Audit planning – how do you stay ahead of the curve?
Organisations are managing evolving consumer expectations, new partnerships, dynamic ecosystems, the changing regulatory landscape, disruptive business models and competitive domains. To keep pace with these changes and disruptions and stay relevant, the internal audit (IA) function needs a more dynamic capability that is focused on giving timely insights on strategic risks. Also, IA functions need to determine how to evolve this approach to provide more dynamic and complete coverage of emerging issues and risks, and define the associated IT audit universe.
At the same time, IA has finite resources and needs to focus on the most appropriate areas. This is particularly relevant for IT audits, since financial services organisations continue to invest significantly in technology change.
IA needs to perform a regular risk assessment to identify focus areas and develop an associated audit plan to address these. Static risk assessment processes need to evolve to further incorporate emerging and strategic risks, streamline coverage and reduce audit fatigue. Such traditional or static risk assessment processes can struggle to keep pace with the volume of change in businesses today.
This can be achieved by focusing on the following considerations:
Dynamic risk assessment and planning:
- How often does IA perform a risk assessment?
- What processes are there to monitor emerging risks and incorporate these into the risk assessment?
- How are data and technology being used to create a dynamic risk assessment process?
Flexible audit response and execution:
- How do the outputs from the risk assessment shape the audit plan?
- Does the approach allow for cost-effective, widespread risk coverage and clarity on the rationale for each audit?
- How flexible is the range of audit response options available (e.g., standard rotational audits, risk-based projects and analytics-led reviews)?
Issue-based and data-driven reporting:
- How do you ensure that reporting has robust root causes with pragmatic and sustainable solutions?
- What solutions are utilised to enable more continuous reporting?
- How does reporting feed back into the risk assessment process?
What’s new? Why now?
IA functions are uniquely positioned to understand their organisations and provide influence at the board level. There are compelling opportunities to deploy a data-driven, dynamic risk assessment process to help inform timely insights on strategic risks.
However, the ever-evolving environment in which financial services organisations operate means that there are many other areas of emerging risk that IT IA needs to be aware of. For example, the use, impact and risk of artificial intelligence-based language models such as ChatGPT have suddenly become an important consideration.
In addition, IA needs to be able to identify relevant risks on a timely basis, assess these risks and then respond and report appropriately to add value to the organisation.
What should IA be doing about it?
- Is a static, annual risk assessment process sufficient or should a more dynamic process be developed that incorporates emerging and strategic risks? IA should investigate the potential for the use of advanced governance, risk and compliance tools to assist with risk identification and assessment. A change of approach to risk assessment can allow IA to perform this on a dynamic basis and provide appropriate consideration right across the IT risk universe.
- The IA approach should center on a dynamic data-driven risk assessment, complemented by a suite of tailored responses designed to effectively and efficiently address identified risks. Critical to the approach is a foundation of constant collaboration with the business and key stakeholders to drive a better audit plan, better execution and better outcomes for the clients of IA.
- Horizon scanning of emerging risks is important to allow IA to be proactive in demonstrating how these are being considered by management. This keeps the audit planning agile and mobile, enabling more accurate and rapid decision-making.
- IA should leverage technology to evaluate risk more efficiently and comprehensively. For example, IA needs to consider the use of data analytics and automation as it provides more efficient and effective internal control oversight.
- IA needs to have the appropriate levels of skills and knowledge to obtain and utilise such data to perform risk assessments on a more continuous basis and use this to drive a more focused audit plan.
- Talent and IA operating models should shift to a diversified resource mix to align with the dynamic workforce environment while keeping pace with the organisation’s strategic imperatives.
- IA should consider performing integrated audits in the audit planning stage as it provides a holistic view that looks across both the business process, including the operational and financial aspects of the control, and the technology that underpins the business process and controls.
The analytics angle of audit planning
The use of data can be a key enabler across the IA lifecycle. For risk assessments, this would include extraction and analysis of data available in the organisation and externally, and visualising outputs to support risk quantification and prioritisation.
Considering the above aspects in the audit planning process will help organisations to build a modern IA function that meets current needs and continues to do so well into the future. By moving towards a more dynamic risk assessment, IA will provide more risk coverage and insights, making the audits more efficient and value-adding.
Disclaimer: The views reflected in this article are the views of the authors and do not necessarily reflect the views of the global EY organisation or its member firms.