New survey of internal auditors lists top risk-assessment and audit-planning considerations

As internal auditors begin the process of planning audits for 2017, they are also looking to refine that planning process, which, of course, depends a great deal on risk assessment. With an intense focus on adding value, risk assessment and audit planning are as important as ever. A new survey finds that internal audit departments are reviewing those process and looking to improve risk assessment and audit planning in a few critical areas.

According to the survey, by Walters Kluwer's TeamMate Solutions unit, the top priorities include moving to a more continuous risk-assessment process and addressing strategic and emerging risks. Other "key considerations" include considering the impact of macro risk factors, sharpening the organization's focus on cyber-risks, and making the audit planning process more dynamic so it can be updated as conditions change.

TeamMate's 2016 Global Audit Technology Survey, conducted in July and August, includes views from 600 internal auditors or related professionals and focused on three related and interdependent audit processes — risk assessment, audit planning, and reporting on these activities to management and the audit committee. The goal of the survey, according to TeamMate, was to compile useful data on both current and anticipated practices in these key areas, which audit leaders around the world are seeking to fine-tune to better address the dynamic nature of their rapidly changing risk environments.

Towards Continuous Risk Assessment

According to the survey, more internal auditors say they plan to implement continuous risk assessment processes in the next two years. Indeed, many are already there. Of the 600 internal auditor survey respondents, 40 percent said they are using a combination of continuous and annual risk assessment processes. Another 9 percent currently use only a continuous risk assessment process.

Others say they intend to move in the direction of conducting a more continual assessment of risks. More than half (56 percent) of internal auditors who currently assess risk annually or periodically expect to move to a more continuous risk assessment process within the next two years, the survey finds.

In a similar vein, more internal audit departments are moving away from the rigid annual audit planning phase to doing planning on a more dynamic basis. Although the majority of respondents (57 percent) create an annual audit plan with some periodic updates, 40 percent are updating audit plans either monthly or as audit work is completed. Another 5 percent are using a rolling audit planning process and 28 percent say they will move to rolling audit planning in the next two years.

Focus on Strategic Risks

It should come as no surprise that internal audit departments are placing a lot of attention on assessing strategic risks, giving the pressure from boards and the C-suite to do so.

"The majority of our nearly 600 survey respondents report that their risk assessment processes include formally assessing the strategic risks of their organizations," says Mike Gowell, general manager of TeamMate. "What's more," Gowell adds, "70 percent of our 2016 survey respondents say they are either highly or reasonably confident that their internal audit staffs would either identify any major changes in the organization's strategic risk profile or would be informed of any such changes on a timely basis."

To this end, internal auditors are also seeking more input on risk assessment from other functions across the organization. Nearly three-fourths of respondents (73 percent) say they either coordinate or align their risk assessments with other "risk-and-control units within the organization," according to the survey. The five most common functions that provide input are: enterprise risk management, compliance, technology, finance, and legal.

Address Emerging Risks

Another important finding is the growing focus on emerging risks. More than half (55 percent) of respondents say they have a formal process to identify, assess, and report on emerging risks, and 44 percent of those provide their audit committees with a regular report on internal audit's assessment of emerging risks. More than half of the survey respondents who do not currently include emerging risks in their risk assessments plan to do so within two years.

Other Survey Themes

  • Assessment of external macro risk factors such as systemic, political, or macro-economic risks
  • Enhanced coverage of cyber-risks, identified in 2015 CBOK (The IIA's Common Body of Knowledge) data as the greatest technology-related risk facing internal auditors today.
  • Enhanced risk reporting, with 22 percent using new approaches to risk reporting, including heat maps, risk dashboards, and combined reporting with the ERM function.