Question: What is the best way to develop a more continuous monitoring approach to our internal audit and risk assessment practices?
Answer: “Best practices say that looking at risk once a year just isn’t going to cut it,” answers Susan Ulrey, an internal audit and compliance practice leader for two CPA consulting firms.
Ulrey offers the following ways to decide how often it makes the most sense to conduct a risk assessment:
1. Take baby steps when figuring out the frequency of conducting internal audits and risk assessments. Determine what makes sense so that you’re not burdening the management team and yourself. Taking baby steps is often the right way because you probably don’t have the resources to hire someone full-time who just monitors risks, Ulrey says.
2. Break it down into more bite-size pieces. For instance, is there something that you can do every six months or every quarter that isn’t too laborious from a time perspective? This could be as simple as conducting a focus group or sending out a questionnaire to identify risks, Ulrey notes. Or you could do some data mining around key metrics within your organization.
3. Assign staffers as liaisons to different business units in your organization. For instance, you might assign someone on the internal audit/risk assessment team to be the liaison who works with IT, or with billing, or with health and safety, Ulrey suggests.
The liaison could attend the other department’s staff meetings to stay current on what’s going on, Ulrey says. You can create a “two-way street,” exchanging information back and forth between the risk assessment team and the other departments in your organization.