Internal Audit is uniquely positioned as the only team with purview across all business functions and the independence to provide unbiased insights into the organization’s risks. With the advances in risk assessment technology, internal auditors can gain new perspectives and provide better assurance to their organizations by using dynamic risk assessments.
At the most recent Audit & Beyond conference, a group of panelists discussed technology-forward transformation to modernize the company’s internal audit function. In this informative session, Marissa Carducci, Principal of Product Solutions, Financial Services, AuditBoard, and Megan Duggan, Risk Consulting, EY and EY-AuditBoard Alliance Leader, discussed why the dynamic risk assessment is so vital to the company’s internal audit function and steps that organizations can take to get started.
Multidimensional View of Risk
During the conversation, Megan Duggan explained the benefits of starting with a multidimensional view of risk. In most risk assessments, the organization is represented as a flat, hierarchical structure with risks impacting each area. While this model has been around for decades, risks do not exist in a silo. Megan points out, “With a multidimensional view of risk, we can understand the interconnectedness of risk throughout the organization. The internal audit team can visualize each risk as it rolls up at the organizational level, and they can drill down to the entity level.” With a macro and micro view of each risk, key stakeholders can see the impact of each risk on their parts of the organization.
One way to provide this level of understanding is through tailored digital reporting. By sharing a comprehensive view of risks through persona-based digital reporting, the team delivers critical information to people when and how they need it most. Marissa Carducci provided a simple roadmap for maturing the risk assessment process. She said, “Start with the quantitative data you can access and capture qualitative information. Next, turn qualitative data into quantitative data that can be mapped into the assessment by associating the data to each risk. Finally, weight your inputs with custom scoring models that provide the flexibility to mature over time.” Marissa’s essential advice was to get started now and not let the fear of complexity prevent your progress.
Starting and Maturing a Dynamic Risk Assessment
Finally, Megan Duggan from EY synthesized the conversation by discussing starting and maturing a dynamic risk program. She echoed Marissa’s sentiment – just get started. She said, “Use whatever operational data and key performance indicators (KPIs) are available and assign thresholds to these metrics. Then, map the metrics to the risk universe and turn these into the first key risk indicators (KRIs).” Once you have the data, turning it into a KRI means you can use it again, increasing the return on data acquisition investment.
Over time, the process matures into a continuous monitoring process that the first or second line of defense can absorb. The organization can realize several benefits from this approach, including:
- Increased productivity
- Identifying emerging risks within the organization
- Improved insights into the organization
- Better assurance through integrated risk management
- Cross-team collaboration
While each organization is unique, internal audit leaders can adapt the same approach to fit their circumstances.
Continuous Assurance for Shifting Risk
The conversation during this session highlighted challenges faced by all modern organizations. The risk landscape is shifting and changing constantly, and traditional risk assessment approaches built on simplistic organizational hierarchies are no longer sufficient. Internal auditors need to understand the interrelated nature of risks across business functions by incorporating a dynamic, comprehensive, data-driven approach to provide continuous assurance. Otherwise, we are stuck in a siloed view of risks and missing the bigger picture.
Learn more about Dynamic Risk Assessment solutions powered by AuditBoard and EY here.