIVE WAYS TO TURN RISK ASSESSMENT PRINCIPLES INTO POSITIVE ACTIONS
1. Obtain a thorough understanding of the different perspectives of relevant stakeholders, including management. Seeking additional input can help to provide a more holistic internal audit risk assessment.
2. Identify trends or consistent patterns in regard to organizational objectives, strategic plans, and risks.
3. Identify inconsistencies and/or anomalies in the perspectives to determine whether follow-up activities should be suggested.
4. Analyze the results of the above and assess whether enough information has been captured to determine appropriate next steps. If necessary, seek additional information immediately or over time to determine whether refinements need to be made to the internal audit plan of activities.
5. Reference, cross-reference, and reconcile whether the above perspectives were included in the current or future internal audit plan of activities, or marked as "no plan of further activity".
For "no plan of further activity" items, document why and what is preventing further follow-up. This list should be reviewed throughout the year in conjunction with audit findings and the various root cause analyses.
LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY
A precondition to risk assessment is the establishment of objectives, linked at different levels of the
entity. One of the keys to planning and executing a successful internal audit risk assessment process
is to use the activity as a way to listen to management on what is most important for them in the
upcoming year. The internal audit risk assessment is one of the most valuable exercises available to
provide multiple layers of management with the opportunity to share their perspectives of the
organization, of the strategic plans, and the various objectives that they outlined with executive
management and even the board. Another way to look at this risk assessment process is that it
provides internal audit with an opportunity to see how the organizational culture and governance
operate.


The definition of organizational culture has evolved over the years to take on a broader meaning that involves the soft touches: values, beliefs, behaviors, actions, and decisions at all levels of the organization. It is both the management style and the leadership of everyone from the most junior manager to executive management and the board. The impact of organizational culture is immense when it comes to the organization's governance and control environment.
In the scenario outlined here, the internal audit director does not recognize the real opportunity to meet with an individual from management to discuss their agenda. While everyone's time is valuable, a one-on-one discussion with a manager allows internal audit to gain insight into how this individual operates, understands, and responds to their superiors. It also provides the chance for internal audit to see how the organization's strategic plan, annual objectives, and personnel objectives align for a particular member of management. Finally, it provides internal audit with clarity on the effectiveness of the organizational culture and governance processes.
Could organizational culture and governance be included in an internal audit risk assessment survey or some type of group discussion? Yes; however, this would require further planning, interaction with the participants, and other additional activities.
LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY
A good deal of planning involves an organization's assessment methodology or approach. Too often the thought processes behind organizations' assessments are inconsistent, thus creating confusion for the participants, reviewers, and result recipients. The following outlines some of the basics that should be part of a robust organizational assessment methodology:
• Definition for the types of assessments and general guidance on when and how each should be used.
• Clearly defined and referenced objectives, roles, and communication channels for pre- and post-organization assessments.
• Clarity around the context, intent, and terms of the assessment:
  a. A Risk assessment involves X,
  b. A Security assessment involves Y,
  c. A Performance assessment involves Z,
  d. An Enterprise Risk assessment involves A,
  e. A Third-Party assessment involves B,
  f. A Compliance assessment involves C.
• Overall clarity on how the results will be used, analyzed, distributed, and reported. Note: Some organizations have established certain limitations on the distribution and reporting of assessment survey results.
• Definition and clarity for both participants and recipients around the organizational structure(s):
  a. Boards,
  b. Committees,
  c. Legal entities,
  d. Reporting units / operating units,
  e. Geographies,
  f. Divisions / segmentation,
  g. Shared Service Centers / Global Service Centers,
  h. Products / services.


Note: Some context, intent, and terms may be consistent across the various organizational assessments. As a result, the value of "1" does not necessarily mean "high" or "low"; instead, it must be defined in an appropriate context. Context is important, as the value of "1" or "high" may not have the same impact or likelihood. It depends on the nature and timing of the requestor, assessor, and recipient of the results. Some example terms that should be defined for your organization are as follows:
• Impact
• Principles
• Likelihood
• Inherent
• Indicators
• Control
• Ratings
• Residual
• Measures
• Systems
• Weighting
• Technology
• Policies
• Prevent
• Procedures
• Detect
• Standards
• Profile

KNOW YOUR COMPANY'S RISK APPETITE
For a risk assessment, it is important that the requestor, assessor, and recipient of the results are clear on the organization's perspective of risk, i.e. its risk appetite policy or framework. For this document, risk appetite is defined as the organization's approach to risk, which includes the nature and types of risks, their potential, and the manner in which they are sought, accepted, tolerated, and managed.
How does all of the above relate to the internal audit risk assessment survey? It establishes the governance process for all of the organization's assessments, while demonstrating executive leadership's commitment to using assessments as a way to govern the organization and its culture. Unfortunately, too often the internal audit risk assessment survey is performed without the foundation set out above, and the survey results reveal this with a limited participation / response rate and inconsistent response results. When this occurs, it is important that the internal audit department supplement the survey with other assessment methods such as interviews, meetings, and facilitated sessions.
Note: The use of either facilitated or reverse town hall type sessions is becoming more popular and does allow for the best interaction when it comes to organization assessments.
GET INTO THE DETAILS
The internal audit staff and director heard "credit risk exposure" from the individual management representative. Credit risk remains one of the key enterprise risk types monitored throughout the organization. The credit rating department is reviewed annually due to its importance in establishing credit practices and its use of various risk models. Therefore, one of the first audit activities will be the credit rating department, to which the announcement memo for an upcoming audit activity is sent along with the scope and the intended objectives. Three weeks later, internal audit performs an audit activity around credit risk exposure by carrying out a two-week on-site review of the practices within the credit rating department. The findings seemed significant around the lack of revised policies, procedures, and an authority approval matrix.


