4 Risks to Consider When Internal Audit Planning
In light of recent political events and digital and physical attacks, risk management has moved high on executives’ radars when it comes to controlling their organizations. While the oversight of risk is the responsibility of every department, Internal Audit is often charged with leading the effort. Internal Auditors have the opportunity to increase the risk coverage and cost savings that they provide to their organizations by incorporating the following four risk factors into their internal audit plans.
Recent cyber-attacks like “WannaCry” and newly passed regulations in states like New York have moved cybersecurity to the top of internal audit’s priority list. Cybercrime can lead to financial and reputational losses for organizations, so it is important for Internal Audit to be at the forefront of testing information technology controls and continuously monitoring cyber risk tolerance. Building relationships with the Chief Information Officer and Chief Information Security Officer can help auditors learn the cyber pathways in and out of the organization and understand what IT teams need to protect them. Having protocols in place to handle internal and external impacts in the event of an attack helps limit loss, protect employees and stakeholders, and return operations to normal in a timely manner. Internal Auditors can help drive cybersecurity as a key strategic focus area in their organization’s risk oversight.
Incorporating protective measures against external threats, like hackers, is just one factor to consider when internal audit planning. With a new White House administration and changes in political leadership come changes to business as a whole. President Trump aims to decrease regulations, renegotiate trade deals, and scale back federal government funding. Deregulation could reduce or eliminate requirements that have been costly and time-consuming for compliance, but it is important for Internal Auditors to consider repercussions before scaling back their resources. Executives should evaluate what risks these regulations were designed to mitigate, and what their company’s overall risk tolerance for these areas would be if they reduced compliance resources. It is probable that many currently regulated areas are core to your organization’s operations and profitability, so protecting your organization in these areas will remain important. If there is an opportunity to scale back resources, it is important to plan for how those newly available resources will be reallocated. Conducting an annual risk assessment can help Internal Audit assess the current, most pressing threats to your organization so that your plan and resources are concentrated on the areas of most concern to your business.
Third Party Vendors
Your company’s risk mitigation strategy is only as strong as the third-party vendors on which you rely. Outsourcing core functions of your business can offer both cost savings and efficiencies. However, you are ultimately responsible for the activities you outsource and the security of shared information, so each vendor has the potential to damage your business. If Internal Auditors can anticipate those potential risks, they can lead their organizations away from harm if an incident occurs from the vendor’s end. Vendor risk occurs at every stage of the procurement cycle, so conducting a risk assessment to identify, weigh and prioritize all risks across that life cycle will allow you to channel Internal Audit resources to the most significant areas of risk. Employing a top-down, risk-based approach to procurement ensures that the right level of attention is provided to control vendor risk. These actions could save your company’s money, reputation, and time.
Before finalizing your internal audit plan, consider using data to deliver better results. Organizations across the globe are learning how to analyze captured big data, and Internal Audit can use this type of analysis to strengthen its role within the organization. Data analytics highlight meaningful information through the inspection, cleansing, transformation and modeling of an organization’s own data. Internal auditors can use its results to advise management on risk reduction, compliance, and assurance coverage improvements. While deploying data analytics can help you make stronger predictions and recommendations for management, Internal Audit needs to remain flexible. In the earliest scoping phases, you will need to include questions related to processes, business operations and data elements to properly create an analytics-specific query. Over time, the amount of information generated through data requests will accumulate, and this may cause those initial questions to change. The strongest data analytics programs will account for additional information, higher-volume data requests and lessons learned from previous queries. Remaining flexible and refining your process as you go drives the strongest results.
Flexibility Is Key
Stagnant internal audit plans open your organization up to unplanned risks wreaking havoc on your business. Taking risk areas like cybercrime, new government officials and procurement into consideration will help your Internal Audit department plan to address the risks of today. Understanding that your risk environment is always in a state of flux and evaluating your internal audit plan regularly to account for changes will help you plan to address the risks of tomorrow. For more tips on internal audit planning, please contact us.
Copyright © 2017, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly-traded and privately-held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).