Public sector organizations are under increasing pressure to identify all risks they face: social, ethical and environmental as well as reliability of reporting (financial or otherwise), compliance, and operations (including performance and value for money). In addition, they must be able to explain and demonstrate how they manage these risks to an acceptable level.
Auditors play a critical role in this evolving and increasingly complex landscape. As an organization’s independent and objective line of defense, auditors provide reasonable assurance on the effectiveness of governance, risk management, and internal control, including how management achieves risk management and control objectives.
At the core, government audit functions have three typical objectives:
• Provide independent and objective assurance to key stakeholders on governance, risk management and internal control;
• Identify and address emerging risks and avoid surprises for government entities; and
• Foster public trust in government.
With these objectives come risks that could impede their achievement. Below are five key emerging risks that could negatively impact the value that public sector audit provides.
Inability to identify emerging risks
No surprises means NO surprises. If risks are popping up and key stakeholders are caught off guard, opportunities are being missed. Gone are the days of creating audit plans that cover two to three years, or even one year, in advance. Public sector auditors must audit “at the speed of risk.” By employing various methods of continuous risk assessment, auditors must have the flexibility to adjust their audit plan as new risks are identified or as the likelihood and impact of risks change.
In fact, in the IIA’s 2015 Pulse of Internal Audit report, 46 percent of respondents indicated that they were only moderately, slightly or not at all confident in their ability to assess risks continuously. Fifty-two percent, meanwhile, agreed that internal audit’s biggest challenge in continuously assessing risks is its ability to identify emerging risks and incorporate these into the audit plan.
Misalignment with stakeholder expectations
Stakeholder expectations shift as their understanding and perception of risks change. With this come changing expectations of the role of the audit function. While some auditors are still focused on financial and accounting risks, stakeholders are becoming more concerned with areas such as reputational risk, program performance and cybersecurity.
If auditors are not adjusting their plans to align with stakeholder expectations, they risk being perceived as not adding sufficient value to the organization. In a 2014 survey, KPMG reported that only 40 percent of Audit Committee members believe internal audit has the skills and resources to be effective in the role they envision.
Inadequate assurance on key risks
Success with providing adequate and accurate assurance on key enterprise risks originates with the risk assessment. Is it comprehensive, collaborative and dynamic? At the engagement level, success is dependent on assessing risks during engagement planning, deploying the right resources with sufficient knowledge and experience, and communicating and coordinating with audit clients throughout the engagement. Success culminates with an effective quality assurance and improvement program ensuring that the audit function is adhering to professional audit standards in its practices.
Lack of adequate resources
When audit departments are understaffed or under-skilled, risk assessments and audit plans tend to be limited to what can be achieved with those limited resources. In high-performing audit functions, staffing, resources, and, ultimately, the audit plan are driven by enterprise risks, not the other way around. Chief Audit Executives (CAEs) need to allocate resources based on risks and articulate the specific impact of staffing shortfalls to key stakeholders. CAEs should also consider a strategic approach to staffing the audit function, including succession planning, training plans, co-sourcing, outsourcing, and rotational programs.
Lack of expertise to address key risks
Auditing specialized risks requires specialized expertise. No audit function can address every risk with equal acumen, and as the focus continues to shift away from traditional accounting and financial risks to a variety of emerging risks, it is critical that auditors understand and address their existing capabilities. Auditors should start by identifying existing competency gaps, then framing a knowledge management strategy to address the gaps. Most importantly, auditors should avoid areas where they lack the necessary competence to perform an effective audit. Instead, maintain your credibility by bringing in the expertise you need through new hires, co-sourcing, or outsourcing.
Government auditors are the guardians of public trust and play a critical role in ensuring government agencies have implemented effective governance, risk management, and controls to mitigate risks to an acceptable level. To foster this public trust and be perceived as valuable to the organization, auditors must be aware of and manage risks that threaten effective services.
IIA International Conference, July 5-8 in Vancouver, B.C.: www.theiia.org