Internal Audit: Understanding the risk assessment of the internal audit universe
This article is the second in a series with the aim of stimulating discussion and providing insight for Audit Committees, executive management and internal auditors about the internal audit cycle.
Why risk assess your internal audit universe?
The previous article titled Internal Audit: Understanding the audit universe and the journey to risk maturity discussed whether internal audit should establish an internal audit universe or place reliance on an enterprise-wide risk assessment process. This article focuses on the case where internal audit has decided to create and maintain its own audit universe.
Internal audit assesses the risk of each auditable entity within an internal audit universe to help determine the priority, and therefore the timing, of when the internal audit should occur. This risk assessment is based not only on current known information within your organisation but also on the external environment, e.g. evolving regulations and emerging risks. From this, a quarterly, semi-annual or annual Audit Plan can readily be produced by internal audit.
What is the most effective way to risk assess an audit universe line?
The internal audit profession has no standard approach other than that it should be appropriate to the size, complexity and risk profile of your organisation. Each internal audit department will develop its own methodology and approach to assess the risk of auditable entities and ultimately produce an Audit Plan. Although the process of risk assessment is subjective, the risk assessment framework does need to be applied consistently. Typically, a documented risk assessment for each auditable entity may include:
- Background information such as business objectives, organisational structure etc.
- Financial information - revenue and costs.
- System architecture.
- Results of previous audits including any key findings and open issues.
- Scope of the auditable entity, i.e. clearly state which key business processes and IT systems are in scope to avoid duplication or, worse, anything ‘falling through the cracks’; and
- Detailed risk assessments of each risk category (see table below).
The table below provides an illustrative example of a detailed risk assessment for an auditable entity (each organisation will define and use different risk categories):
Note: A few internal audit departments assess at the inherent risk level and do not consider the control environment in their risk assessment.
The documented risk assessment needs to clearly justify the assessment of each risk category above, e.g. why is Impact rated as Medium risk for the Operational risk category? Your internal audit department should have developed quantitative and qualitative criteria to help determine this. Additionally, internal audit may develop an ‘algorithm’ or formula to calculate the overall residual risk score for each auditable entity.
Continuing this example, mapping the overall residual risk score of each auditable entity (750 in the above example) against the illustrative table below would result in a risk assessment of High for this auditable entity, which would require the audit to be performed e.g. every twelve months.
This is just one approach to constructing an audit plan, albeit a common one. When developing the ‘algorithm’ or formula to calculate the overall residual risk score, some level of calibration of the initial results is likely to be required to avoid unrealistic outcomes, e.g. 80% of your auditable entities scoring at High risk levels.
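As an added illustration of the scoring and calibration step described above (constructed for this article, not the author's or any audit department's actual formula), the following Python scores one auditable entity from per-category Likelihood, Impact and control-strength ratings, maps the score to a rating, and then raises the High cut-off until no more than an assumed share of entities rate High. The category weights, control factors, cut-offs and sample scores are all assumptions.

```python
# Constructed example: residual-risk scoring for an auditable entity plus a
# calibration check for the "80% of entities rate High" outcome.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}
# Control strength discounts inherent risk (assumed factors). A department that
# assesses at the inherent level would set every factor to 1.0.
CONTROL_FACTOR = {"Strong": 0.5, "Adequate": 0.75, "Weak": 1.0}
# Illustrative category weights (assumed); each organisation defines its own.
WEIGHTS = {"Operational": 3, "Financial": 2, "Legal & Compliance": 3, "Reputational": 2}


def residual_score(ratings):
    """ratings: {category: (likelihood, impact, control)} -> score on a 0..1000 scale."""
    total = 0.0
    for category, (likelihood, impact, control) in ratings.items():
        inherent = LEVEL[likelihood] * LEVEL[impact]      # 1..9 per category
        total += WEIGHTS[category] * inherent * CONTROL_FACTOR[control]
    max_total = 9 * sum(WEIGHTS.values())                 # every category at High/High/Weak
    return round(1000 * total / max_total)


def rate(score, high_cut=700, medium_cut=400):
    """Map a score to High / Medium / Low using the current cut-offs (assumed defaults)."""
    return "High" if score >= high_cut else "Medium" if score >= medium_cut else "Low"


def high_share(scores, high_cut=700):
    """Fraction of auditable entities that rate High under the given cut-off."""
    return sum(1 for s in scores if s >= high_cut) / len(scores)


def calibrate_high_cut(scores, max_high_share=0.25, start=700, step=10):
    """Raise the High cut-off in steps until at most max_high_share of entities rate High."""
    cut = start
    while high_share(scores, cut) > max_high_share and cut < 1000:
        cut += step
    return cut


# Constructed entity: one rating tuple per category (likelihood, impact, control).
PAYMENTS_PROCESSING = {
    "Operational": ("High", "High", "Adequate"),
    "Financial": ("High", "High", "Weak"),
    "Legal & Compliance": ("High", "High", "Adequate"),
    "Reputational": ("Medium", "High", "Adequate"),
}
# Constructed scores for ten entities after a first, uncalibrated scoring run.
SAMPLE_SCORES = [750, 820, 710, 900, 760, 730, 780, 700, 520, 310]

if __name__ == "__main__":
    print(residual_score(PAYMENTS_PROCESSING), rate(residual_score(PAYMENTS_PROCESSING)))
    print(high_share(SAMPLE_SCORES), calibrate_high_cut(SAMPLE_SCORES))
```

With the constructed sample, 8 of 10 entities rate High at the initial cut-off, and the calibration moves the High cut-off to 790 so that only two do; an entity scoring 750 then rates Medium instead of High, which is the kind of relative re-ranking the Audit Committee can review.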
As the above illustrative table suggests, the results of the risk assessment may also inform internal audit if a full scope internal audit is required or if some other internal audit product would be more appropriate, such as a Key control review or Continuous monitoring for lower risk auditable entities.
Additionally, the Audit Plan (and the time budgets estimated to complete each internal audit or audit product) informs internal audit and the Audit Committee on the quantity and quality of internal audit resource required to deliver the Audit Plan e.g. total internal audit headcount, split between business and IT auditors, subject matter experts to help in highly technical areas etc.
What common pitfalls should be avoided?
There are many, but some points to consider are:
- Will you ‘double count’ the same risk across two or more risk categories? E.g. the risk of breaching Anti-money laundering regulations could potentially apply to the Legal & Compliance, Reputational or Financial risk category. Perhaps pick one risk category and consistently apply this; otherwise you may artificially overstate the risk score, i.e. potentially auditing an auditable entity too frequently to the detriment of auditing another auditable entity;
- Develop a consistent approach to address scenarios where internal audit intentionally addressed only part of the scope of the auditable entity. How do you track and document this? Do you consider this to mean that this auditable entity is now covered and is now not due to be audited again until the next cycle? Your Internal Audit Policy and Procedures should provide guidance on this.
- Where an audit of an auditable entity is required by a law or regulation, should you risk assess and score that auditable entity as if it were not a regulatory required audit, or simply override the overall risk assessment score to ensure it is audited at the prescribed frequency? Regardless, the audit still needs to be carried out at the regulatory required frequency, but by adopting the former method you can easily quantify the extra ‘burden’ of performing regulatory required internal audits.
How do you know the risk assessment is correct?
You are never sure, due to the subjective nature of a risk assessment. However, if you consistently follow your audit methodology and clearly justify your risk ratings, then an independent party would at least understand your thought process and provide the Audit Committee with the opportunity to review and challenge all the residual risk scores relative to each other.
The results of the risk assessment and the draft audit plan are usually subject to an intensive socialisation process with management and external audit. Ultimately, the risk assessment, the draft audit plan and any noteworthy comments from the management during the socialisation process, should be presented to the Audit Committee for their review, challenge and approval.
Risk assessments should be updated as and when new key information becomes available and not simply limited to a once-a-year exercise. Often, internal audit departments implement a quarterly continuous monitoring programme which helps to promptly identify new information, emerging risks etc. A significant change in a risk assessment during the year could lead to a planned internal audit no longer being due in the current year and therefore being deferred from the Audit Plan, or to a proposed new audit being added to the current year’s Audit Plan. Any proposed intra-year changes to the Audit Plan would be expected to be presented to the Audit Committee for their challenge and approval.
An effective and consistently applied risk assessment process is critical for internal audit to develop a truly risk-based Audit Plan. The role of internal audit policy & procedures, training, and internal audit’s practice and quality assurance teams is key to achieving this. It is also important that your internal audit staff are encouraged to share feedback and identify any potential improvements to the risk assessment process. Risk assessments are the foundations of an effective internal audit department.