Internal auditors don’t have an easy job. There’s more work to be done than can realistically be accomplished, and it can be hard to figure out where an audit plan should begin.
That’s why internal auditors need to view their audit plans with a risk management mindset. Risk management is all about prioritizing. It identifies areas that require the most attention so that the necessary resources can be allocated.
How does an internal auditor apply risk management to the audit plan? It starts with a simple question: What are you trying to accomplish?
The most common goal of an internal auditor is to ensure processes and results are compliant and trustworthy, but that can mean different things depending on the type of audit. Most financial institution audits fall into one of three categories:
Internal auditors at community size FIs are often responsible for operational and compliance auditing, with outside auditors handling financial reporting. That’s good news for the internal audit department since they already have a general understanding of risk management and compliance principles.
Several audits are required by regulation, law, or contract such as the BSA, SAFE Act, and ACH compliance. A good audit program will ensure required audits are scheduled annually or as required to ensure the institution has enough time and resources.
Required audits are not the only ones that should be performed on an annual or periodic basis. Each institution is unique and will have its own sets of risks.
Auditors know they should focus their attention on areas that pose a significant risk to the institution. This information can be found in risk assessments, supervisory guidance, prior examination/audit reports, and consumer complaints. Auditors should also consider the areas that have not been audited in a while and ensure those are given the proper weight while crafting the audit plan.
Compliance officers have a great saying—if it isn’t documented, it didn’t happen. But this cannot be truer than for auditors. Audits are meant to provide higher levels of assurance. That means auditors should not solely rely on verbal attestations. Instead, they should scrupulously obtain samples and evidence to back up assessments and findings.
Risk professionals understand the importance of bringing in different perspectives—whether for determining the inherent risk of a product or conducting a control assessment. Auditors should also leverage different perspectives when it comes to getting the full picture.
When attempting to understand a department’s processes, auditors should speak to more than just the department head. Department heads are great at knowing what policies or procedures state, but it is the actual workers who can tell you what they do on a day-to-day basis (which sometimes conflicts with a written document). Speaking to more than one individual can help auditors uncover process deficiencies or outdated policies.
Related: 5 Steps for Easing into ERM
What’s new around your organization? Sometimes new products and services make it out the door before being properly vetted. As an auditor, you want to make sure you identify any new product, service, or process that may change the risk landscape at your institution and include it in your audit plan. Then, ensure controls mitigating the risks of new products and services are audited and are effective or remediated.