Internal Audit: Understanding the risk assessment of the internal audit universe

By Steve Bruce CA

29 May 2018

Main points

  • Risk assessments are the foundations of an effective internal audit department although common pitfalls should be considered.

  • Robust risk assessments will help inform which internal audits should be performed and when, including the most appropriate audit products to use and required skillsets.

  • Risk assessments should be dynamic and updated as and when key new information is available - not simply left to an annual refresh.

This article is the second in a series with the aim of stimulating discussion and providing insight for Audit Committees, executive management and internal auditors about the internal audit cycle.

Why risk assess your internal audit universe?

The previous article, Internal Audit: Understanding the audit universe and the journey to risk maturity, discussed whether internal audit should establish an internal audit universe or place reliance on an enterprise-wide risk assessment process. This article focuses on the case where internal audit has decided to create and maintain its own audit universe.

Internal audit assesses the risk of each auditable entity within the internal audit universe to help determine its priority and therefore when the internal audit should occur. This risk assessment is based not only on current known information within your organisation but also on the external environment, e.g. evolving regulations and emerging risks. From this, a quarterly, semi-annual or annual Audit Plan can readily be produced by internal audit.

What is the most effective way to risk assess an audit universe line?

The internal audit profession has no standard approach other than that it should be appropriate to the size, complexity and risk profile of your organisation. Each internal audit department will develop its own methodology to assess the risk of auditable entities and ultimately produce an Audit Plan. Although risk assessment is a subjective process, the risk assessment framework does need to be applied consistently. Typically, a documented risk assessment for each auditable entity may include:

  • Background information, such as business objectives and organisational structure.
  • Financial information, such as revenue and costs.
  • System architecture.
  • Results of previous audits, including any key findings and open issues.
  • Scope of the auditable entity, i.e. a clear statement of which key business processes and IT systems are in scope, to avoid duplication or, worse, anything ‘falling through the cracks’, and
  • Detailed risk assessments of each risk category (see table below).

The table below provides an illustrative example of a detailed risk assessment for an auditable entity (each organisation will define and use different risk categories):

Note: A few internal audit departments assess at the inherent risk level and do not consider the control environment in their risk assessment.

The documented risk assessment needs to clearly justify the rating of each risk category above, e.g. why is Impact rated as Medium for the Operational risk category? Your internal audit department should have developed quantitative and qualitative criteria to help determine this. Additionally, internal audit may develop an ‘algorithm’ or formula to calculate the overall residual risk score for each auditable entity.

Continuing this example, and applying the illustrative table below, the overall residual risk score for the auditable entity (750 in the example above) results in a risk assessment of High for this auditable entity, which would require the audit to be performed, e.g., every twelve months.

This is just one approach to constructing an audit plan, albeit a common one. When developing the ‘algorithm’ or formula to calculate the overall residual risk score, some calibration of the initial results is likely to be required to avoid unrealistic outcomes, e.g. 80% of your auditable entities scoring at the High risk level.

Additional benefits

As the illustrative table above suggests, the results of the risk assessment may also inform internal audit whether a full-scope internal audit is required or whether some other internal audit product would be more appropriate, such as a key control review or continuous monitoring for lower-risk auditable entities.

Additionally, the Audit Plan (and the time budgets estimated to complete each internal audit or audit product) informs internal audit and the Audit Committee of the quantity and quality of internal audit resource required to deliver the Audit Plan, e.g. total internal audit headcount, the split between business and IT auditors, and subject matter experts to help in highly technical areas.

What common pitfalls should be avoided?

There are many, but some points to consider are:

  • Will you ‘double count’ the same risk across two or more risk categories? For example, the risk of breaching anti-money laundering regulations could potentially apply to the Legal & Compliance, Reputational or Financial risk category. Pick one risk category and apply it consistently; otherwise you may artificially overstate the risk score, i.e. potentially audit one auditable entity too frequently to the detriment of auditing another;

  • Develop a consistent approach to scenarios where internal audit intentionally addresses only part of the scope of the auditable entity. How do you track and document this? Do you consider the auditable entity to be covered, and therefore not due to be audited again until the next cycle? Your Internal Audit Policy and Procedures should provide guidance on this.

  • Where an audit of an auditable entity is required by law or regulation, should you risk assess and score that auditable entity as if it were not a regulatory required audit, or simply override the overall risk assessment score to ensure it is audited at the prescribed frequency? Either way, the audit still needs to be carried out at the regulatory required frequency, but by adopting the former method you can easily quantify the extra ‘burden’ of performing regulatory required internal audits.

How do you know the risk assessment is correct?

You can never be sure, due to the subjective nature of a risk assessment. However, if you consistently follow your audit methodology and clearly justify your risk ratings, then an independent party will at least understand your thought process, and the Audit Committee will have the opportunity to review and challenge all the residual risk scores relative to each other.

The results of the risk assessment and the draft audit plan are usually subject to an intensive socialisation process with management and external audit. Ultimately, the risk assessment, the draft audit plan and any noteworthy comments from management during the socialisation process should be presented to the Audit Committee for its review, challenge and approval.

Risk assessments should be updated as and when key new information becomes available, and not simply limited to a once-a-year exercise. Often, internal audit departments implement a quarterly continuous monitoring programme, which helps to promptly identify new information, emerging risks etc. A significant change in a risk assessment during the year could mean that a planned internal audit is no longer due in the current year and is therefore deferred from the Audit Plan, or that a proposed new audit is added to the current year’s Audit Plan. Any proposed intra-year changes to the Audit Plan would be expected to be presented to the Audit Committee for its challenge and approval.

Summary

An effective and consistently applied risk assessment process is critical if internal audit is to develop a truly risk-based Audit Plan. Internal audit policy and procedures, training, and internal audit’s practice and quality assurance teams all play a key role in achieving this. However, it is also important that your internal audit staff are encouraged to share feedback and identify potential improvements to the risk assessment process. Risk assessments are the foundations of an effective internal audit department.
