Internal audit's own risk assessment

Internal auditors regularly make recommendations about risk management but when’s the last time you listened to your own advice? Internal audit faces its own uncertainties which need to be managed: budget cuts, organisational restructure and mergers. In addition to the impact of working arrangements on providing assurance with the potential for permanent hybrid arrangements and ambiguity over an end to social distancing measures.

This piece provides you with the tools to get started on creating your own risk register, or updating an existing one, and will hopefully stretch your thinking.

What is risk identification?

Risk identification is important because it helps you make better decisions...decisions about what to do, what to prioritise and what’s no longer relevant. It enables the internal audit team to meet the needs of the organisation by delivering high quality assurance and advice on the subjects that makes a real difference.

Internal audit doesn’t own risk….

It’s an inherent human flaw to avoid talking about hard to address risks!

Even for audit leaders…..

But all leaders must own risks relevant to their operations; internal audit is no exception.

Everyone has a responsibility to identify risks and take responsibility for the risks which are assigned to them. While internal audit must never take responsibility for organisational risks, they must take ownership of their own risks.

We have strategic goals and audit outcomes, processes to achieve them, standards to abide by and behaviours and values that define our professionalism. Uncertainty is part of life: things that stand in the way of success (threats) and things that can help us excel (opportunities).

Internal audit has its own unique risks to achieving its objectives. They should be documented, managed and shared (with the audit committee) just like any other function is expected to do.

The audit committee together with…