Time is of the essence for a new internal audit department. Where are the fires? Hello, first risk assessment.
Introduction
Okay, so you just got hired as the Chief Audit Executive for a company that needs a new internal audit department. That’s a big deal! Now, you’re in charge of setting everything up from scratch. You’ll be creating the policies and procedures, planning resources and budgets, and performing the first risk assessment.
You’ve met with essential people and introduced yourself to the external auditors, but now you’re wondering what’s next. The answer is simple: do a preliminary risk assessment ASAP!
This is crucial because you can’t create your department and plan your approach until you know the company’s most urgent needs.
Think of it like this: you’re on a remote island, and you want to assess all the dangers. But, before you even start, you see that there is a gigantic den of venomous snakes living 10 meters away from the village’s broken fence. Yikes! You can’t waste time, say, evaluating a bridge three miles away when there’s an immediate danger right in front of you.
The purpose of this blog is to guide you through your first risk assessment as a Chief Audit Executive. Time is of the essence, so you need to act fast so management can tackle any pressing issues. Here’s how we’ll do it.
New Internal Audit Department Pre-requisites
Before you begin documenting any risks, you should perform these steps.
Gather Information
You can do some of this prior to your first day of employment. Before you even start assessing the risks, you need to gather all the information you can. This is like getting a map and compass before heading out on a hike. You want to know what you’re dealing with so you can plan your route effectively.
You can gather information by googling, reading SEC filings and company documents, talking to employees, and even checking out the company’s competitors.
Establish Authority
As the Chief Audit Executive, you need to make sure you have the authority to make decisions and implement changes. Secure approval and backing from the Audit Committee and executive leadership.
Build an internal audit charter that explicitly explains your duties while allowing the committee to demonstrate their appreciation of independence.
Relationship Building
Building strong relationships with key players in the company is crucial to your success.
By talking to the audit committee, executives, general counsel, and external auditors, you’ll learn more about the company’s needs and be able to spot possible risks.
Depending on the size of your organization, it should take about two weeks to finish these requirements.
Identify the Fires
Be Direct
Ask your new relationships about current fires. When identifying the current fires in the company, don’t be afraid to ask the people who know the most. This is like a fire alarm going off in a building: if you want to know what’s going on, you have to ask the people closest to the situation. Ask the audit committee, executives, general counsel, and external auditors about any urgent issues that need to be addressed.
Identify Available Company Resources
Once you know what the fires are, it’s time to figure out the resources to put them out. You must evaluate the company’s organizational structure, financial resources, and competing priorities.
The fewer resources there are, the less management can do to mitigate risks.
Identify basic controls (or lack thereof)
The next step is to find out what controls are in place to prevent these fires from happening. Think of sprinkler systems in a commercial building. You need to identify any basic controls that are currently in place and inquire as to their effectiveness. You don’t have time to test the effectiveness at this point.
Danger Ahead
Analyze the Company’s Business Model & Strategies
Once you have a handle on the current situation, it’s time to start looking ahead. You want to be proactive about identifying potential risks. This is like a weatherman predicting a storm. You want to know what’s coming so you can prepare.
You need to analyze the company’s business model and strategies. These will help you identify potential dangers ahead. Focus on the next 90 to 120 days in the beginning – you can expand on this later.
Other Key Initiatives
Another way to identify potential risks is to look at other key initiatives the company is undertaking. If there’s a big change happening in the company, it can have a ripple effect and create potential risks. You need to be aware of other initiatives underway and evaluate their potential impact.
Evaluate the Industry Environment
The next step is to look at the industry as a whole. You need to evaluate the industry environment to see what changes may be coming and how they may impact the company.
Review Regulatory Changes and Compliance Requirements
As a Chief Audit Executive, it’s essential to keep an eye on regulatory changes and compliance requirements that may impact the company. This is like following traffic laws on the road. Just as you need to know the speed limit and stop signs, you need to be aware of any changes to regulations that may impact the company.
An example could be that the company is expanding into a new region with different regulations. In this case, it’s important to understand the compliance requirements in that region and ensure that the company is fully prepared to comply with them before entering the market.
It’s also essential to review the company’s current compliance processes to ensure they are adequate and effective. This is like getting your car inspected before a long road trip. You want to ensure everything is in good working order so you don’t run into any problems down the road.
The First Risk Assessment
If you did not find any urgent fires or dangers ahead, lucky you! You can ignore the rest and instead go work on your internal audit policies, standards, and possible audit software. You have more time to perform a more comprehensive and detailed risk assessment before presenting your findings and requests to the audit committee.
But for the rest of us…
Keep it Simple
Great, by now, you’ve identified some fires and upcoming dangers. Chances are, you know the top three or four priorities by now. The fires tend to jump out at us after so many years in the audit role. But whether they do or not, let’s document your findings. This will help with your initial request for resources.
Time to get organized and not overcomplicate this concept. Put the risks on paper, Excel, Sheets, whatever… Now include the following information for each risk:
1. Inherent risk based on likelihood and significance. I know this is subjective and oversimplified, but again, we don’t need to be super precise here.
2. Yes or No – Do we already know we’re non-compliant or otherwise significantly underprepared to mitigate the risk?
3. Regardless of the answer to #2, assuming we have no controls in place, how long do we have to remediate before risks show their teeth and investors take notice?
Prioritize
If there are more than a handful of urgent needs, good luck. Better call in some reinforcements pronto.
To make things easier, prioritize your risks. This is like triaging patients in a hospital. You want to address the most critical risks first and then move on to the less pressing ones. You need to assess the impact, likelihood, and urgency of each risk and determine which ones require immediate attention. It’s subjective. Trust your instincts and experience.
Preliminary Plan
Once you’ve prioritized the risks, it’s time to develop a short-term plan. This is like creating a blueprint for a building. You need to have a plan in place that outlines how you’re going to evaluate the company’s controls for each risk. You should include details on what you’re going to do, the level of effort (LOE) required, and the general timing.
Internal Audit Resourcing
What resources are needed to accomplish your plan?
It’s not your job to put out the fires. Instead, view your job as providing management with fire safety equipment and best practices. We assure the Audit Committee that management is aware of and controlling each of the critical risks.
What will it take to provide that assurance? Make sure to consider the timing – it may take more resources to provide this assurance quickly. This depends entirely on your specific situation.
Do you have many risks you need to address simultaneously? Ask whether it makes more sense to hire employees or engage third parties. Contractors are often used in the beginning until the internal audit function is more established.
Inform the audit committee and Request Resources
All that hard work! Time to summarize the results in a pretty PowerPoint. Make sure to coordinate with leadership and the audit committee regarding expectations for resource requests.
If you’ve performed all the steps in this article and you can illustrate such in a deck – you’re good to go. One of two things will happen. Either you’ll get the resources you need, or the audit committee will acknowledge their higher risk appetite by providing you with less than you asked for.
Conclusion
Conducting a preliminary risk assessment as a new Chief Audit Executive is crucial in order to effectively create and implement an internal audit department. By gathering information, establishing authority, building relationships, and identifying current and potential risks through a variety of methods, you can ensure that the company is prepared to tackle any pressing issues and proactively manage future risks.
This process may take a few weeks, but the end result will be a well-functioning internal audit department that provides valuable insights and recommendations to management. By staying aware of regulatory changes, compliance requirements, and industry trends, the department can continue to adapt and evolve to best serve the company’s needs.
Have you built an internal audit function from scratch?
Let me know in the comments below.