Risk assessment is a recurring, systematic process for identifying and evaluating events (i.e., possible risks and opportunities) that could affect the achievement of strategic objectives, positively or negatively. An Internal Audit risk assessment is an evaluation of risks related to the value drivers of the organization, covering strategic, financial, operational, and compliance objectives. The assessment considers the impact of risks to stakeholder value as a basis to define the audit plan and monitor key risks. This enables the coverage of Internal Audit activities to be driven by issues that directly impact stakeholder value, with clear and explicit linkage to strategic drivers for the organization. Leading organizations will:
- Complete an Internal Audit risk assessment annually. For risk assessment to be recurring and systematic, it must be performed consistently. This allows Internal Audit to identify, capture and update risks while aligning those risks with the organization’s strategic objectives.
- Incorporate all organizational processes in risk assessment, including financial, operational, compliance and information technology. This allows Internal Audit to truly focus on the highest risks without limitation to a specific department, group or category of risks (e.g. limiting to Finance department only).
- Integrate other risk assessment processes with the Internal Audit risk assessment. Consolidating the results of all risk identification processes (e.g. Enterprise Risk Management risk assessment) with the Internal Audit risk assessment provides a complete risk profile of the organization and potentially better deployment of Internal Audit resources toward those areas of highest risk.
While many public and private organizations under $400 million in annual revenues do not have an Internal Audit department, it is no longer feasible for these organizations to fly blind. It is critical to have a systematic process to identify risks and evaluate the severity of these risks to the business.
This post was contributed by Sargon Youmara, a Partner with Vonya Global. Sargon is a CPA, an Internal Audit specialist, and a member of the IIA Chief Audit Executive Roundtable. He has led many companies through Sarbanes-Oxley compliance and managed hundreds of internal audits. He is one of the few in the Internal Audit profession to create a working methodology to implement the Internal Audit Capabilities Maturity Model, a framework for evaluating the effectiveness and maturity of an Internal Audit Department. He consults with Audit Executives on the effectiveness of Internal Audit, is a sought after speaker for Internal Audit conferences, and was a participant in the original PCAOB roundtables. If you would like to contact or connect with Sargon directly you can find his profile on LinkedIn:http://www.linkedin.com/in/syoumara.