Does your internal audit team get external audit involved in the risk assessment process? If you’re not fostering a collaborative relationship with external audit during your risk assessments, you could be missing out on opportunities to improve efficiencies, save costs, and increase the strategic value of your audits. In this article, you’ll learn about the benefits of increasing transparency and collaboration with external audit during the risk assessment process, as well as three concrete ways to boost external audit confidence in internal audit’s risk assessments.
When internal audit teams are conducting risk assessments in their organization, they engage with many different stakeholders including the CFO, the audit committee, executives, and department leaders across the company. One stakeholder that tends to get overlooked during the risk assessment process is the external auditor.
With an increased push towards risk-based auditing, more and more scrutiny is being placed on the initial risk assessment that drives the audit plan from a traditional internal audit standpoint and the scoping from a SOX standpoint. Understandably, it is becoming more common for external auditors to question the completeness and analysis behind the internal audit team’s risk assessment. Without transparency into the methodology, process, rationale behind scoping decisions, or documentation, external audit tends to have reservations about the reliability of the assessment.
So, why isn’t internal audit doing more to get external audit involved in the risk assessment process? For some teams, there is a perception that external audit is just looking to increase the scope of their engagement and, by extension, their billing. Others question whether external audit really adds that much value to the risk assessment process.
In practice, internal audit can benefit in some simple ways by working more closely with the external audit team during the risk assessment process. Discussions early on can help mitigate the risk that external audit identifies a gap late in the year when there is little or no time to remediate. It also enables both parties to leverage the work performed by one another and, in turn, reduce unnecessary costs. Fostering a more collaborative relationship can strengthen confidence in the work performed by internal audit as well. Crucially, by presenting a united front with external audit, internal audit teams can gain trust from the audit committee and ensure they are providing informed updates throughout the year.
Here are three steps that internal audit professionals can take during the risk assessment process to increase transparency and collaboration with their external audit partners—and ultimately bolster confidence in their work.
1. Document the Rationale Behind the Scope and Risk Ranking
It’s essential that internal auditors be clear and thorough in their documentation regarding the rationale behind scoping for processes and risk rankings. What analysis went into that high, medium, or low ranking? Carefully documenting qualitative and quantitative factors that drive scoping and risk ranking decisions will increase the chances that external audit is better able to assess and interpret the team’s work.
For example, it generally isn’t enough to simply document that the Accounts Receivable process is in scope this year because it was in scope last year and revenue is steady. Comments about an uptick in PCAOB findings related to revenue controls or specific commentary regarding key clients or revenue streams would give external auditors confidence and visibility into the assumptions involved in making the scoping decision.
It’s also important to clearly communicate the rationale behind the risk ranking. If 60 percent of the organization’s revenue comes from only three territories, then it would stand to reason that Accounts Receivable in the remaining territories would be considered low risk. In general, the internal audit team should be specific regarding the current conditions of the business and the function that drove the risk ranking for each process.
2. Assess New and Emerging Risks
On an annual basis, some internal audit teams will simply roll forward the risk assessment they conducted the year before, which is likely identical to those of previous years. While this process may be a great starting point, the question remains: what are internal audit teams doing to address new and emerging risks?
Internal audit may be overlooking an opportunity to increase their strategic relevance in the organization by having a risk assessment process that evolves along with the shifting needs of the business. In addition to seeking out market research regarding emerging risks for the organization’s particular industry, internal audit should actively facilitate feedback from executives and department heads, often as part of a larger Enterprise Risk Management (ERM) strategy. With this input, teams can track changes to risks over time, and gain insight into new risks a particular division might be facing due to changing market conditions. Focusing on identifying emerging risks can help to ensure that internal audit is assessing the right issues, and give more confidence to their external audit partners.
3. Solicit Feedback from the External Audit Team
Getting external audit involved earlier in the risk assessment process and soliciting their feedback can not only strengthen the strategic value of the work, but also create efficiencies throughout the year. Taking it a step further, leveraging industry-specific benchmarked risks provided by your external auditor can go a long way to help increase their reliance, since their methodology has been woven into the assessment. It can decrease the time spent by external audit on areas that may not be relevant or in line with their expectations. Having a dialogue with external audit during the risk assessment phase can also help the internal audit team start considering factors that may come up later in the year.
For example, if external audit were involved with risk assessments from the beginning, they could provide insight into what the PCAOB is going to focus on over the next 12 months—giving internal audit appropriate runway to start pre-assessments on business units that might be coming into scope over the next few years. Without such transparency early on, the chance for surprise findings late in the year increases.
Internal audit teams have a lot to gain by improving the transparency and collaboration with external audit during the risk assessment process. Whether your team implements a more methodical documentation of the rationale behind their scope and risk ranking, puts a mechanism in place for identifying new and emerging risks, or solicits feedback from the external audit team earlier in the process, all these measures can boost the strategic value of—and confidence in—internal audit’s risk assessment.