Choosing the right areas to audit based on risk, or scoping, is the most important aspect of an audit management program. ERM provides five steps to ensure your internal audit planning is truly risk based. The key to adding value in the internal audit process is to first determine where the biggest contributors are to the business success, also known as a risk based approach. Too often internal audits get scheduled based on a rotational basis, gut feelings or suspicions or orders from management.
- Scoping by Objectives – The best way to move your internal audit planning towards a risk based approach is to work backwards – starting with goals, to the processes that deliver on these goals, and then to the risk, controls and monitoring within the business processes that deliver on these objectives. An ERM system has a risk taxonomy that enables internal auditors to simply select a goal from a list and pull up an aggregated collection of related business process risks, controls and tests across all areas of the enterprise.
- Scoping by Business Process – Governance, risk and compliance software will allow you to have a risk assessment of the inherent weaknesses in each sub-process, allowing you to prioritize which of these risk, control and test combinations are truly key. This scoping dramatically reduces the low risk, low impact audit content in your annual internal audit planning. You’ll also have access to the risk assessments completed by the risk owners themselves, allowing audit to validate their assessments against your defined criteria.
- Scoping Resources – Connecting the most important assets to the business processes that contribute most to each strategic objective will create a risked based or prioritized short list of the people, physical assets, IT assets and vendor partners that support your corporate objectives. Typically, it is not just one vendor that causes a failure, but a collection of vendors and other resources that result in critical damage. Auditing resources in isolation is both too time consuming and too narrowly focused, missing the critical dependencies between controls and their contribution to corporate strategy. ERM systems make it easy to aggregate individual resource assessments with business process and vendor assessments, prioritizing aspects of your organizations to points of failure that require auditing.
- Risk Libraries – What are the key risks for each area to be audited? Having a robust risk library that is mapped to specific business processes, industry specific challenges, and is root cause based will guide internal auditors to identify and concentrate on the high inherent and residual risks within an internal audit plan. Why root cause based? Because a root cause approach makes it easy for auditors to match risks to controls, and to determine the effectiveness of a control over a risk. For example, the control over fraud will be different depending on the source of fraud, be it employees, contractors, systems, or unknown external rings.
- Risk Taxonomy – To have a risk based approach to internal audit planning, you need a simple and practical framework that takes complex material, breaks it down, and makes it easy for everyone in the organization to contribute to their control environment. Having a standardized set of criteria that is rationalized, aligned, and scaled to be universally applicable makes risk information available on an apples to apples basis. A Risk Taxonomy enabled approach arms the auditor with structured data and the tools to do objective process and resource based scoping.
As the last line of defense, its audit’s job to uncover deficiencies that are not being appropriately mitigated. Ensuring that your control environment is adequate and that risks to the board are well managed isn’t only best practice, but is now required by the Institute of Internal Auditors (IIA). The effectiveness of your audit program is largely based on not just how you audit, but what you choose to audit next.