Connected Risk Quick Start Guide for Internal Audit and Controls Leaders

Risk rarely stays isolated in one silo. A change in one area of the business can create risk in a second area and require support from a third. Risk management is a team sport: business leaders must work with many different functions to succeed.

A connected risk approach aims to address the gap between rising risk management demands and limited resources by dismantling silos, fostering alignment across teams, enhancing collaboration and information sharing, unifying data, and automating essential processes. Organizations can strengthen business resilience in a dynamic risk environment by empowering internal audit, InfoSec, risk management, and compliance leaders to advance connected risk across the business while enabling leadership to make better risk-informed decisions. 

In this article, we break down the crucial first steps to get started with connected risk, including: 

  • a vision for internal audit and controls leaders who step forward to advocate for connected risk across the enterprise
  • foundational projects to tackle first
  • connected quick wins internal audit is well-suited to initiate
  • key partners to reach out to along the way. 

Our aim is to offer best practices and projects that will position you to successfully spearhead a connected risk approach in your organization. 

Check out the other articles in our Connected Risk Quick Start Guide series for fellow key roles in information security, compliance, and risk management — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.

The Connected Risk Report: Uniting Teams and Insights to Drive Organizational Resilience

Snapshot: The Forward-Thinking Internal Audit & Controls Leader

The modern, progressive internal audit and controls leader is focused on more than just their audit and control responsibilities. Depending on the organization, this leader’s role often involves a combination of SOX, information security controls testing, managing corporate activities, and ERM. The leader accomplishes these activities as efficiently as possible while proactively allocating resources to the areas that matter most to the business.

Progressive audit leaders’ audit plans reflect the organization’s top risk profile, and their audit and SOX processes are efficient and agile. This leader has successfully built the business case for purpose-built technologies — e.g., audit management solutions, data analytics, AI, etc. — to support and drive their audit, risk, and control activities and has implemented these solutions. 

Within the company, this leader advocates for the value of strong risk management and controls and champions the message that better controls equal better business performance. 

Because the CAE (chief audit executive) or controls leader carries multiple responsibilities, runs a risk-forward audit plan or controls program, and has a history of being seen as a vocal advocate for risk and controls, this leader is best positioned to drive their organization’s connected risk strategy.

Foundational Internal Audit and Controls Projects to Tackle Before Connected Risk

Internal audit and controls’ history of helping with risk work and testing controls positions them well to help drive connected risk. But before they can do so, they should focus on two key areas.  

Optimize SOX & Other Controls Activities: If your internal audit function is responsible for SOX and other controls, are you doing everything you can to ensure the team performs its responsibilities as efficiently as possible? Are you proactively seeking ways to automate processes and reduce time spent on heavily administrative activities? As our two-article series explains, you can uplevel your function’s SOX approach by focusing on six core tenets. 

Optimize Internal Audit Activities: According to AuditBoard’s report, Internal Audit’s Expanding Role: The Foundation for Connected Risk, only 13% of internal audit functions believe they have a well-optimized internal audit process. Are you tracking the effectiveness of your audit plan? Are you aligning your audit activities to your organization’s top risks, and are you able to pivot when necessary? 

Connected Risk Quick Wins for Internal Audit and Controls

Win 1: Consolidated Issue Tracking Processes in Your Organization. Audit subjects often find themselves rehashing the same findings with several different teams, which leads to stakeholder fatigue. Consolidating the issue management processes run separately by information security, compliance, internal audit, and ERM (including risk remediation plans) should therefore be an easy sell, because it removes duplicated effort across those teams. Internal audit is a natural candidate to lead this work due to its independence and pre-existing expertise in the issue management process. 

Win 2: Unified RCM. Establishing a universal risk and controls matrix is foundational for connected risk activities, and the simplest way to start is by identifying every area of the business that has documented controls. Given internal audit and controls’ existing involvement with those controls, the connected risk leader should lead the process of identifying the common data points (e.g., description, frequency, control type) and formally consolidating them into a common controls library. Risks are usually documented less formally than controls, so mapping controls to business risks doubles as an exercise that formally documents those risks and produces a universal risk register. 

Win 3: Link ERM Risks to Audit Planning. While internal audit and ERM have traditionally performed separate risk assessments, a connected risk leader will ensure that internal audit has access to ERM’s risk assessment outputs so that audit activities can be linked to the business’s top risks. The risk assessment performed over the audit universe and the one performed over ERM’s risk universe should also be reconciled to each other. This shared visibility lets the audit team bring a unified view of the business’s top risks into their audit scoping.
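To make Wins 2 and 3 concrete, the following is an added example (not code from the original article or from AuditBoard) that merges control lists documented separately by three teams into one common controls library, derives a risk register from the control-to-risk mappings, and then reconciles ERM’s rated risks against the audit universe. The team names, control ids, risk names, ratings and field names (`control_id`, `frequency`, `control_type`, `risks`) are constructed sample data and assumptions, not taken from any real RCM.

```python
"""Common controls library and ERM-to-audit reconciliation (added example).

All control lists, risk ratings and audit universe entries below are
constructed sample data; field names are assumptions for illustration.
"""
import re
from collections import OrderedDict

# Constructed sample: the same controls documented by different teams with
# cosmetic differences (case, trailing punctuation), plus one unique to each.
SOURCE_CONTROLS = {
    "SOX": [
        {"control_id": "SOX-ITGC-01", "description": "User access to the ERP is reviewed quarterly.",
         "frequency": "Quarterly", "control_type": "Detective", "risks": ["Unauthorized access"]},
        {"control_id": "SOX-ITGC-04", "description": "Changes to production are approved before deployment.",
         "frequency": "Per change", "control_type": "Preventive", "risks": ["Unauthorized change"]},
    ],
    "InfoSec": [
        {"control_id": "IS-AC-3", "description": "User access to the ERP is reviewed quarterly",
         "frequency": "quarterly", "control_type": "detective", "risks": ["Unauthorized access", "Data breach"]},
        {"control_id": "IS-BC-1", "description": "Backups are restored and tested annually.",
         "frequency": "Annual", "control_type": "Detective", "risks": ["Business disruption"]},
    ],
    "Compliance": [
        {"control_id": "CMP-PRIV-2", "description": "Changes to production are approved before deployment",
         "frequency": "per change", "control_type": "preventive", "risks": ["Unauthorized change"]},
    ],
}

# Constructed sample: ERM's rated risk universe and the planned audit universe.
ERM_RISKS = [("Unauthorized access", "High"), ("Data breach", "High"),
             ("Business disruption", "Medium"), ("Vendor concentration", "High")]
AUDIT_UNIVERSE = {"ERP access audit": ["Unauthorized access"],
                  "Change management audit": ["Unauthorized change"]}


def normalize(text):
    """Lowercase, strip punctuation and collapse whitespace so the same control
    documented by two teams with cosmetic differences compares equal."""
    text = re.sub(r"[^\w\s]", " ", text.lower())
    return " ".join(text.split())


def control_key(control):
    """The common data points that identify a control across teams."""
    return (normalize(control["description"]),
            normalize(control["frequency"]),
            normalize(control["control_type"]))


def build_common_library(sources):
    """Merge team-owned control lists into one library keyed by a common id.
    Duplicates collapse into one entry that records every source id and owner
    and the union of the risks each team had mapped to the control."""
    by_key = OrderedDict()
    for team, controls in sources.items():
        for c in controls:
            entry = by_key.setdefault(control_key(c), {
                "description": c["description"], "frequency": c["frequency"],
                "control_type": c["control_type"],
                "owners": [], "source_ids": [], "risks": set()})
            entry["owners"].append(team)
            entry["source_ids"].append(c["control_id"])
            entry["risks"].update(c["risks"])
    library = {}
    for n, entry in enumerate(by_key.values(), start=1):
        entry["risks"] = sorted(entry["risks"])
        library[f"CCL-{n:03d}"] = entry  # common control id (assumed format)
    return library


def build_risk_register(library):
    """Invert the library: each risk -> the common controls that address it."""
    register = {}
    for ccl_id, entry in library.items():
        for risk in entry["risks"]:
            register.setdefault(risk, []).append(ccl_id)
    return register


def reconcile(erm_risks, audit_universe, risk_register, threshold="High"):
    """Flag ERM risks rated at or above threshold that lack either a mapped
    control or a planned audit, so scoping can be adjusted."""
    ranks = {"Low": 1, "Medium": 2, "High": 3}
    audited = {risk for risks in audit_universe.values() for risk in risks}
    gaps = []
    for risk, rating in erm_risks:
        if ranks[rating] < ranks[threshold]:
            continue
        gap = {"risk": risk, "rating": rating,
               "controls": risk_register.get(risk, []), "audited": risk in audited}
        if not gap["controls"] or not gap["audited"]:
            gaps.append(gap)
    return gaps


if __name__ == "__main__":
    lib = build_common_library(SOURCE_CONTROLS)
    reg = build_risk_register(lib)
    for ccl_id, e in lib.items():
        print(ccl_id, e["owners"], e["source_ids"], e["risks"])
    for g in reconcile(ERM_RISKS, AUDIT_UNIVERSE, reg):
        print("GAP:", g)
```

With the sample data, the two controls documented by more than one team collapse into single library entries that keep both teams’ ids, and the reconciliation reports “Data breach” (a control exists but no audit is planned) and “Vendor concentration” (neither a control nor an audit) as high-rated gaps, which is exactly the kind of finding Win 3 is meant to surface for audit scoping.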

Take Action: Identify Partners Across the Organization

Who else in your organization has documented controls? Who manages their own issues? Who performs their own risk assessments? IT, InfoSec, Compliance, Legal, and Privacy are all possible answers. 

These are the people with whom internal audit and controls teams should partner first, because they already understand risk and control activities. Obtaining their buy-in should not be difficult: by offering to lead the charge, internal audit and controls are proposing to improve processes and create efficiencies that benefit those partners’ own teams.

Consider sharing the other articles in our Connected Risk Quick Start Guide series with your fellow risk stakeholders in information security, compliance, and risk management — and download the Connected Risk Report for the full findings from AuditBoard and Ascend2’s survey of 514 GRC professionals in the U.S., UK, and Ireland about their approaches to connecting risk management data, people, processes, and technology across the enterprise.