A version of this article was previously published in the 2023 edition of the Callahan Credit Union CPA Guide.
For credit unions, internal audit plans have historically been handled by one department performing a specific process—as opposed to taking a more holistic approach to how operational frameworks and related controls are evaluated.
As the risk landscape for financial institutions evolves, more external risk factors emerge in addition to already pressing internal risks. These can include higher interest rates, cybersecurity incidents, regulatory changes, market volatility, and natural disasters.
Discussed below is a macro approach for identifying the organization’s audit universe, assessing risks within the business lines, and building an internal audit plan that provides more value to the institution.
What Internal Risk Factors Do Credit Unions Face?
Besides these new external factors, credit unions also face numerous internal risks, including those that come with the added expectations of a remote workforce and rising compliance costs. As member bases become more diverse, the audit function’s role within the organization can also become more complicated, not only in effectively performing its protective function but also in how it can add value to the business.
Additionally, regulatory agencies have increased expectations regarding information reporting related to how risk assessment aligns with the institution’s enterprise risk profile.
What Is the Value of an Internal Audit Plan?
Beyond identifying process deficiencies, an internal audit can help you comply with operational procedures and regulatory requirements, or simply help assess your internal controls related to finance, operations, or compliance.
An internal audit plan can help streamline operations, promote stakeholder confidence, identify gaps, and detect fraud for your organization. Start with a holistic view of risks and identify how those risks could impact each business line, then form an internal audit plan to help internal auditors:
- Provide useful insights to management
- Improve methods for protecting information and data assets
- Identify competitive advantages or operational efficiencies that could be achieved by the organization
How to Develop a Risk Assessment Approach
Risk-based internal auditing links planned internal audits to the organization's overall risk management framework.
Through the audit risk-assessment process, an internal audit function identifies and evaluates the impact and likelihood of the different risks in an organization and informs how well internal controls mitigate these risks.
Risk assessment should be a recurring, systematic process for identifying and evaluating events that could impact strategic objectives positively or negatively.
An internal audit risk assessment is an evaluation of risks related to the value drivers of the organization—covering strategic, financial, operational, and compliance objectives.
It’s also used for considering how risks impact stakeholder values, which helps define the audit plan and determine the key risks to monitor.
Four key parts of the risk assessment process are to:
- Identify the nature and scope of the business units within the institution—a necessary step in creating the risk universe, which refers to the total population of risks within each business unit and provides the basis for risk rating exercises.
- Understand and assign key risks to each business unit.
- Measure risk impact and likelihood.
- Implement the risk assessment report.
Below are some key steps of the risk identification process.
Read Your Annual Financial Statements Notes
Executive management should list and describe the significant risks that could impact the company’s ability to meet strategic objectives and financial goals. Each of these risks should be captured and included in the risk universe.
Risk identification may also include conversations with executive management. The risks identified should align with strategies and objectives, which in turn should focus on identifying each business unit.
Understand and Assign Key Risks to Each Business Unit
After all business units have been identified, the next step involves understanding and assigning key risks to each. If done effectively, the risk assessment will produce actionable strategies that make meeting objectives more likely.
Examples of business units include:
- Accounting or finance
- Treasury services
- Branch operations
- Risk management
Measure Risk Impact and Likelihood
Assess and quantify applicable internal or external risks within each business unit, including impact and likelihood.
The risk universe can be used to populate a risk assessment survey. Multiple levels of management will assist in completing the assessment by rating each risk on two criteria, risk impact and likelihood.
Risk impact criteria include:
- Financial loss
- Reputational damage
- Regulatory exposure
Senior leadership should determine impact levels to agree on the rating definitions of high, medium, and low.
Risk likelihood is based on how probable it would be for an identified risk to occur.
Risk events are typically rated using qualitative terms—such as frequent, likely, possible, unlikely, and rare—and can be determined by either percent probability or frequency.
Risk Likelihood Versus Risk Impact
Risk likelihood and risk impact should be assessed independently of each other. While a risk could potentially cause a significant impact, that doesn’t automatically make its occurrence more likely.
The institution should determine risk likelihood definitions following the same procedure as risk impact to create agreed-upon definitions.
Risks can be categorized as internal or external:
- Internal Risks. These risks are fully within the institution’s control and exist at every level of the institution, department, team, or project. Examples include internal control maturity, policy and procedure accuracy, changes in products, and turnover in key management positions.
- External Risks. Conversely, these risks are beyond the institution’s control and include interest rate risk, credit risk, reputation risk, compliance risk, and legal risk.
The data from the risk assessment survey provides the information necessary to complete a first pass at risk rating and comparative ranking. This will form the basis of the next step—the management interviews that provide an opportunity to validate or refine the risk ratings.
This dialog with management provides important commentary on the risk ratings. The interviews also offer the opportunity to uncover specific areas of concern that may not be obvious from the survey. These can include fraud, conflicts of interest, ethics policy violations, and projects the internal audit should consider.
An effective internal audit risk assessment would ideally analyze the key risk functions for an organization and the key risks within them to prioritize the auditable business units within the audit universe.
The risk rating of each business unit usually determines the frequency of the internal audit engagements in more traditional audit plans.
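The scoring steps described above (rating each risk on impact and likelihood, keeping the two criteria separate, refining the survey result after management interviews, ranking business units, and mapping the rating to an engagement frequency) can be expressed as a small script. The following is an added example, not code from the article or from Moss Adams; the numeric scales, the survey responses, the "rate a unit by its worst risk" rule, and the frequency thresholds are all constructed assumptions that an institution would replace with its own agreed-upon definitions.

```python
from collections import defaultdict
from statistics import mean

# Qualitative rating terms mapped to numeric scores (constructed assumption;
# the institution defines these in its own rating definitions).
IMPACT_SCALE = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD_SCALE = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "frequent": 5}

# Constructed sample survey rows: (business unit, risk, rater, impact, likelihood).
SURVEY_RESPONSES = [
    ("Branch operations", "Cash handling fraud", "branch-mgr", "high", "possible"),
    ("Branch operations", "Cash handling fraud", "cfo", "high", "unlikely"),
    ("Branch operations", "Staff turnover", "branch-mgr", "medium", "likely"),
    ("Accounting or finance", "Financial reporting error", "controller", "high", "unlikely"),
    ("Accounting or finance", "Financial reporting error", "cfo", "medium", "rare"),
    ("Treasury services", "Interest rate risk", "treasurer", "high", "likely"),
    ("Treasury services", "Interest rate risk", "cfo", "high", "possible"),
    ("Risk management", "Policy and procedure accuracy", "cro", "low", "possible"),
]


def score_risk(rows):
    """Average impact and likelihood across raters separately, then combine.

    Impact and likelihood are kept apart until the final product so that a
    high-impact risk is not treated as a more likely one.
    """
    impact = mean(IMPACT_SCALE[r[3]] for r in rows)
    likelihood = mean(LIKELIHOOD_SCALE[r[4]] for r in rows)
    return impact * likelihood


def rate_business_units(survey, interview_overrides=None):
    """Rate each business unit from the survey, applying interview refinements.

    interview_overrides maps (unit, risk) -> (impact, likelihood) terms agreed
    in the management interviews; an override replaces the survey average for
    that risk. A unit is rated by its highest-scoring risk (constructed rule).
    """
    overrides = interview_overrides or {}
    by_unit_risk = defaultdict(list)
    for row in survey:
        by_unit_risk[(row[0], row[1])].append(row)

    unit_scores = defaultdict(float)
    for (unit, risk), rows in by_unit_risk.items():
        if (unit, risk) in overrides:
            impact, likelihood = overrides[(unit, risk)]
            score = IMPACT_SCALE[impact] * LIKELIHOOD_SCALE[likelihood]
        else:
            score = score_risk(rows)
        unit_scores[unit] = max(unit_scores[unit], score)
    return dict(unit_scores)


def audit_frequency(score):
    """Map a unit rating to an engagement cadence (thresholds are constructed)."""
    if score >= 10:
        return "annual"
    if score >= 5:
        return "every 2 years"
    return "every 3 years"


def build_audit_plan(survey, interview_overrides=None):
    """Rank business units highest-risk first and attach an audit frequency."""
    ratings = rate_business_units(survey, interview_overrides)
    ranked = sorted(ratings.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(unit, round(score, 2), audit_frequency(score)) for unit, score in ranked]


if __name__ == "__main__":
    for unit, score, cadence in build_audit_plan(SURVEY_RESPONSES):
        print(f"{unit:<24} rating={score:<5} audit {cadence}")
```

Running the script ranks treasury services first on the constructed data (high impact, likely-to-possible), so it lands in the annual tier, while the two low-scoring units fall to the three-year tier; passing an `interview_overrides` mapping shows how a management interview that revises one risk's terms moves that unit in the ranking without touching the survey data.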
By planning and executing internal audit assignments around risk, the internal audit function can communicate to the board regarding the risk management process and their relationship with the defined organizational risk parameters.
Implement Risk Assessment Report
The internal audit plan should be developed around the strategic need to protect the organization from identified risks.
The internal audit risk assessment report summarizes the steps completed, presents the risk ratings, and describes any findings resulting from the assessment. Executive management can use the report to help with decision-making, while department management can use the findings to improve risk mitigation strategies.
The report also helps in designing an internal audit plan that aligns with the highest risks. The audit committee and executive management typically want an internal audit focusing on the highest risks of the company.
The risk assessment allows the internal audit to create a plan that aligns with the strategic objectives, meeting the needs and expectations of the board, executives, stakeholders, and shareholders.
The internal audit function uses the results of the audit risk assessment to create a risk-based internal audit plan that focuses on the business areas with the most significant risk exposure, while also giving low-risk areas adequate audit coverage. After the audit risk assessment is complete, the audit committee puts the plan into action.
It’s important to consider the expectations for completion within a given year while being flexible enough to address emerging risks during the year.
Monitor for Changing Business Environments and Emerging Risks
Changing business environments necessitate that risk be assessed at least annually, if not continuously, as it’s easy to ignore the unknown.
Examples of recent emerging risks include cybersecurity, pandemic or disaster response, and economic and financial distress. Because there’s little existing literature or data, emerging risks are difficult to assess, making it harder for the internal audit function to assist and add value.
Risk assessment is a recurring, systematic process for identifying and evaluating the potential risks and opportunities that could impact achieving strategic objectives. An annual risk assessment exercise could be considered the bare minimum.
Your organization’s audit plan should always be adaptable to the changes in the operating landscape of the organization.
Rolling audit plans are becoming the norm, as thorough planning alone is no longer enough for the internal audit function to add value.
We’re Here to Help
For guidance on building an internal audit plan and conducting a risk assessment, contact your Moss Adams professional.
You can also visit our Financial Services Practice or our Financial Services Consulting pages for additional resources.