I have been asked the following questions about relying on a risk assessment performed by the risk management function. Here are the questions and answers:
QUESTION #1.
Who conducts the annual risk assessment used for establishing a risk-based plan to determine priorities of the internal audit activity? and
QUESTION #2.
Is this a risk assessment the Internal Audit Department develops, or do you use a risk assessment developed by Risk Management or Enterprise Risk Management or another business unit in your organization?
ANSWER TO 1 & 2
If an organization has a qualified and effective risk management function that is already performing an annual risk assessment, it should use this as the primary basis for developing its audit plan. Risk management’s assessment – which if done correctly is blessed by senior management and the board – should be a major input into the intern audit plan development. It would be foolish for internal audit to re-do a completely new risk assessment.
The risk based audit plan would then use risk management’s risk assessment as a major input to determining the audit projects for the year. Internal audit still needs to consider the identification of audit projects that relate to the high risk areas identified in the risk assessment in order to develop its audit plan.
The reality is most organizations do not have this luxury so internal audit is often left to do the annual risk assessment.
QUESTION #3.
Does it impair independence or violate auditing standards to use a risk assessment developed by another party to determine your risk-based audit work plan? Why or why not?
ANSWER TO #3
It is not an independence issue to use work performed by others. The standard requires the internal audit activity to be independent – that the internal audit activity reports at an appropriate level within the organization. Individual auditors must be objective (wording from standards included below).
The standards state “The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually.” (2010.A1) but it doesn’t say who must perform the risk assessment.
In fact, the standard do suggest that “The chief audit executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization.” (2010 Interpretation) If there is already a risk management function in an organization that internal audit has determined is effective, based on assessing the function, I believe the internal audit activity should rely on the risk assessment performed by the risk management function.
Here is the full wording from some of the relevant standards.
1100 – Independence and Objectivity
The internal audit activity must be independent, and internal auditors must be objective in
performing their work.
1110 – Organizational Independence
The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.
1120 – Individual Objectivity
Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.
2010 – Planning
The chief audit executive must establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization’s goals.
2010 – Interpretation:
The chief audit executive is responsible for developing a risk-based plan. The chief audit
executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
2010.A1 – The internal audit activity’s plan of engagements must be based on a
documented risk assessment, undertaken at least annually. The input of senior
management and the board must be considered in this process.
2010.A2 – The chief audit executive must identify and consider the expectations of
senior management, the board, and other stakeholders for internal audit opinions and
other conclusions.