As a CAE for many years, I would develop my plan based on an assessment of the organization’s risks that I would complete. The process would typically include:
· Building an "inventory" or list of risks to assess, organized in categories such as Strategic, Compliance, Financial, Operational, IT, Ethics and Fraud, External, etc.
· Meeting with senior management in each HQ and operating area to obtain their views on which are the more significant risks, and how they should be assessed (using a simple low/medium/high scale for both likelihood and impact).
· Adding our own internal audit assessment of risk levels (considering factors such as the history of control failures, the experience level of management and key staff, etc.).
· Reviewing the resulting matrix or heat map with the CEO and CFO.
· Building the periodic audit plan to address the more significant risk areas, focusing especially on those where we believe we can add value.
· Meeting with the audit committee to discuss both the risk assessment and the audit plan.
In hindsight, I missed an opportunity and may have been guilty of reinforcing "wrong" behavior.
I believe it is management’s responsibility to identify and assess risks to the organization. Although I later added chief risk officer responsibilities, for the first 10 years or so as CAE only internal auditing provided the board (or committee of the board) with an enterprisewide assessment of risks.
On reflection, I wish I had pressed management to take responsibility for the risk identification and assessment process. I missed the opportunity to advocate for risk management. But, at least I made them "own" the assessment in the last few years.
Does your internal audit function provide the board (or audit committee) with the only enterprisewide assessment of risks it reviews? Are you enabling management to "shirk" its responsibilities by doing this?
I am interested in your views on this.