Historically, many organizations haven’t always performed a formal, comprehensive risk assessment. But in recent years, we have started to see a shift in that thinking.
A risk assessment helps you identify risks within the organization and allows management and the board of directors to develop adequate plans to mitigate those risks. A well-developed risk assessment takes an organization-wide, bottom-up and top-down approach.
While executive management should focus on key initiatives and strategic risks for the entire organization, process owners within the organization should be equally involved to give a realistic day-to-day analysis of risk within their specific business/service lines.
Risk assessments ensure your internal auditors are focused on the areas of highest risk and the areas that will provide the most value to your organization. In addition, if you are in a regulated industry and undergo regulatory examinations, at the start of that exam, you will be asked to provide the risk assessment in order to support the testing. Regulators are looking to ensure that the risk assessment is adequate and appropriate for the size and risk profile of your organization, and that those risks are appropriately incorporated into your internal audit plan.
How to perform a successful risk assessment
To complete a successful risk assessment, keep in mind these five objectives:
1. Document strategic goals and initiatives
Develop and document an understanding of your organization’s strategic goals and key initiatives — both short term and long term.
The broader, longer-term goals are typically developed during the board’s strategic planning meetings, while others will be developed during departmental and committee meetings. The risks associated with these goals and initiatives should be identified and analyzed to ensure they are addressed appropriately in your organization’s audit plan.
2. Document business processes
Obtain and document an understanding of the processes through which your organization conducts its business, which should include significant processes based on the overall risk to the organization.
3. Identify and evaluate key risks
Identify and evaluate the key business risks that may impact your organization and/or threaten the achievement of its strategic goals and objectives. Once identified, you should further segment the risks for each of the significant processes so that you can appropriately address them in the audit plan for current and future years.
4. Prepare a multi-year internal audit plan
Prepare and update a multi-year internal audit plan. Typically, this is completed for a three-year period and updated on an annual basis for changes within the organization.
5. Perform testing
Ensure your internal audit plan adequately tests identified risks. An internal audit coordinator is usually responsible for ensuring these risks have been appropriately identified and properly tested by the internal audit team.
Remember, the risk assessment is the roadmap for your internal audit. If you fail to address items properly in your risk assessment, you may run into other unwelcome issues down the road.
Internal audit risk assessment: Do you have everything you need?
Even if other organizations discount the importance of a risk assessment, make sure you don’t! Your risk assessment will be the driving force and the lifeblood of your organization’s risk management function.
The risk assessment should be detailed, supported and continually evolving as your organization grows and changes. It’s important to stress the last point — continually evolving — as the risk assessment is a living, breathing document and should be updated and revisited periodically, or annually at the very least.
If you have questions, or need assistance completing your risk assessment or internal audit, contact Wipfli. Our risk and audit professionals specialize in internal audit and assess your true risks to help you develop a strong, tailored internal audit plan. Contact us to learn more.