Tips for Success: Effective Risk Assessment and Internal Audit Planning for Public Sector Organizations
Author: Lori Daniels, Manager, Risk Advisory Services
Contributor: Nick Stone, Partner, Risk Advisory Services
Risk Assessment: two simple words that help shape an organization’s internal audit plan, but also have the power to increase anxiety and stress levels for many public sector internal auditors. As practitioners, we rely too much on how we have always done it, overthink the process, or make it too labor intensive. So, let’s step away from the complicated tools, models, and rating scales and take a moment to consider how to simplify the task at hand. With four simple strategies, risk assessment can be simpler and more effective.
Get to Know Your Organization
A properly structured risk assessment forces internal audit to get to know the entity at a level that goes beyond the organizational chart. It enables a holistic view of departments, divisions, and functions, including how they depend on and support one another, and the detailed activities performed to meet organizational objectives.
Building the risk assessment to model the full organization ensures a complete audit universe is created, which drives focus and allows risk to be better understood and articulated by (and with) management. Modelling the full organization in your risk assessment requires an up-front investment as internal audit gathers strategic plans, budgets, and operational information about each area to understand and build a solid foundation from which to assess the organization’s risk.
Clarify Your Purpose and Objectives
A risk assessment is required to fulfill performance standards defined within both the Institute of Internal Auditors’ Internal Audit Standards and by many state statutes. The risk assessment is the foundation for the internal audit plan, but it can do much more. It aligns internal audit to the mission and vision of the organization, establishes a shared risk perspective across the organization, communicates risk perspectives to senior management, boards, and committees, and identifies emerging risks.
Define Your Risk Factors
Oftentimes, internal auditors jump straight to a High – Medium – Low (or numerical) risk scoring process without first taking time to clearly define the risks being assessed. Resist the urge to dust off the prior year’s assessment; instead, work collaboratively with senior leadership to define the risk criteria aligned with your objectives and define what those High, Medium, and Low ratings mean relative to your organization. Consider risk factors that go beyond the typical materiality and regulatory measures. Perhaps your organization is facing significant technology changes, has a decentralized structure, or has unique funding sources that should be assessed as stand-alone criteria.
Instead of using specific risk events that negatively impact the ability of the organization to achieve its objectives, use risk factors as a proxy for risk events to increase the efficiency of the assessment process and help you develop risk perspectives more quickly. A few example risk factor definitions to get you started:
- Complexity: Complexity as a function of the technical knowledge, experience, subjectivity, and judgment involved in the performance of the stated activity.
- Centralization: The concentration of control of an activity or organization under standard policy, procedure, and process.
- Change: Change in personnel involved, new classes of transactions, or business systems.
- Level of Effort: A subjective measure of the effort used to perform an activity or function (which makes for an interesting comparison against perceived risk).
- Control Maturity: Perceived formality and rigor of control in place over risks relevant to the initiation, authorization, processing, recording and/or reporting activities evaluated.
Risk factors should be curated and tailored to meet the objectives of each organization and the desired outcome of a risk assessment. When assessing risk factors in lieu of more formal risk events, you are able to avoid the pitfalls and inefficiencies common to some risk assessment methodologies.
Even with the well-known expectation on internal audit to perform risk assessments across their organization, many still struggle with the most effective way to get it done. The good news is there are some simple steps internal audit departments of all sizes can take to make their next risk assessment a successful one:
- Discussions are not intended to be a deep-dive, but rather a high-level approach to establish an understanding of the organization and develop shared views of risks as measured against agreed upon risk factors. Save the detailed, process-level topics for the audit projects that ultimately become part of the internal audit plan as supported by the risk assessment results. Getting too far into the weeds here may derail your progress and make it difficult to stay on track.
- Design your risk assessment format to evaluate risk factors and rate their impact on your organization’s operations. Define those factors in a manner that is clearly understood and communicated to all stakeholders. Choose risk factors or criteria that contribute to or influence the level of risk within departments or divisions across the organization.
- The risk assessment format should be collaborative and facilitate open discussion about the organization and its risks. Don’t build the audit universe in secret and then expect full participation. Senior leadership, and at least one or two levels down in the organization, should be involved in defining the risk factors and rating scale. Drawing on their knowledge and perspective is key.
- Keep focused on the key risks to your organization’s mission, vision, and business objectives. You’ll likely uncover some emerging risks that may require separate evaluation outside of the internal audit plan to develop the appropriate risk response and plan of action. Involving the organization’s Enterprise Risk Management (ERM) function, if one exists, in these discussions will further enhance these efforts.
- Explore risk assessment technologies that modernize the process. There is no one-size-fits-all tool. Your organization may work best using spreadsheets or databases, or you may wish to explore one of the many other options available in the marketplace to take your assessments to the next level. There are numerous tools available, including those that span voting/polling, formal risk taxonomies, risk and control mapping, and self-assessments. A few specific technologies we are exploring include AuditBoard, Galvanize High Bond, and HyperProof. There are many other GRC options on the market that may help formalize your risk assessment process.
Cherry Bekaert’s Risk Advisory practice has assisted state agencies and local governments using this approach to refine their existing process or implement it for the first time in their organization. In our experience, we have seen success as we work side by side with management to establish the foundational components (risk universe, risk factors, risk ratings), perform the assessment through a series of workshops where open dialogue is encouraged and necessary, and validate the perspectives gleaned from the process to develop an audit plan that truly does align internal audit with the organization. Such alignment increases the entire organization’s ability to effectively protect public assets, drive compliance, and increase taxpayer confidence.
With a clearly defined responsibility to assess risk across the organization, and additional pressure to defend its credibility and relevance, internal audit’s need for a successful risk assessment process is increasingly important. Taking action to sharpen this tool should therefore be a top priority for every chief audit executive, especially in the public sector.
How Can We Help You?
For assistance or questions regarding the development of mature risk assessment and risk management methodologies, or to evaluate a special project in a cost-effective manner, please contact Nick Stone, Partner and Leader of the Firm’s Risk Advisory practice, or Lori Daniels, Manager in the Firm’s Risk Advisory practice.