How can Internal Audit adapt to an evolving Risk Environment?

In today's fast-paced world, the landscape of risk is evolving rapidly, presenting significant challenges for companies and internal audit functions. In the last five years cybersecurity threats surged, the COVID-19 pandemic exposed significant vulnerabilities in global supply chains, heightened economic volatility and geopolitical tensions with higher inflation and geopolitical conflicts in Ukraine and Middle-East, as well as increased climate related disasters have shown the increased speed and complexity that organizations need to be better equipped for.

This article explores how internal audit can adapt its risk assessment processes to remain effective and relevant.

Evolution of Risk Assessment

Risk assessment has been integral to internal auditing since its early days. The traditional risk matrix, evaluating risks based on likelihood and impact, became a standard tool in the mid-20th century, largely influenced by organizations like the Institute of Internal Auditors (IIA). This approach provided a structured way to prioritize risks but had limitations in addressing complex, interconnected risks.

Even if Internal Auditors wanted to move beyond the traditional likelihood and impact, technological constraints limited more nuanced risk assessments. Early systems lacked data integration capabilities and computational power for complex analyses. Manual processes were inefficient and prone to inaccuracies.

The evolution of advanced analytics and AI have the ability to transform risk assessment capabilities through:

• Integrated Data Systems: Modern tools enable seamless data integration from various sources.
• Real-Time Analysis: AI processes vast data quickly for continuous monitoring.
• Predictive Insights: Machine learning identifies patterns and predicts potential scenarios.

These advancements empower internal audit functions to conduct continuous risk assessments, ensuring agility and responsiveness and integrating data analytics and AI into risk assessment processes offering significant potential:

• Continuous Monitoring: Real-time data analysis allows dynamic updates to risk registers.
• Proactive Management: AI-powered solutions provide cognitive risk monitoring (using AI to continuously analyze data and identify emerging risks before they materialize) and continuous assurance

Such proactive approach supports internal audit's alignment with organizational goals and objectives.

Moving Beyond the Traditional Risk Matrix

The traditional risk matrix and annual (or even quarterly) risk assessment no longer suffice in today's complex environment where risks are interdependent and change so fast. Modern risks can affect multiple areas simultaneously, such as a cyber incident impacting IT systems, production, and sales and World's connectivity and interdependency allows for changes and ripple effects that spread faster and into many areas not previously considered.

To address these complexities, internal audit should enhance the traditional matrix by incorporating parameters like:

• Velocity: Speed at which a risk impacts the organization.
• Resiliency: The organization's ability to withstand and recover from risks.
• Recovery Time: Time required to return to normal operations post-risk event
• Risk interdependencies: Understanding instances where one event triggers a series of others, can help in anticipating those cascading effects across various business areas

Leveraging current technology to adopt an interconnected view of risks, similar to a spiderweb approach, provides a comprehensive understanding of how risks interact and compound.

Insights from advanced risk assessments significantly influence internal audit planning. Understanding the evolving risk landscape helps prioritize critical areas and allocate resources effectively. This strategic alignment ensures that internal audit addresses the most pressing risks facing the organization.

Adopting a multidirectional approach that combines top-down enterprise-level assessments with bottom-up analyses fosters a comprehensive view of risks across all organizational levels.

What holds Internal Audit back?

Great, I understand it, the technology exists and we are all on board that would be great for the organization and for Internal Audit... So, why most Internal Audit functions have not done it yet? Well, there are several challenges that limit Internal Audit's ability to execute more nuanced and evolved risk assessments and matrix frameworks, such as:

1. Disparate Data Systems - One of the significant hurdles is the presence of disparate data systems within organizations. These silos make it difficult for internal audit teams to access and integrate data efficiently, which is crucial for comprehensive risk assessments. Without a unified data system, auditors struggle to gain a holistic view of risks and interdependencies.
2. Insufficient Resources and Skills - Internal audit teams often face resource constraints, both in terms of manpower and expertise. The demand for analyzing more complex data sets and incorporating non-financial information into risk assessments requires additional bandwidth and specialized skills that many teams currently lack.This shortage is exacerbated by difficulties in attracting and retaining skilled auditors.
3. Rapid Technological Changes - The pace of technological advancements presents both opportunities and challenges for internal audit functions. While new technologies like AI and data analytics offer powerful tools for risk assessment, they also require significant investment in technology infrastructure and training for auditors to use them effectively.
4. Misalignment with Key Risks - There is often a misalignment between the internal audit plan and the organization's key risks. This misalignment results in exposure gaps where critical risks are not adequately addressed in audit plans. For example, cybersecurity remains a top risk, yet some organizations fail to prioritize it sufficiently in their audit coverage.
5. Interconnected Risks - The increasingly interconnected nature of risks poses a challenge as traditional risk assessment frameworks may not adequately capture the cascading effects of one risk on another. Internal auditors need to adopt more sophisticated models that consider these interdependencies to provide a more accurate risk assessmen

Conclusion

As risks continue to evolve rapidly, internal audit functions must adapt their approaches to remain effective. The integration of advanced methodologies and technologies is crucial for navigating today's complex risk environment. However, significant challenges persist, including disparate data systems, resource constraints, and the need for specialized skills.

Internal auditors must overcome these hurdles by investing in technology and fostering collaboration across departments. Aligning audit plans with organizational priorities and embracing a more interconnected view of risks will enhance their ability to provide strategic insights.

By addressing these challenges head-on, internal audit can not only keep pace with the changing environment but also drive strategic value for organizations, ensuring resilience and agility in an ever-evolving world.

References:

1. The Role of Data Analytics in Internal Auditing - Qooling Blog.
2. Internal Audit Must Step Up the Use of Data Analytics to Drive Risk-Informed Decisions - AuditBoard.
3. How to Apply Risk Velocity to Your Audit Risk Assessment - AuditBoard.
4. Risk in Focus 2024: Hot Topics for Internal Auditors - ECIIA.
5. Internal Audit Hot Topics 2024 Risks and Opportunities - Deloitte.
6. Key Risks to Consider by Internal Audit in 2024 - KPMG.
7. The Impact of the New Global Internal Audit Standards - CohnReznick.
8. The Top Risks Internal Audit Leaders Need to Know for 2024 - Schneider Downs.
9. The Internal Auditor's Guide to Risk Assessment - The IIA