Focus on what matters

Lessons from a former auditor, Part II

Previously, I focused on the fundamental concepts of how internal auditors can better implement a risk-based audit approach. This time, I’d like to revisit a few of the key concepts I discussed, while also weaving in some of my own experiences, trials, and tribulations to help make those points a bit stickier.

Concept 1: The IIA Standards are Packed with Risk Guidance

Every internal auditor (hopefully) is quite familiar with the IIA Standards, more formally known as the International Standards for the Professional Practice of Internal Auditing. These are the guideposts for the profession, and anyone who practices should know them and strive to live by them. In developing the webinar content, I went to the primary IIA Standards document and searched for the term “risk”; my search returned 60 results, with 13 more in the glossary. What I also found was that the concept of “risk” appears in multiple contexts. Combing through the Standards reminded me of my time studying for the Certified Internal Auditor (CIA) certification exam. I was a few years into my career and knew that this would be a good way to strengthen the capabilities I was developing.

Back in college (and shortly thereafter) I sat for the CPA exam, and that muscle memory served me quite well in this instance. While the exam requires a pretty broad knowledge base, a big part of it is rooted in understanding the IIA Standards. So as you can imagine I read them, read them again, studied them, read them backwards, fell asleep on them and then studied them some more. I figured that knowing the foundation on which everything else was based would set me up for success, and wouldn’t you know it, I was right! What I learned in the process is that the IIA Standards are chock-full of valuable information, particularly about how auditors should consider and evaluate risk. From my search, I noted the following items of particular interest:

  • 1220.A3 Due Professional Care states that auditors must remain alert to risks impacting the organization’s objectives.
  • 2010 Planning requires that the CAE establish a risk-based audit plan to determine the audit department’s priorities.
  • 2100 Nature of Work instructs IA to evaluate and contribute to the improvement of the risk management program using a risk-based approach.
  • 2120 is actually called RISK MANAGEMENT, and it stipulates that IA must evaluate the effectiveness of, and contribute to the improvement of, risk management processes.
  • The 2400/2500/2600 Series focuses on how you communicate the overall risk posture, including situations where management chooses to accept identified risks.

Like I said, understanding the foundation helped me translate what I was doing from an abstract concept to something more meaningful. This leads me to my next concept…

Concept 2: Internal Audit Is Well Positioned to Lead by Example

I am what you might call a late bloomer. It took a while but I finally feel like I’m coming into my own with this whole “being a professional” thing. I share this because in my early days as an internal auditor I didn’t really grasp the concept of why we were doing what we did, let alone how we were helping drive a risk-focused culture in our organization. I realize that some of this comes with age and experience, but this is one of those classic cases of, “I wish I knew then what I know now”—oh, the audit reports I could have written!

Kidding aside, I do think it’s important for every person to find meaning and purpose in what they do. This doesn’t just apply to internal auditors or business professionals. Everyone should be able to understand why what they do is important, no matter how small their part may seem. Everything is contextual, and when placed in the proper context everyone’s contributions are vital.

Even though I didn’t realize it at the time, I was a key member of teams that were key components of organizations striving to meet their goals. In hindsight, I realize that there were things I was doing that were helping us accomplish those goals.

We started by working with the Board and management to understand from their perspective the risks and opportunities that mattered to them. Their perspective served as a foundation for understanding how we could best assist them in measuring and managing risk.

We then had our Audit Universe against which we performed regular risk assessments, allowing us to lend an independent yet informed perspective regarding what mattered to the organization and where our time was best spent.

Finally, we would go deep by performing project-level risk assessments so we could define the specific risk areas that were present within those areas that we were responsible for evaluating. This ensured that every sample tested, every conclusion reached and every issue noted was aligned with something that was meaningful to our stakeholders.

Now that I’ve used hindsight to see that I was playing my part to drive a risk-focused culture, I can apply foresight to determine where internal audit is headed in terms of contributing to the overall effectiveness of Risk Management in their organizations.

Concept 3: Internal Audit Evaluates the Effectiveness of Risk Management Programs

One thing the IIA has been pretty clear on in recent times is that internal audit is expected not only to consider the risks impacting the organization but also to evaluate the overall effectiveness of the organization’s own risk management program and processes. While this guidance is relatively new and still open to interpretation, internal audit is well positioned to provide this oversight, and it can do so most effectively by following the same approach it follows in any other situation:

  • Understand the underlying methodology that drives the risk management program. If there is no underlying model supporting management’s efforts, internal audit can direct management to an accepted framework such as ISO 31000 or COSO ERM.
  • When risks are identified and measured, there should also be a clear set of actions being taken to respond to those risks. Internal audit can evaluate the appropriateness of these response procedures.
  • As with any audit or evaluation, communicating results to leadership is key. It is important that leadership understands the value of these practices, including the critical nature of any gaps or exposures in the program.

From a personal standpoint, since working in the GRC software world I have come to appreciate how seemingly disparate units within any organization are inextricably linked. There is no “black box” that your process feeds into and disappears. Helping everyone see how what they do affects those around them is a key step in instilling a risk-focused culture in an organization, and internal auditors can help drive this point home in their daily work.

About the author

Jason Rohlf
Vice President at Onspring
20 years of internal audit & GRC experience