9 minute read 28 Feb 2019

Five characteristics to disrupt the internal audit risk assessment process

By Lisa Hartkopf

EY Americas Risk Markets Leader

Strategic leader in transforming internal audit and controls. Generates energy and passion that can be leveraged in authentic ways to enable others to recognize their talent and potential. Mother.


Forward-looking internal audit functions should adopt five characteristics to focus more closely on results and value to the organization.

As organizations look to manage their expanding risk profile, it is becoming increasingly complex for internal audit functions to evaluate and monitor the breadth of the risks through traditional risk assessment activities. Historically, internal audit (IA) functions have had limited access to technology to leverage in completing the risk assessment, thereby resulting in a significant manual effort to gather and process the necessary data. As a result, many risk assessment processes may not be reaching their full potential in analyzing risk and providing value to the IA function and the organization as a whole. 

Forward-looking IA departments are disrupting their IA risk assessment process — they are not satisfied with the status quo, and they want better information and greater insight to drive their audit strategy and plan. 

These organizations’ departments are using technology to quantitatively assess and evaluate the risks and are innovating how they engage with key stakeholders. They are focused on aligning with the company’s strategic priorities and objectives, providing insights to the business and delivering value that impacts the organization in new and different ways. 

Leading IA risk assessments exhibit five primary characteristics within their IA risk assessment process: innovation, interaction, impact, information and insight.

1. Innovation

What will a leading-class risk assessment process look like in one year? Two years? Ten years? There is no one answer. Change will continue, requiring IA departments to innovate and deploy new processes, new technologies and new ideas. Challenge your IA teams to think about new and innovative ways to achieve a task or perform an activity that can help drive efficiency, effectiveness or greater value (or whatever objectives you are trying to achieve). To activate an innovation culture, the entire IA department needs to fully embrace the ideas and principles behind it. Common innovation programs focus on three key principles: evaluation, incubation and execution.

  • Innovation in practice

    Senior leadership at a multi-billion dollar global technology company gave IA a call to action: “As the business changes and adapts to an evolving industry, how will IA innovate and evolve to remain relevant and effective?” 

    The company was undertaking a significant multiyear transformation around its business model, portfolio and technology systems, and senior leadership needed IA to transform with them. 

    The team implemented a Collaboration Hub, which brought the department leaders together throughout the year to collaborate. The Collaboration Hub was a resounding success as it brought the team together under one common vision and charted its course for the next three to five years. It produced a reimagined IA risk assessment process, where the team identified exciting new ways to capture, evaluate and synthesize data on a real-time basis to drive better identification and evaluation of risks across the organization. The audit plan that was developed eliminated low-value rotational audits and instead included audits that were closely aligned to the top enterprise risks facing the company.

2. Interaction

When IA is able to drive meaningful and consistent interaction with key stakeholders across the organization and bring its own point of view on emerging risks, the result is a more thought-provoking dialogue and business discussion. When IA has a better understanding of the organization’s priorities, business objectives and risk profile, the result is a more targeted and valuable audit plan for the organization.

More frequent engagement (vs. a point-in-time or annual process) provides IA with greater insights and the opportunity to respond in a more timely manner to current and emerging risks and challenges.

  • Interaction in practice

    In one organization, IA was challenged with providing an IA plan that was responsive to the changing risk profile of the business. Under IA’s previous point-in-time risk assessment approach, a 9–12-month gap could exist between the IA risk assessment activities and the start of an audit. This gap resulted in changes to both internal and external risk factors, which impacted the relevance of individual audits. 

    A more interactive and iterative risk assessment approach was implemented using a 12-month rolling internal audit plan. IA shifted from conducting annual management interviews to engaging in a more dynamic and iterative meeting cadence with the key stakeholders and evaluating risks through the use of tools and technology. This adjusted approach included a monthly risk assessment meeting supported by monthly or quarterly conversations with key stakeholders across the organization.

    The impact of the new approach was significant. Key risks are re-evaluated and prioritized on a quarterly basis, contributing to a more flexible response to the business while also increasing the overall efficiency of the audit process. The frequent dialogue increased IA’s knowledge of the business and sharpened IA’s focus to allow for more impactful discussions and audit activities.

3. Impact

Exceptional interviews are driven by insightful, probing questions that expose the human element of risks and uncover the root causes.

Behavioral-based risk assessment questions examine how employees act in response to risks and controls and provide a common language to discuss and understand the impact the human element can have on the overall risk environment. These questions key in on two influencing forces — organizational and individual — that explain behaviors and their impact on outcomes.

  • Impact in practice

    The IA team at a large energy company was challenged to obtain more specific and impactful information from its risk assessment interviews. The historical process and approach had proven to be of little value, and the team was not getting at the root cause of risks and did not understand why certain risks were more prevalent than others. 

    The IA team executed risk assessment interviews and leveraged behavioral-based questions.

    The candid and more impactful feedback obtained drove better conversations and insights during the risk assessment process. The risk assessment interviews identified new risks (as well as root causes), requiring additional focus and attention by IA and management of the organization. These risks were discussed with executive management and resulted in an IA plan that was more responsive to the risks facing the organization.

