Need for audit risk assessment: how to conduct it


Some internal audit services face a number of challenges when conducting audits, chiefly a lack of time and limited resources. It is therefore difficult to cover all important areas of the audited business processes in a short period without losing quality or forgoing much of the audit's benefit.

Many business processes that are subjected to audit are cross-functional, involving multiple business units. A more detailed analysis of each unit (or sub-process) therefore requires additional resources.

To start an audit successfully, the internal auditor is advised to focus not on a unit-by-unit assessment of the performance of individual subdivisions (or sub-processes) but on identifying the risks inherent in the audited process as a whole. Once the risks have been identified, they must be assessed so that the most serious ones, those which can significantly affect the business, are singled out. The identification of the most important risks and areas can draw on the results of audits conducted in past years, the observations of the internal audit service, risk management data, additional data from the auditees, and so on.

Risk assessment also promotes transparent communication and effective dialogue with internal audit clients (CEOs, managers, board directors, shareholders, and auditees) on questions such as «Where is the risk?», «Where is the priority?» and «What should we pay attention to first?», and even on reports stating that there is no risk in sight.

Risk analysis is provided for by the standards of the Institute of Internal Auditors (IIA); it is one of the methods of the risk-based approach.

The following manuals and standards describe the risk assessment methodology:

Standards and guidelines:

International Standards for the Professional Practice of Internal Auditing:

2100 – The essence of the work of internal audit. Internal audit is an evaluation activity and should contribute to the improvement of the organization's corporate governance, risk management and control processes, using a consistent and systematic risk-based approach.

2210 – Objectives of the audit assignment. Objectives must be established for each audit assignment.

2210.A1 – The internal auditor must perform a preliminary assessment of the risks relevant to the activity being audited. The objectives of the audit assignment must not conflict with the results of that assessment.

Additional guidance from the Institute of Internal Auditors:

«Audit task planning: Definition of objectives and scope» (August 2017; «Engagement Planning: Establishing Objectives and Scope»).

During the planning stage, when the audit programme and the risk assessment are being drawn up, it is very important to communicate information to the auditors correctly: it should be clear, systematized, unambiguous and understandable to both the head of internal audit and the internal clients. One practical tool for systematizing the necessary data is the risk and control matrix. Such a matrix can be maintained throughout each audit and forms an important addition to the audit report.

The matrix consists of three main blocks, which are completed in the following sequence:

  1. Probable risk. The auditor compiles a list of the risks inherent in the business process as a whole and ranks them in order of priority (significance and impact on the business).
  2. Control procedures. During the audit it is determined which manual and automated control procedures (reports, regulations, inventories, reconciliations, segregation of duties, a «second set of eyes», etc.) the departments perform to reduce the chance of the risk materializing. Both the design of each control and its operating effectiveness (whether it is actually performed as designed) are evaluated.
  3. Residual risk. Based on the results of testing the effectiveness of the control procedures in the final part of the audit, a quantitative (or qualitative) assessment of the residual risk is carried out on a «probability – impact» basis.
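The three blocks above map naturally onto a small data model, so the following added example (not code from the article or from the IIA) builds a risk and control matrix in Python for a constructed purchase-to-pay process. The article names no scoring scale or reduction rule, so everything numeric here is an assumption of the example: probability and impact are rated 1 to 5, the inherent score is their product, each control that is effective in both design and operation lowers the probability by one level, the residual score is the adjusted probability times the unchanged impact, and the rating bands and the «missing control» / «excessive control» flags are simple heuristics meant to seed the closing discussion rather than a published method. The sample risks and controls are invented for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed scale for this example (the article names none): 1 = lowest, 5 = highest.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """Block 2: one control procedure and the two outcomes of testing it."""
    name: str
    automated: bool
    design_effective: bool      # the control, as designed, actually addresses the risk
    operating_effective: bool   # testing showed the control is performed as designed

    @property
    def effective(self) -> bool:
        # Only a control that is sound in design AND in operation earns credit.
        return self.design_effective and self.operating_effective


@dataclass
class Risk:
    """Block 1: a risk with its probability/impact rating and the controls mapped to it."""
    name: str
    probability: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        for value in (self.probability, self.impact):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: ratings must lie in {SCALE_MIN}..{SCALE_MAX}")

    @property
    def inherent_score(self) -> int:
        return self.probability * self.impact

    @property
    def residual_probability(self) -> int:
        # Assumed reduction rule: each effective control lowers the likelihood by one
        # level, never below the scale minimum; ineffective controls give no credit.
        effective = sum(1 for c in self.controls if c.effective)
        return max(SCALE_MIN, self.probability - effective)

    @property
    def residual_score(self) -> int:
        # Block 3: probability after controls times the (unchanged) impact.
        return self.residual_probability * self.impact


def rating(score: int) -> str:
    """Assumed bands on the 1..25 probability-impact product."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_matrix(risks: List[Risk]) -> List[Dict]:
    """Return one matrix row per risk, highest residual risk first."""
    rows = []
    for r in risks:
        effective = [c.name for c in r.controls if c.effective]
        ineffective = [c.name for c in r.controls if not c.effective]
        rows.append({
            "risk": r.name,
            "inherent": r.inherent_score,
            "inherent_rating": rating(r.inherent_score),
            "effective_controls": effective,
            "ineffective_controls": ineffective,
            "residual": r.residual_score,
            "residual_rating": rating(r.residual_score),
            # Assumed heuristics for the closing meeting: a residual "high" suggests a
            # missing control; several effective controls on a "low" inherent risk
            # suggests excessive control.
            "missing_control": rating(r.residual_score) == "high",
            "excessive_control": rating(r.inherent_score) == "low" and len(effective) > 1,
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"]))
    return rows


def sample_risks() -> List[Risk]:
    """Constructed purchase-to-pay sample; not taken from the article."""
    return [
        Risk("Payment to an unapproved supplier", 4, 5, [
            Control("Supplier master data approval", False, True, True),
            Control("Three-way match in ERP", True, True, False),   # well designed, not operating
        ]),
        Risk("Duplicate invoice payment", 3, 3, [
            Control("ERP duplicate invoice check", True, True, True),
        ]),
        Risk("Late VAT filing", 2, 2, [
            Control("Tax calendar reminders", True, True, True),
            Control("Manager sign-off on filing", False, True, True),
        ]),
    ]


if __name__ == "__main__":
    for row in build_matrix(sample_risks()):
        print(f"{row['risk']:<36} inherent {row['inherent']:>2} ({row['inherent_rating']:<6}) "
              f"residual {row['residual']:>2} ({row['residual_rating']:<6}) "
              f"missing={row['missing_control']} excessive={row['excessive_control']}")
```

Running the script prints the matrix with the supplier-payment risk at the top: two controls are mapped to it, but the three-way match failed its operating test, so only one earns credit and the residual risk stays «high», which is exactly the conversation the matrix is meant to trigger with the process owner. The VAT-filing row shows the opposite pattern, a low inherent risk carrying two effective controls, which the heuristic flags as a candidate for simplification.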

The experience of practising auditors shows that the risk and control matrix is a practical tool for both internal auditors and internal clients. It helps the auditor make recommendations for improving ineffective controls or for addressing the causes of the weaknesses identified during the audit, while keeping the risks in view.

The matrix is discussed when the audit results are handed over to the business process owners and other internal clients, since the assessment of the audited process's internal control system depends directly on the number of residual risks and their significance. Thanks to the matrix, the internal client can see the «whole set» of risks and controls of their process on virtually one sheet, discuss with the auditor the amount of residual risk, the missing and excessive controls and the control procedures that require improvement, and then agree on an effective plan of measures to eliminate the shortcomings revealed.

In addition, open and transparent communication with internal clients («being on the same page») is the key to increasing the value of internal audit and to its success in general.

This approach also helps to raise the level of the company's risk culture.
