Hello! We are currently in the process of building a risk management department at the institution I work for. We are wanting to conduct an Internal Audit survey for our different departments on different areas of risk for them. We have found a format for the Survey but was curious if anyone had examples or resources for questions that you would include on the survey that goes out to all the departments? Or does your institution utilize one general survey and other departments just reply NA if it doesn't apply to their department? Just trying to gather some ideas for questions the survey. Thank you in advance for any help you have!

On our side, IA does their own, independent audit risk assessment which they use to plan their audit schedule, auditable hours, etc. As the heads of various BU's, IA doesn't request that much information from us. Occasionally they will ask for "As of" of certain KPIs and KRIs, but that's it.

Separate of the above, our ERM team sends RCSA's to each BU Head, and the RCSA's request a lot information, along with current data points for all relevant KPIs and KRIs. This information is used to complete an ERM Dashboard which is distributed at risk committee and board meetings.

Originally we had a universal RCSA and certain items would be marked as N/A when appropriate. After some regulatory criticism, the ERM team came back with tailored RCSA's to each BU. The RCSA's are very in-depth, and the ERM team will conduct periodic reviews of the responses and data we provided. It's a very in-depth process and we spend a lot of time with our CRO to make sure everyone is aligned and on the same page.

On an annual basis, I will meet with our Executive Team to discuss risk and their concerns. I might then meet individually with various members of management to discuss their concerns about risk and the various business units. This information may help me in updating my IA Risk Assessment. Plus it gives me a chance to interaction with the Executive Team as a group. Ultimately, I (Director of IA) owns the Risk Assessment but I do like to get management's input and their perspective on risk.