At the closing meeting, the individual from management has already reviewed the draft report and identifies that the increase in the organization's credit risk exposure was not addressed. Internal audit may have some significant findings, but they missed the "elephant in the room". The exposure was not due to how the credit rating department operated, but rather to how the application process was calculating potential credit risk. Instead of the normal application going through a credit review process that involved credit analysis from three credit bureaus, the credit analysis was only provided by two credit bureaus. Someone within the credit rating department had let one of the credit bureaus' contracts lapse and had no intention to renew it. The two-week audit activity did not review the credit bureau contracts due to the following rationale documented in the workpapers: the credit bureau contracts were reviewed in a prior year, and the scope was not extended to include third-party relationships held by the credit rating department. According to the individual from management, the decision and the rationale for such a decision should have been reviewed by internal audit. Why was a change in creditworthiness not part of the scope of an operational review of the credit rating department? How did internal audit miss the change in the creditworthiness of applicants? Anyone who has ever reviewed the credit process knows that a lack of information from a single third party could skew the approval of an application. But this fact was completely overlooked here.
PLAN FOR SUCCESS
Some will say that the authority approval matrix corresponds to the decision made by someone within the credit rating department; however, most contract lapses don't require approval. Others may point to the US Office of the Comptroller of the Currency (OCC) guidance on credit, which points to the Bank for International Settlements and its December 2013 Basel Committee on Banking Supervision Consultative Document entitled "Revisions to the Securitization Framework". One of the arguments for improvements to the framework is related to the mechanistic reliance on external ratings. In the above example, the credit securitization was irrelevant, as these were individual applications. Others will defend that the internal auditors' rapid response was justified, as this was deemed by management to be an exposure and, in the aftermath of the 2008 financial crisis, the audit activity was justified.
No matter what the defensive position of internal audit, the internal audit department missed a few key opportunities to plan their risk-based activities accordingly. Firstly, the internal audit director didn't ask enough open-ended / follow-up questions. During the internal audit risk assessment, the following questions could have been used:
1. Who thinks there is an exposure?
2. Why do they think there is an exposure?
3. How does the organization have such an exposure?
4. Who else is aware of the exposure?
5. Who has taken accountability to either manage or mitigate that exposure?
Secondly, the internal audit director didn't build a rapport with the management representative, but rather demonstrated internal audit's willingness to accept management-recommended activities into the plan. Thirdly, the internal audit department as a whole didn't connect the dots around the exposure. While the credit rating department is one of the few functions reviewed almost annually, the internal audit department didn't look holistically enough at the credit department. Specifically, they analyzed the credit department as a sole entity, rather than looking at it from various angles. Those angles are as follows:
• The end-to-end processes that involve the credit department directly or indirectly,
• The end-to-end technology that is either used by the credit department or used by other departments of the business that rely on information obtained from the credit department,
• The end-to-end compliance process used by the credit department or used by other departments of the business that rely on information obtained from the credit department.
UNDERSTAND THE BUSINESS AND ITS CULTURE
None of the above angles turns the internal audit department into an investigative body or a group of organizational detectives. Instead, the above angles demonstrate how internal audit strives to understand how the overall business operates. The internal audit risk assessment is designed to aid internal audit in developing a risk-based plan of activities, by first ensuring that the department understands how the organization operates. There is a fine balance and level of depth that internal audit needs to achieve in conducting this activity; however, too often it is not deep enough.
Some advisory firms advocate the use of high-level data analytics to find such anomalies during the risk assessment process. The preventative control was still operating; the credit analysis was still received from two credit bureaus. The use of most high-level data analytics would not uncover whether the credit analysis was received from one, two, or three credit bureaus, unless of course the data analytics were so deeply ingrained in the process that they compared the credit analysis received from multiple credit bureaus. In the above situation, the credit analysis from two credit bureaus was still being received, thus allowing a comparison to still be performed. Others will argue that a look-back analysis that reviewed historic trends could potentially identify that the current applications were either too conservative or too liberal. Regardless of the depth of either data analytic, the application process was indirectly altered by a decision of someone within the credit rating department. Since nobody knows the decision maker's rationale, it is merely one member of management's perspective that there is an exposure.
In summary, internal audit's risk assessment often falls short as it is treated as a slightly modified tactical implementation without a review of the strategic framework. Internal audit has an opportunity to solicit input from management as part of the internal audit risk assessment, either on an annual basis or more frequently. For internal audit to be successful in its risk assessment, assurance, and advisory activities, its interactions with management need to be about building a rapport. That rapport begins with establishing a sufficient understanding of how management and organizational culture operate. With no sign of the pace of change affecting your organization slowing down, internal audit's risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach, beginning with management interviews and input.


THOMSON REUTERS ACCELUS


The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive
set of solutions designed to empower audit, risk and compliance professionals, business leaders,
and the Boards they serve to reliably achieve business objectives, address uncertainty, and act
with integrity.
Thomson Reuters Accelus dynamically connects business transactions, strategy and operations
to the ever-changing regulatory environment, enabling firms to manage business risk. A
comprehensive platform supported by a range of applications and trusted regulatory and risk
intelligence data, Accelus brings together market-leading solutions for governance, risk and
compliance management, global regulatory intelligence, financial crime, anti-bribery and
corruption, enhanced due diligence, training and e-learning, and board of director and disclosure
services.
Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant For
Operational Risk Management Systems, category leader in the Chartis RiskTech Quadrant for
Enterprise Governance, Risk and Compliance Systems and has been positioned by Gartner, Inc.
in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic
Quadrant. Thomson Reuters was also named as Operational Risk Software Provider of the Year
Award in the Operational Risk and Regulation Awards 2013.
For more information, visit accelus.thomsonreuters.com

© 2014 Thomson Reuters. GRC00820/2-14
