The Institute of Internal Auditors recently issued two new practice advisories related to risk management. The first practice advisory, titled “Using the Risk Management Process in Internal Audit Planning”, deals with coordinating internal audit activity with risk management. The second practice advisory, titled “Assurance Maps”, centers on identifying and addressing any gaps in the risk management process.

Using the Risk Management Process in Internal Audit Planning

This Practice Advisory describes the relation between internal audit functions and risk management functions within an enterprise.  It notes that internal audit activity should be consistent with the risk management process. In organizations where a risk management process is already in place, internal audit can utilize the information obtained by risk management to plan audit activities and determine how to properly allocate internal audit resources. The Practice Advisory highlights that internal audit should focus on areas of high inherent risk, high residual risk, and key controls in the organization.

The Practice Advisory reminds readers of the importance of these factors.  Inherent risk is the susceptibility of information to a material misstatement without considering internal controls. Residual risk, also known as current risk, is the risk that remains after management has taken action to reduce the impact and likelihood of an event. Key controls are those that help to manage and reduce risk within an entity’s risk appetite. Based on these assessments, internal audit can determine which activities to include in the audit activity plan. In areas with the greatest risk exposure, internal audit may perform assurance, inquiry, or consulting activities. In addition, internal audit can use risk assessments to identify any controls that inefficiently reduce risk.

In order to coordinate internal audit activity with risk management, risk identification within an organization must be clearly documented. Some organizations have developed risk registers that document risks based on inherent and residual risk ratings. Regardless of the method, organizations should have a process that systematically identifies high-risk areas. Since internal audit cannot review all these risks, those not chosen for the internal audit plan should be reported separately to the board. These most often include high inherent risk rankings where the residual risk remains largely unchanged. Internal audit should also periodically include some lower risk items in their activity plan to ensure these risks have not changed.

The Practice Advisory also reminds internal audit functions that they should consider many factors of the risk management process when developing the internal audit plan. Inherent risks and residual risks must first be identified and assessed. Internal audit must also verify any existing mitigating controls, contingency plans, or monitoring activities that are linked to risks. In addition, internal audit needs to confirm that risk registers are systematic and that the risks are properly documented. When completing the internal audit plan, the areas requiring the greatest amount of focus are unacceptable current risks, controls on which the organization is most reliant, areas with a large differential between inherent and residual risk, and areas with high inherent risk. Coordination between internal audit and the risk management process is key to efficiently managing risk within an organization.

Assurance Maps

The second Practice Advisory focuses on the need for assurance related to the risk management activities in the organization.  Assurance improves the quality of information for decision makers through an objective examination of governance, risk management, and control processes within an organization. The board is responsible for ensuring that there are no gaps or overlaps in the assurance process. There are three types of assurance providers: those who report to management, those who report to the board, and those who report to external stakeholders. Since there are multiple assurance providers, these providers need to share information in order to create a more efficient assurance process. 

Assurance mapping facilitates the identification of any gaps in the risk management process. It is a streamlined approach that maps the assurance coverage against risks in an organization. Significant risk categories are often used as a framework for assurance mapping. In many organizations, each significant risk has a risk owner or person responsible for coordinating assurance activities for that risk. Assurance mapping allows these risk owners to identify if numerous different departments or individuals are repeating assurance activities. It also highlights the need for additional assurance activities for risks with inadequate coverage.

The Practice Advisory notes that the chief audit executive (CAE) plays a key role in assurance mapping. It is their responsibility to understand the independent assurance requirements of the board and the organization. Based on the level of assurance that internal audit provides, the board must be certain that all risks are being managed effectively. Some organizations require an overall opinion from the CAE. In that case, the CAE must understand the assurance mapping process before expressing an opinion on assurance. In other organizations, the CAE can act as the coordinator of assurance activities to ensure an efficient process. In either situation, assurance mapping is an effective way of coordinating risk management and assurance coverage within an organization.
