The all-important link between audit maturity and risk management
25 February 2019
Many internal audit departments have been asking themselves the question: "Am I on the right path towards achieving my goals?" Over the years, internal audit has changed from an exercise in box ticking and reporting faults to one that places a much stronger emphasis on risk management. As the pace of technical, business and political innovation increases, so too does the rate at which the risk environment an organisation faces changes.
Whilst a rapidly changing risk environment can be extremely daunting, particularly when driven by technological risks such as cyber-attacks, data security breaches and other types of IT threats, it is in fact technology that can support Internal Audit in adopting a risk-based approach and ultimately increasing the audit department’s level of maturity.
Early-maturity audit teams have traditionally relied on manual systems, including spreadsheets and word processing applications, with reporting and communication on an infrequent or ad hoc basis due to the effort required. They are therefore unable to track and respond to changes within the underlying risk profile of the organisation, particularly in adapting the audit plan.
This itself increases organisational risk by:
The IIA internal audit maturity model provides a reliable and comprehensive scale that allows you to assess the overall maturity level of your audit team and identify actions you can take to advance by improving in some of the key areas and characteristics they have specified. By their definition, internal audit departments can be at a variety of stages of maturity:
- Initial: no stable system in place, critical information missing, no validation of results or focus on quality
- Repeatable: moderate system in place but not totally reliable, effective reporting and documentation is lacking
- Defined: stable and reliable system in place, audit methodology and processes are clearly defined, documented and standardised
- Managed: audit processes are highly effective, including data integrity, automated reports, continuous monitoring, and clear communication
- Optimised: continuous audit and monitoring processes in place, reliable data analytics able to demonstrate high level of quality, dynamic approach to emerging leading practices
An alarming number of internal audit teams find themselves stuck in the Initial or Repeatable stage, because they lack the resources, capabilities or know-how to identify and understand the risks to their business, take the steps required to mitigate them, and progress to the Defined, Managed or Optimised stages. It is important to note that audit maturity is a journey: no audit department can go from Repeatable to Defined overnight, and no audit department can realistically skip a level. In order to make meaningful and lasting improvements, audit departments need to honestly evaluate where they are on the scale, and make incremental changes to their methods.
An audit department that could be defined as being in the Initial stage may want to identify and assess its organisation’s key risks, including the impact and likelihood of those risks. It may also want to map those risks to its organisational structure, so it can see which areas of the business are most at risk. This requires at the very least a Defined level of maturity, which an audit department at the Initial stage can only begin to consider once it has made improvements to the level of the Repeatable stage. Similarly, an audit department in the Repeatable stage may be able to perform some basic risk assessment but lack the proper documentation necessary for effective reporting.
By casting a critical eye over key aspects of the audit methodology and process, as well as the system in place to manage work and data, audit departments put themselves in a much better position to enhance their audit maturity quickly and drive value to the rest of the business. Audit teams everywhere need to be considering how to adopt a sustainable, risk-based approach to internal audit, which is crucial to ensuring cohesiveness and clarity within your internal audit department and the organisation as a whole. Taking such an approach makes it much easier to manage work, which in turn delivers vital benefits, such as:
- Greater understanding of your organisation’s most critical risks
- Consistency and control over reporting risk to the Board
- Assurance that your people are aware of risk and act accordingly
- A robust audit management system you can rely on.