3. Impact
Exceptional interviews are driven by insightful, probing questions that expose the human element of risks and uncover the root causes.
Behavioral-based risk assessment questions examine how employees act in response to risks and controls and provide a common language to discuss and understand the impact the human element can have on the overall risk environment. These questions key in on two influencing forces — organizational and individual — that explain behaviors and their impact on outcomes.
When IA risk assessment activities proactively identify root causes and trends, the impact of the risk assessment becomes exponentially greater.
4. Information
IA functions are continually challenged with how they aggregate information from multiple sources to enable greater buy-in and stronger alignment of the organization’s key risks and related audit plan.
Risk assessments of the past focused heavily on interviewing key executives within corporate and select business units. This often takes a lot of time, and the discussions are performed in silos where information and insights are not aggregated or evaluated across the organization.
Collaboration tools help drive greater insight and feedback from a range of people across the organization. For example, a virtual collaboration platform can be used to engage participants in the same room or across the globe in the IA risk assessment process, and participants can perform activities such as brainstorming, ranking and voting on key risk issues.
5. Insight
Data analytics and data visualization have been a hot topic for IA functions for a number of years. However, many IA functions have focused on using analytics only during the planning and execution of audits. Forward-looking IA functions are now leveraging data analytics to provide insights during the IA risk assessment process as a way to influence the nature of the audit plan and scope of specific audits.
IA functions are also using data visualization tools to aid in incorporating quantitative elements into the risk assessment process. These data sets are synthesized and visualized into “risk dashboards,” which are then leveraged to help IA functions maintain an understanding of key performance metrics, changes in the business and changes in the risk profile.
Progressive IA functions are beginning to introduce prescriptive analytics, thereby determining which decisions or actions will produce the most effective results against a specific set of objectives and constraints. Tools for prescriptive analytics include optimization, business rules automation, and real-time learning decision models, which can be used on a continuous basis to identify key risks or red flags.
To drive insight, start small (e.g., analytics for a function, division or process vs. an entire business unit) and get a few quick wins with the data analytics program. For instance, identify the one or two divisions or processes where descriptive or predictive analytics can be deployed and then expand from there. Then look for ways to further advance your use of data analytics – for example, expansion into other business units, increased complexity and customization.
Conclusion
When implementing the approaches and processes discussed above to disrupt the IA risk assessment process, it is important to take a broader view of risk. Not all risks are negative; for example, many of the new innovative technologies drive significant benefit to the organization and the reward of taking risk needs to be analyzed. To be successful, organizations will need to shift their focus from simply mitigating downside risk to embracing new upside opportunities.
Striking this balance requires embedding risk and controls into strategic decision making within the front-line businesses and multifaceted approaches to the portfolio of risk.
As organizations reflect on their risk assessment process and look ahead at the evolving risk landscape, there are many opportunities to adapt, evolve and innovate.
For some IA departments, these will primarily involve enhancements to the existing process, whereas other IA functions will choose to make more substantial and disruptive changes to their risk assessment process and related activities.
Observing these five characteristics can help change the IA risk assessment process from a routine check-the-box exercise to results-oriented and value-based activities delivered by a highly effective and value-focused internal audit department.
Summary
The importance of internal audit risk assessments cannot be overestimated. Leading internal audit functions should disrupt their own process by adopting five characteristics that will help them bring a more innovative and value-driven IA risk assessment to the organization.