GET YOUR INTERNAL AUDIT RISK ASSESSMENT RIGHT THIS YEAR

NOAH GOTTESMAN

ABOUT THE AUTHOR

Leveraging his background in internal audit and internal controls, Noah Gottesman provides industry thought leadership as well as real-world client experiences for Thomson Reuters Accelus. Prior to joining Thomson Reuters Accelus, Noah was a Senior Manager in Ernst & Young, LLP (EY)'s Advisory Services Risk and IT Risk practices, where he spent the last thirteen years serving a variety of global clients on their internal audit and internal control needs. He performed risk-based financial, operational, and compliance audits across multiple processes or cycles, including budget and planning, contract / subcontract, order-to-cash, collections and receivables, revenue recognition, supply chain, procure-to-pay, payroll, and financial reporting.

Noah Gottesman
Thomson Reuters Accelus

FEBRUARY 2014

CONTENTS

A TYPICAL INTERNAL AUDIT SCENARIO
REVIEW STANDARD INTERNAL AUDIT PROCEDURES
LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY
LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY
KNOW YOUR COMPANY'S RISK APPETITE
GET INTO THE DETAILS
PLAN FOR SUCCESS
UNDERSTAND THE BUSINESS AND ITS CULTURE

As the COSO Internal Control Integrated Framework (2013) states, risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Yet many in-house internal audit functions look at the annual internal audit risk assessment process as a check-the-box activity, required mainly to be in compliance with the IIA professional practices framework. Typically, a three- or five-year review cycle for the entire organization is already in place, and the annual internal audit risk assessment barely scratches the surface: it is merely used to justify minor modifications in the risk-based internal audit plan. Yet the internal audit risk assessment presents an often-missed opportunity for internal auditors to understand their organization's evolving objectives and implement a more dynamic risk-based approach to the internal audit process. Let's take a look at a typical scenario played out every day and see if we, as uninvolved bystanders, can audit the process and see if it falls short in any way.

A TYPICAL INTERNAL AUDIT RISK ASSESSMENT SCENARIO

In advance of this year's risk assessment, the internal audit department reviewed and revised its risk assessment process and the various preparation materials for management participants. The preparation materials included a list of key management participants with their preferred contact method, a list of internal audit risk assessment questions, an announcement letter explaining the importance of the annual risk assessment process, and a presentation that provided examples of beneficial insight received from the previous year's risk assessment.

During the risk assessment, the internal audit staff rigorously captures each of management's remarks in an effort to record every detail, be it quantitative or qualitative. As the scribe, the internal audit staff is responsible for note taking, while the internal audit director asks management a series of questions from the annual list of internal audit risk assessment queries. The internal audit director conducts the interview in a way that illustrates both their tremendous understanding of the business and their ability to not get bogged down in the details. The individual representing management, on the other hand, usually provides general responses highlighting a few generic risks inherent in their business, but not enough for one to actually audit. One of those general responses was around an increase in the organization's credit risk exposure.

REVIEW STANDARD INTERNAL AUDIT PROCEDURES

Does the above description raise any red flags? If not, consider whether you agree with the points below and then review the scenario as an auditor.

Internal Audit Risk Assessment Red Flags:

- It is not clear who benefits from this risk assessment process: internal audit, management, etc.
- The annual list of internal audit risk assessment questions sounds great; however, upon further review, the questions are probably too narrowly focused on what internal auditors want to hear. Rather than a prepared list of detailed questions for a meeting with management, have bullets based on enterprise risk management themes.
- The internal audit director may be immensely knowledgeable about the company, the industry, and other key demographics, but the director didn't do enough to plan for this meeting.
- The internal audit director should have a thorough understanding of the organization's culture. Part of that organization's culture is demonstrated in its willingness to identify ERM risks.
- The director should also have understood a bit more about the organization and the individual from management.

Questions worth answering about the individual from management before the meeting:

- How willing are members of management to provide open and honest communication? What are the best modes to request and receive that type of communication?
- What changes have occurred directly or indirectly around this individual within the past 90 days or the past year?
- When did they join the organization? How long have they been in this role? Who are their direct reports? Who do they report to within the organization?
- Are they directly or indirectly associated with any of the internal controls over financial reporting?

The risk assessment is the time when the focus should be on the details, especially if the individual representing management is either new to the risk assessment process or is providing responses that are too general. The internal audit risk assessment is a rare opportunity to demonstrate how the proverbial (internal audit) special sauce is made. A successful risk assessment procedure will involve the following actions.

FIVE WAYS TO TURN RISK ASSESSMENT PRINCIPLES INTO POSITIVE ACTIONS

1. Obtain a thorough understanding of the different perspectives of relevant stakeholders, including management. Seeking additional input can help to provide a more holistic internal audit risk assessment.
2. Identify trends or consistent patterns in regard to organizational objectives, strategic plans, and risks.
3. Identify inconsistencies and/or anomalies in the perspectives to determine whether follow-up activities should be suggested.
4. Analyze the results of the above and assess whether enough information has been captured to determine appropriate next steps.
5. If necessary, seek additional information immediately or over time to determine whether refinements need to be made to the internal audit plan of activities.

Reference, cross-reference, and reconcile whether the above perspectives were included in the current or future internal audit plan of activities, or marked as "no plan of further activity". For "no plan of further activity" items, document why and what is preventing further follow-up. This list should be reviewed throughout the year in conjunction with audit findings and the various root cause analyses.

LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY

A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity. One of the keys to planning and executing a successful internal audit risk assessment process is to use the activity as a way to listen to management on what is most important to them in the upcoming year. The internal audit risk assessment is one of the most valuable exercises available to provide multiple layers of management with the opportunity to share their perspectives of the organization, of the strategic plans, and of the various objectives that they outlined with executive management and even the board. Another way to look at this risk assessment process is that it provides internal audit with an opportunity to see how the organizational culture and governance operate.

The definition of organizational culture has evolved over the years to take on a broader meaning that involves the soft touches: values, beliefs, behaviors, actions, and decisions at all levels of the organization. It is both the management style and the leadership, from the most junior manager to executive management and the board. The impact of organizational culture is immense when it comes to the organization's governance and control environment.

In the scenario outlined here, the internal audit director does not recognize the real opportunity to meet with an individual from management to discuss their agenda. While everyone's time is valuable, a one-on-one discussion with a manager allows internal audit to gain insight into how this individual operates, understands, and responds to their superiors. It also provides the chance for internal audit to see how the organization's strategic plan, annual objectives, and personnel objectives align for a particular member of management. Finally, it provides internal audit with clarity on the effectiveness of the organizational culture and governance processes. Could organizational culture and governance be included in an internal audit risk assessment survey or some type of group discussion? Yes; however, this would require further planning, interaction with the participants, and other additional activities.

LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY

A good deal of planning involves an organization's assessment methodology or approach. Too often the thought processes behind organizations' assessments are inconsistent, thus creating confusion for the participants, reviewers, and result recipients. The following outlines some of the basics that should be part of a robust organizational assessment methodology:

- Definitions for the types of assessments and general guidance on when and how each should be used.
- Overall clarity on how the results will be used, analyzed, distributed, and reported. Note: some organizations have established certain limitations on the distribution and reporting of assessment survey results.
- Definition and clarity for both participants and recipients around the organizational structure(s):
  a. Boards
  b. Committees
  c. Legal entities
  d. Reporting units / operating units
  e. Geographies
  f. Divisions / segmentation
  g. Shared Service Centers / Global Service Centers
  h. Products / services
- Clearly defined and referenced objectives, roles, and communication channels for pre- and post-assessment activities.
- Clarity around the context, intent, and terms of the assessment:
  a. A risk assessment involves X
  b. A security assessment involves Y
  c. A performance assessment involves Z
  d. An enterprise risk assessment involves A
  e. A third-party assessment involves B
  f. A compliance assessment involves C

Note: some context, intent, and terms may be consistent across the various organizational assessments. As a result, a value of 1 does not necessarily mean high or low; each value is defined in its appropriate context. Context is important, as a value of 1 or "high" may not carry the same impact or likelihood from one assessment to another. It depends on the nature and timing of the requestor, assessor, and recipient of the results. Some example terms that should be defined for your organization are as follows:

- Impact
- Likelihood
- Indicators
- Ratings
- Measures
- Weighting
- Policies
- Procedures
- Standards
- Principles
- Inherent
- Control
- Residual
- Systems
- Technology
- Prevent
- Detect
- Profile

KNOW YOUR COMPANY'S RISK APPETITE

For a risk assessment, it is important that the requestor, assessor, and recipient of the results are clear on the organization's perspective of risk, i.e. its risk appetite policy or framework. For this document, risk appetite is defined as the organization's approach to risk, which includes the nature and types of risks, their potential, and the manner in which they are sought, accepted, tolerated, and managed.

How does all of the above relate to the internal audit risk assessment survey? It establishes the governance process for all of the organization's assessments, while demonstrating executive leadership's commitment to using assessments as a way to govern the organization and its culture. Unfortunately, too often the internal audit risk assessment survey is performed without the foundation set out above, and the survey results reveal this with a limited participation / response rate and inconsistent responses. When this occurs, it is important that the internal audit department supplement the survey with other assessment methods such as interviews, meetings, and facilitated sessions. Note: the use of facilitated or reverse town hall type sessions is becoming more popular, and such sessions do allow for the best interaction when it comes to organizational assessments.

GET INTO THE DETAILS

The internal audit staff and director heard "credit risk exposure" from the individual management representative. Credit risk remains one of the key enterprise risk types monitored throughout the organization. The credit rating department is reviewed annually due to its importance in establishing credit practices and its use of various risk models. Therefore, one of the first audit activities will be the credit rating department, to whom the announcement memo is sent for an upcoming audit activity along with the scope and the intended objectives.

Three weeks later, internal audit performs an audit activity around credit risk exposure by carrying out a two-week on-premise review of the practices within the credit rating department. The findings seemed significant around the lack of revised policies, procedures, and an authority approval matrix.

At the closing meeting, the individual from management has already reviewed the draft report and identifies that the increase in the organization's credit risk exposure was not addressed. Internal audit may have some significant findings, but they missed the 'elephant in the room'. The exposure was not due to how the credit rating department operated, but rather to how the application process was calculating potential credit risk. Instead of the normal application going through a credit review process that involved credit analysis from three credit bureaus, the credit analysis was only provided by two credit bureaus. Someone within the credit rating department had let one of the credit bureau contracts lapse and had no intention to renew it. The two-week audit activity did not review the credit bureau contracts due to the following rationale documented in the workpapers: the credit bureau contracts were reviewed in a prior year, and the scope was not extended to include third-party relationships held by the credit rating department. According to the individual from management, the decision and the rationale for such a decision should have been reviewed by internal audit. Why was a change in credit worthiness not part of the scope of an operational review of the credit rating department? How did internal audit miss the change in the credit worthiness of applicants? Anyone that has ever reviewed the credit process knows that a lack of information from a single third party could skew the approval of an application. But this fact was completely overlooked here.

PLAN FOR SUCCESS

Some will say that the authority approval matrix corresponds to the decision made by someone within the credit rating department; however, most contract lapses don't require approval. Others may point to the US Office of the Comptroller of the Currency (OCC) guidance on credit, which points to the Bank for International Settlements and its December 2013 Basel Committee on Banking Supervision Consultative Document entitled "Revisions to the Securitization Framework". One of the arguments for improvements to the framework is related to the mechanistic reliance on external ratings. In the above example, credit securitization was irrelevant, as these were individual applications. Others will defend that the internal auditors' rapid response was justified, as this was deemed by management to be an exposure, and in the aftermath of the 2008 financial crisis the audit activity was justified. No matter what the defensive position of internal audit, the internal audit department missed a few key opportunities to plan its risk-based activities accordingly.

Firstly, the internal audit director didn't ask enough open-ended / follow-up questions. During the internal audit risk assessment, the following questions could have been used:

1. Who thinks there is an exposure?
2. Why do they think there is an exposure?
3. How does the organization have such an exposure?
4. Who else is aware of the exposure?
5. Who has taken accountability to either manage or mitigate that exposure?

Secondly, the internal audit director didn't build a rapport with the management representative, but rather demonstrated internal audit's willingness to accept management-recommended activities into the plan.

Thirdly, the internal audit department as a whole didn't connect the dots around the exposure. While the credit rating department is one of the few functions reviewed almost annually, the internal audit department didn't look holistically enough at the credit department. Specifically, they analyzed the credit department as a sole entity, rather than looking at it from various angles. Those angles are as follows:

- The end-to-end processes that involve the credit department directly or indirectly,

- The end-to-end technology that is either used by the credit department or used by other departments of the business that rely on information obtained from the credit department,
- The end-to-end compliance process used by the credit department or used by other departments of the business that rely on information obtained from the credit department.

UNDERSTAND THE BUSINESS AND ITS CULTURE

None of the above angles turns the internal audit department into an investigative body or a group of organizational detectives. Instead, the above angles demonstrate how internal audit strives to understand how the overall business operates. The internal audit risk assessment is designed to aid internal audit in developing a risk-based plan of activities, by first ensuring that the department understands how the organization operates. There is a fine balance and level of depth that internal audit needs to achieve in conducting this activity; however, too often it is not deep enough.

Some advisory firms advocate the use of high-level data analytics to find such anomalies during the risk assessment process. The preventative control was still operating: the credit analysis was still received from two credit bureaus. Most high-level data analytics would not uncover whether the credit analysis was received from one, two, or three credit bureaus, unless, of course, the data analytics were so deeply ingrained in the process that they compared the credit analysis received from each of the bureaus. In the above situation, the credit analysis from two credit bureaus was still being received, thus allowing a comparison to still be performed. Others will argue that a look-back analysis reviewing historic trends could potentially identify that the current applications were either too conservative or too liberal. Regardless of the depth of either data analytic, the application process was indirectly altered by a decision of someone within the credit rating department. Since nobody knows the decision maker's rationale, it is merely one member of management's perspective that there is an exposure.

In summary, internal audit's risk assessment often falls short because it is treated as a slightly modified tactical implementation without a review of the strategic framework. Internal audit has an opportunity to solicit input from management as part of the internal audit risk assessment, either on an annual basis or more frequently. For internal audit to be successful in its risk assessment, assurance, and advisory activities, its interactions with management need to be about building a rapport. That rapport begins with establishing a sufficient understanding of how management and the organizational culture operate. With no sign of the pace of change affecting your organization slowing down, internal audit's risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach, beginning with management interviews and input.
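The data analytics point above is worth making concrete: a check that only asks "was a credit analysis received?" passes while the control silently degrades from three bureaus to two. The script below is an added example, not part of the original paper or of any Thomson Reuters product; the bureau names, the three-bureau policy and the application records are all constructed. It compares each application's bureau coverage against policy and adds the look-back signal (a bureau that used to respond and then stopped).

```python
"""Coverage check for a multi-source control: did every application receive
credit analysis from the full set of bureaus the policy requires?

All data here is constructed for illustration; the bureau names and the
three-bureau requirement are hypothetical policy values.
"""
from collections import Counter
from datetime import date

# Hypothetical policy: every application must be analysed by all three bureaus.
REQUIRED_BUREAUS = {"bureau_a", "bureau_b", "bureau_c"}

# Constructed records: (application id, decision date, bureaus that responded).
# From February onward bureau_c stops responding (the lapsed contract).
APPLICATIONS = [
    ("A-1001", date(2014, 1, 6), {"bureau_a", "bureau_b", "bureau_c"}),
    ("A-1002", date(2014, 1, 9), {"bureau_a", "bureau_b", "bureau_c"}),
    ("A-1003", date(2014, 1, 14), {"bureau_a", "bureau_b", "bureau_c"}),
    ("A-1004", date(2014, 2, 3), {"bureau_a", "bureau_b"}),
    ("A-1005", date(2014, 2, 10), {"bureau_a", "bureau_b"}),
    ("A-1006", date(2014, 2, 18), {"bureau_a", "bureau_b"}),
]


def coverage_gaps(applications, required=REQUIRED_BUREAUS):
    """Map application id -> sorted list of required bureaus that did not respond.
    An application with full coverage is absent from the result."""
    gaps = {}
    for app_id, _, received in applications:
        missing = required - received
        if missing:
            gaps[app_id] = sorted(missing)
    return gaps


def monthly_coverage(applications, required=REQUIRED_BUREAUS):
    """Share of applications per month (YYYY-MM) with the full required bureau set.
    A drop between months is the trend a look-back review should notice."""
    totals, full = Counter(), Counter()
    for _, day, received in applications:
        month = day.strftime("%Y-%m")
        totals[month] += 1
        if required <= received:  # subset test: every required bureau responded
            full[month] += 1
    return {m: full[m] / totals[m] for m in sorted(totals)}


def silent_bureau_dropouts(applications, required=REQUIRED_BUREAUS, min_missed=2):
    """Bureaus that responded earlier but are absent from the last `min_missed`
    or more applications: a feed that quietly stopped rather than one never set up."""
    ordered = sorted(applications, key=lambda rec: rec[1])
    dropped = []
    for bureau in sorted(required):
        seen = [i for i, (_, _, received) in enumerate(ordered) if bureau in received]
        if not seen:
            continue  # never responded at all: an onboarding finding, not a dropout
        missed_since = len(ordered) - 1 - seen[-1]
        if missed_since >= min_missed:
            dropped.append(bureau)
    return dropped


if __name__ == "__main__":
    print("under-covered applications:", coverage_gaps(APPLICATIONS))
    print("monthly full-coverage share:", monthly_coverage(APPLICATIONS))
    print("bureaus that went silent:", silent_bureau_dropouts(APPLICATIONS))
```

Run against real decision records, the same three functions would separate "analysis received" (which stays true at two bureaus) from "analysis received from every bureau the policy names", which is the distinction the scenario turned on.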

THOMSON REUTERS ACCELUS

The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity. Thomson Reuters Accelus dynamically connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director and disclosure services. Thomson Reuters has been named as a category leader in the Chartis RiskTech Quadrant for Operational Risk Management Systems, a category leader in the Chartis RiskTech Quadrant for Enterprise Governance, Risk and Compliance Systems, and has been positioned by Gartner, Inc. in its Leaders Quadrant of the Enterprise Governance, Risk and Compliance Platforms Magic Quadrant. Thomson Reuters also received the Operational Risk Software Provider of the Year Award in the Operational Risk and Regulation Awards 2013. For more information, visit accelus.thomsonreuters.com

© 2014 Thomson Reuters. GRC00820/2-14