When IA risk assessment activities proactively identify root causes and trends, the impact of the risk assessment becomes exponentially greater. 

4. Information

IA functions are continually challenged with how they aggregate information from multiple sources to enable greater buy-in and stronger alignment of the organization’s key risks and related audit plan.

Risk assessments of the past focused heavily on interviewing key executives within corporate and select business units. This often takes a lot of time, and the discussions are performed in silos where information and insights are not aggregated or evaluated across the organization. 

Collaboration tools help drive greater insight and feedback from a range of people across the organization. For example, a virtual collaboration platform is used to engage participants in the same room or across the globe in the IA risk assessment process, and participants can perform activities such as brainstorming, ranking and voting on key risk issues.

“A virtual collaboration platform can engage participants across the globe in the IA risk assessment process.”
Esi Akinosho, Houston Office Managing Partner, Ernst & Young LLP

  • Information in practice

    The IA team at a global, multibillion-dollar technology services company was challenged to design an approach to efficiently gather quantitative and qualitative data from “Layer 3” and “Layer 4” management. The historical approach had proven to be too isolated to senior executives, and the risks identified were at a macro level and did not enable the development of an effective IA plan.

    Using a collaboration tool, the IA team executed a series of risk assessment sessions with more than 100 participants from six continents, spanning business units and functions. These sessions were used to identify, qualify and rank key risks and to offer opportunities for management to provide other insights and perspectives relative to the company’s risk profile. While it would have taken several weeks for IA to go out and interview these personnel, the same interactions were accomplished in three days (at a reduced budget and with no travel).

    The insights gathered through the collaboration tool allowed the IA team to present results to the CEO and CFO, stratified by region and risk type. The CEO considered it an “aha” moment as the results implied that certain risks (which executive management was not focused on) were of higher concern to “middle management” and presented real challenges to the organization’s strategic priorities. 

    In addition, the qualitative text inputs helped identify areas of risk that had not been identified (or considered) in previous risk assessment activities, resulting in the development of a more value-added IA plan.

5. Insight

Data analytics and data visualization have been a hot topic for IA functions for a number of years. However, many IA functions have focused on using analytics only during the planning and execution of audits. Forward-looking IA functions are now leveraging data analytics to provide insights during the IA risk assessment process as a way to influence the nature of the audit plan and scope of specific audits.

IA functions are also using data visualization tools to aid in incorporating quantitative elements into the risk assessment process. These data sets are synthesized and visualized into “risk dashboards,” which are then leveraged to help IA functions maintain an understanding of key performance metrics, changes in the business and changes in the risk profile. 

Progressive IA functions are beginning to introduce prescriptive analytics, thereby determining which decision or actions will produce the most effective results against a specific set of objectives and constraints. Tools for prescriptive analytics include optimization, business rules automation, and real-time learning decision models, which can be used on a continuous basis to identify key risks or red flags. 

To drive insight, start small (e.g., analytics for a function, division or process vs. an entire business unit) and get a few quick wins with the data analytics program. For instance, identify the one or two divisions or processes where descriptive or predictive analytics can be deployed and then expand from there. Then look for ways to further advance your use of data analytics, for example, expansion into other business units, increased complexity and customization.

  • Insight in practice

    Historically, the IA function at a global industrial products company visited most of its international locations at least once every three to five years.  The IA team was challenged with how to get better insights to drive greater efficiency and effectiveness with its international audit plan. 

    The IA team developed a strategy and approach to perform data analytics on several of the core audit areas (e.g., sales, revenue, inventory, disbursements, fixed assets and payroll) as part of the risk assessment process. The results feed a “location risk profile.” The team leveraged its risk assessment interviews and other qualitative data, combined with 12 to 18 months of quantitative data, to develop a risk score for each international location.

    The resulting risk score would dictate the nature and extent of substantive or controls-based internal audit work that the team would perform (e.g., no additional testing, limited testing, on-site full testing) in a given year.

    The team is planning to leverage the three weeks saved to redeploy the IA team to other higher-risk areas across the organization. 


When implementing the approaches and processes discussed above to disrupt the IA risk assessment process, it is important to take a broader view of risk. Not all risks are negative; for example, many of the new innovative technologies drive significant benefit to the organization, and the reward of taking risk needs to be analyzed. To be successful, organizations will need to shift their focus from simply mitigating downside risk to embracing new upside opportunities.

Striking this balance requires embedding risk and controls into strategic decision making within the front-line businesses and multifaceted approaches to the portfolio of risk.

As organizations reflect on their risk assessment process and look ahead at the evolving risk landscape, there are many opportunities to adapt, evolve and innovate. 

For some IA departments, these will primarily involve enhancements to the existing process, whereas other IA functions will choose to make more substantial and disruptive changes to their risk assessment process and related activities. 

Observing these five characteristics can help change the IA risk assessment process from a routine check-the-box exercise to results-oriented and value-based activities delivered by a highly effective and value-focused internal audit department.


The importance of internal audit risk assessments cannot be overestimated. Leading internal audit functions should disrupt their own process by adopting five characteristics that will help them bring a more innovative and value-driven IA risk assessment to the organization.
