How Does Your Firmís Risk Management Process Stack Up?
Key strategies on how to establish, maintain and structure an effective internal audit function revealed.
November 4, 2010
Today’s global economic climate has underscored the need for organizations to reconsider their operations at a fundamental level. Ever-present headlines and the resultant loss of confidence in the financial markets have created an environment in which the implementation of sound organizational governance and internal controls practices has never been more important to an organization’s success.
This article outlines an effective and efficient approach to managing risk that is scalable to the size and complexity of any organization’s structure and operations. The concepts presented in this article are rooted in accepted methodologies and industry standards.
Objective of the Risk Management Process
A well-defined, structured risk-management process enables organizations to take advantage of synergies already present but not necessarily leveraged. The foundation consists of the knowledge bases and complementary skill-sets possessed by key personnel across the organization and takes into consideration its size, locations, management and board structure. Coordinating efforts to manage the level of risk related within the organization is a critical objective of an effective risk-management process, such that coordinated knowledge sharing among the group should be greater than the sum of its component parts.
When identifying and managing risk related to information privacy, for example, focusing on the issue solely from an information technology perspective would provide limited value. Alternatively, incorporating the combined perspectives of professionals from the operations, finance, legal and human resource departments would yield a more robust analysis of the privacy-related risks throughout the organization.
When implementing a risk-management process through a formal internal audit function, a well-crafted internal audit charter is critical. It will drive the organization to think in terms of responsibility for scoping, planning and execution as well as breadth of coverage and timing.
The Internal Auditor’s Role
The Internal Auditor should take primary responsibility for coordinating and carrying out the following tasks and should report directly to the Audit Committee in order to maintain independence.
Assessing Organizational Risk
An organizational risk assessment is a structured means of assessing and rating the risks faced by an organization within the context of its financial reporting processes, operations and compliance with laws and regulations. It is designed to provide the organization with information necessary to proactively consider the implications of such risks and any actions the organization should take to mitigate those risks.
An organizational risk assessment should consider the key business and support functions of the organization and measure the inherent risks associated with those functions over a spectrum of broad, predefined risk factors, such as market and reputational risk.
Considering the evolving nature of any organization’s business environment, the global economy, technology and how such factors can significantly impact a business over short time frames, an organizational risk assessment should be conducted or updated at least annually. The organizational risk assessment drives the development of a comprehensive internal audit plan and special projects designed to address the identified risks. Critical to this process is a thorough vetting by management and the audit committee to obtain consensus regarding the deployment of resources to determine the root causes of identified risks and to mitigate those risks accordingly.
Centralizing an organization’s analysis of risk helps internal auditors facilitate the creation of a 360-degree perspective of risks faced by an organization. A structured organizational risk assessment also aids in the development of standardized measurement criteria to actively track historical risks and the impact of related remediation activities, while a decentralized approach results in an ad hoc means of addressing risk in “silos,” typically resulting in duplication of effort and the implementation of conflicting processes and controls.
Developing an Effective and Value-Added Internal Audit Plan
The internal audit plan consists of a prioritized schedule of audit activities over a predetermined period of time. Audit activities for high-risk areas should be performed before areas of comparatively low risk. The use of a multi-year plan enables an organization to avoid unnecessary duplication and to intentionally audit particular areas more than once.
The Audit Committee and management should approve the scope and approach of the audit plan that internal auditors submit ensuring an efficient use of resources.
The execution of the necessary procedures under the audit plan includes the following:
While the organizational risk assessment provides a broad perspective of risk, the procedures undertaken during internal audits provide the organization with a detailed perspective and analysis of risks at the control-activity level.
Utilizing a standardized audit-report format — including an executive summary and rating of the individual audit results as well as management’s responses to the audit findings — provides a means of facilitating consistent and transparent reporting. In addition, an overall report that summarizes the key findings from the audits should be provided to the audit committee in a timely manner. This cascading approach provides the audience with a detailed perspective through the individual reports, in addition to a global perspective through the summary report.
Remediation Activities and Ongoing Monitoring
Conclusions regarding the design and operating effectiveness of controls provide relevant information to make informed decisions regarding appropriate steps to remediate control weaknesses. The development of remediation activities may start with the audit committee, management, internal audit or any combination thereof and should be jointly approved by management and the audit committee.
The results of remediation efforts should be tracked and regularly reported to management and the Audit Committee and should be used to further the objective of mitigating organizational risk in the most effective and efficient manner.
All organizations can benefit from the implementation of one or more of these primary concepts. While the maximum benefit is obtained by a comprehensive, integrated program incorporating all of the primary concepts presented, a scaled-down approach based on an initial organizational risk assessment can also yield targeted benefits.
Laurie Scofield, CPA, is an independent consultant currently working in the New York Metropolitan area. Her risk management practice focuses on process improvement and internal control restructuring with an emphasis on technology and control automation. Scofield can be reached at (973) 223-5951. Eric S. Martinez, CPA, JD, is an audit partner at Grassi & Co. where he specializes in all aspects of accounting, including consulting and financial reporting. He has more than 20 years of public accounting and consulting experience serving clients across a wide variety of industries, including international companies. Martinez can be reached at (516) 336-2429.