13 June 2025

How To Build A Broader Risk View For Your Government

MGO CPA LLP


Key Takeaways:

  • Many state and local governments still approach internal audit risk assessments with a narrow, accounting and/or compliance-focused lens — leaving them vulnerable to emerging threats like cybersecurity, digital disruption, and workforce challenges.
  • A modern risk assessment should go beyond finance to cover a broad range of risks, combining data, executive and senior management input, and informed judgment to build a clear, actionable audit plan.
  • By rethinking how you assess risk, you can turn internal audit into a strategic driver of resilience, accountability, and long-term success for your government.

State and local governments navigate a complex web of service delivery, public accountability, and financial obligations. This operating environment can be strengthened through the second and third lines of defense, including internal audit. However, many internal audit functions still focus narrowly — concentrating on accounting and compliance. That limited view might leave you vulnerable to the most disruptive risks ahead.

Cybersecurity threats. Human capital issues. Fraud, waste, and abuse. Business continuity and service delivery continuity. Digital transformation. These are no longer hypothetical concerns — they're realities shaping how governments operate. To truly safeguard your organization, it's time to broaden your risk horizon and rethink how you approach internal audit risk assessments.

Why a Broader View of Risk Matters Now

Internal audit plays a critical role in identifying where your organization is vulnerable and where it's thriving. But too often, risk assessments are rooted in yesterday's threats. The Institute of Internal Auditors' "Risk in Focus" report paints a clear picture: the top risks projected by 2028 aren't limited to financial reporting or policy compliance — they include cybersecurity, digital disruption, regulatory change, human capital, business continuity, and market changes.

If your current risk assessment process is overlooking areas like technology implementations, talent shortages, or reputational threats, you're not getting the full picture. And that means your audit plan may be missing the very areas that need your attention most.

What Makes a Strong Risk Assessment?

At its core, a good risk assessment involves more than ticking boxes. It should be dynamic, forward-looking, and grounded in both data and professional judgment. Here's how to rethink your approach:

1. Understand Your Risk Universe

Your risk universe should go beyond accounting and finance. A strong assessment covers a broad landscape of risk categories, including:

  • Operational
  • Technology and cyber
  • Strategic
  • Compliance
  • Human capital
  • Reputation
  • Fraud
  • Public services
  • Governance
  • Safety

These areas are just as critical as your accounting and finance-related risks. The key is to build an audit universe that reflects your organization's full risk profile — from billing errors in your tax collection system to gaps in emergency preparedness.


2. Build Your Audit Universe with Intention

Your risk assessment process should start with understanding your organization inside and out. That means:

  • Reviewing org charts, budgets, and annual financial reports
  • Conducting surveys and interviews with key stakeholders
  • Documenting key functions, strategic initiatives, and capital projects

The goal is to build a living document — an audit universe — that's functional, relevant, and tied to your organization and risk landscape.

For example, when assessing information technology-related risks, traditional areas of focus might include IT general controls (such as access controls), cybersecurity, and IT governance. By broadening the risk universe, you might also include department and functional-level risks (such as technology risks specific to an airport or police/sheriff department), IT strategy, large IT system selection and implementation efforts, data privacy, artificial intelligence, third-party risk management, and more.

3. Address What You Might Be Missing

Even strong internal audit teams can fall into patterns. But in our experience working with government clients, we're seeing a few risk areas consistently overlooked:

  • Digital disruption and AI: Are you ready for rapid changes in tech?
  • Human capital and organizational culture: Do you have the talent to run the organization today and into the future?
  • Business continuity: Do you have a plan, and has it been tested?
  • Strategic planning: Are day-to-day actions and decision-making tied to long-term goals?
  • Capital projects: Are you managing large-scale efforts with adequate oversight?

Take time during your assessment process to scan for these gaps. Addressing them now could help you prevent a costly surprise later.

4. Make It Both Art and Science

Risk assessment isn't just about crunching numbers — it's a balance between structured scoring and informed judgment.

Use both quantitative (e.g., likelihood and impact scales from 1–10) and qualitative (e.g., low/moderate/high risk) methods to rate risks. The resulting score (likelihood × impact) gives you a sense of where to focus.

But remember, numbers alone won't tell the full story. Talk to department heads. Ask about upcoming initiatives, funding concerns, and staffing realities. The insights you gather will shape a more accurate, actionable audit plan.

Assessing and scoring risk is key to identifying how internal audit can add value.

5. Use Risk Assessment to Drive Action

A risk assessment isn't just a list. It's a tool to drive internal audit strategy.

Once your risks are scored and prioritized, use the data to create a risk-based audit plan. This should guide your audit activities for the year, aligning internal audit efforts with your organization's top priorities.

Risk Management Is Everyone's Business

Risk isn't something internal audit owns alone. It's shared across departments, leadership teams, and service areas. By broadening your perspective and harmonizing your risk-related activities — whether it's internal audit, enterprise risk management, or strategic planning — you build a stronger, more resilient government.

Risk will never disappear. But with a clear view of the landscape and a strong internal audit foundation, you can face the future with confidence.

