Earlier this week I watched a webinar put on by the Audit Director Round­table, a great resource for internal auditors, titled Enter­prise Risk Audit Planning.

If you follow me on Twitter, you might have seen this:

@neilmcintyre: IT problems for Audit Director Round­table delay the start of the Enter­prise Risk Audit Planning webinar

The problem was that the large group attempting to log in to the presen­tation were jamming the confer­encing phone system. It was sorted out within 10 minutes of the scheduled start time. Good problem to have, really.

I was intro­duced to ADR when I joined the world of internal audit in May 2008 and have been taking advantage of the site’s features ever since, such as case studies, internal control question­naire (ICQ) templates, audit department bench­marking tools and example audit work plans.

Today’s webinar was valuable to me because it focused on how five companies’ internal audit groups are dealing with the challenge of providing assurance over strategic risk. This is a topic that I have championed in my capacity as an internal auditor, and the companies in the webinar were actually walking the walk.

Some of the highlights:

• One group enabled management to better identify and assess complete risk infor­mation by devel­oping a tool that required them to drill down from higher level risks to their lower level compo­nents. What I liked in particular about the tool was that it discouraged the tendency to choose medium likelihood and medium impact (what they called “midpointing” although I’d never heard the term) by making those assess­ments lead to a “signf­icant” rating.
• Another group credited management for its efforts in identi­fying processes which were well-controlled versus those that were less well-controlled, by tailoring the assurance strategy to the former. Simply the act of identi­fying a poorly-controlled process would spur management to implement the necessary controls, at which point the process would migrate to the well-controlled side.
• Yet another group maps the principal risks identified at a high level to each applicable business process to ensure adequate coverage. Internal audit focuses on the processes involved in executing on the strategic prior­ities, to provide assurance that those risks are well-controlled.

I enjoyed the webinar because it took what can be a challenging theoretical problem and showed examples where leading internal audit groups are concretely addressing the concerns of management over the key risks driving the perfor­mance of the business.

How are you imple­menting practices like these to provide assurance over the risks that primarily drive enter­prise value?