As internal auditors we recommend an inventory of risks and mitigating activities to any organisation we provide assurance over, to help them manage their risks in a structured and transparent way. Internal audit functions also face risk, and as outlined in Implementation Guidance 2120, internal audit has a responsibility to actively manage its own risks, including risks relating to the audit opinion and those associated with running the function.
An internal audit risk register helps the head of internal audit (HIA) manage key risks and should be seen as a complementary tool to quality control, quality assurance and continuous improvement initiatives. This guidance will explain how the risk register tool can be utilised to help manage risk holistically, and serve as an umbrella for monitoring the various types of audit risk.
Similar to the broader organisation, internal audit also has a risk appetite threshold. Often, this threshold emerges organically as part of the risk register development, through discussions to determine the actions to be taken as a result of the identified risks. This discussion and dialogue between those involved in the risk register development is key, however a fully defined risk appetite threshold is not necessary prior to the start of the exercise. The audit committee, under delegated authority, determines the risk appetite for internal audit services.
A risk register serves one primary purpose, which is to provide a central repository for all identified risks to the internal audit function so they can be transparently managed in a sustainable fashion, helping the function to meet its objectives. These objectives (and therefore also the content of the risk register) should be aligned to the strategy of the function.
The maturity of the organisation and the internal audit function will also impact the risk register; a new internal audit function or one with a new HIA is likely to have a different set and number of risks than a function which has been established for a number of years. The risk register will also be affected by the size and complexity of the organisation the internal audit function sits in.
Before embarking on the development of a risk register, it is therefore key that the HIA takes a holistic look at the risk management tools already in use within the organisation to avoid duplication, inconsistency and maximise efficiency.
The same principles apply to internal audit as for the broader organisation as to what constitutes a good risk register.
Minimum content should include:
Additional components are possible and can be added, however each component of the risk register needs to serve a purpose for the internal audit function to avoid unnecessary administrative overhead associated with risk monitoring.
It is recommended that the risk register process is formally documented since it is likely that more than one person owns content, which will help avoid confusion around roles and responsibilities. A single individual needs to be responsible for ongoing maintenance, however the internal audit function should identify and allocate ownership for each mitigating control to the person closest to the control operation – unless the internal audit function is very small, these responsibilities are not likely to sit with the same person.
The minimum components are outlined below in more detail.
Note: In an environment of high change, it may be more efficient and generate a better outcome to have separate risk registers for each project above a certain size, eg if it has its own governance body, as this will enable more granular consideration of the specific risks associated with the project. For smaller or more mature/stable internal audit functions, a single risk register will suffice.
A risk register is to management of the internal audit function what a risk and control matrix is for the management of an individual audit – an overview of the key risks and the controls that mitigate those risks, enabling the reader to understand at a glance where the gaps are. The starting point is therefore identification of the detailed risks facing the function. All key risks should be included, but the internal audit function should recognise that these risks may change over time – for instance non-delivery of a major business change project may be a temporary risk, whereas lack of suitably skilled staff may be an area that requires ongoing attention.
The risk statements need to be at a level of granularity that allows for mapping of individual controls to the risk, as this will help to determine if control gaps exist. While content will vary from internal audit function to internal audit function, typical examples include lack of appropriate or insufficient skills to execute the audit plan.
Each risk should also have a unique reference if the risk register is large. Additionally, each detailed risk statement may also be allocated to a risk category if the risk register is substantial in size and/or if the internal audit function has management information reporting needs from its content. Ideally the taxonomy used by internal audit will be the same as that of the organisation, however if this is not possible (eg due to the immaturity of the 1st and 2nd lines of defence), a mapping between the two should be made available. Categorisation may help with identifying themes and areas where dedicated attention is needed but should at all times be aligned to the value the internal audit function will get from including this as required content.
Each risk must be mapped to one or more controls that seek to mitigate the risk. A unique reference code can be included for each control if the register is large or has a number of owners. Each control can also be linked to the relevant part of the IPPF or regulatory requirement, where applicable, especially if there is no separate Quality Assurance and Improvement Programme (QA&IP) that performs the same function (see Standard 1300 for more on QAIP).
Quality risks can also be included in the risk register, such as the issuance of incorrect or unsubstantiated audit opinions, or untimely report issuance. If quality-related risks are included, it is recommended that the relevant controls are the existence of, a formally documented methodology and specifically its quality control requirements, and/or a QA&IP, with each of these components containing the full detail of additional internal controls – this helps to avoid duplication between the risk register, the methodology (and other procedure documents) and the QA&IP.
A control owner should be specified for each control. This is the person who is closest to the control operation day-to-day. The owner is responsible for confirming the ongoing accuracy of the control description and the control results (at a frequency agreed within the internal audit function, though it is recommended that this is at least annually. The control owner would usually also be the person responsible for any actions as a result of the control assessment.
Each control needs to be assessed for its ability to mitigate the risk it is mapped to. While there are many ways in which this assessment can be performed, a traditional way is to perform both a design assessment (to determine the extent to which the control mitigates the risk on paper, either on its own or in conjunction with other controls) and an assessment of operational effectiveness. It would generally be expected that the standard methodology of the internal audit function would be applied for this exercise.
If the results show that additional action needs to be taken, for instance as a result of a missing control, this needs to be clearly documented as a separate step to enable tracking of progress against the actions so that the control results can improve over time. Some risks have a greater impact than others if they materialise, so it may be helpful to differentiate the control results where these are negative and/or where remediation resources are stretched. This impact assessment can then be used as a way to prioritise where remediation efforts should be made first.
Regular review and monitoring of the action status against a risk is key, and a regular review of the document to ensure that the appropriate risks and actual controls have been captured should be integrated into the business as usual function, rather than being seen as a separate standalone exercise that takes place at set intervals. Typically, this review should take place no less than every 6 months to prevent the document from becoming outdated.
The risk register owner is responsible for ensuring that the control owners review the completeness and accuracy of the risk statements, the controls, the control results, and that the appropriate action is being taken for any gaps/weaknesses – including the pace of remediation.
A single individual should be made responsible for the risk register to ensure the document is reviewed holistically, to prevent duplication and help drive the appropriate remediation efforts across the function. This is particularly important in larger organisations where actions might overlap and the risk register owner can help with action co-ordination and timing. As part of the maintenance process, the control owners should also be encouraged to consider QA&IP results to ensure these are aligned with the risk register.
The risk register along with other tools is a good source of information to assist the HIA in informing planning, resource requirements ie capacity and capability, the budget and to identify skills gaps where co-sourcing may be required.
Attribute Standard 1111 says that the HIA must communicate and interact directly with the board (audit committee). Whilst there may be many opportunities to communicate and interact with the audit committee, the HIA should ensure that the internal audit risk register is on the agenda for discussion, so that the audit committee are aware of the risks faced by the internal audit function, and how they are being addressed.
Risk register owner: John Smith
* Separate columns can be added to provide a full control description, if necessary
A risk register will help to manage the risks to the internal audit function systematically and robustly. By focusing on key risks to the function, it is a mechanism that helps drive holistic risk management across internal audit. It also helps show that internal audit is part of the organisation and follows the same good practice which internal audit teams recommend to management through its internal audits.