The Institute of Internal Auditors Qatar Chapter held a training session on 'Simple Risk Assessment Techniques for Internal Auditors' by Alaba Adedamola Awolaja from Nigeria. Alaba Awolaja, CIA, is a business professional and consultant with over a decade of experience in banking and financial services. He is a dedicated risk management professional with a keen focus on identifying, assessing, managing and controlling potential events that may affect an entity's objectives, and on preventing and detecting fraud. "Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Risk assessment is at the center of a typical risk management process. Internal audit's risk assessments start by considering inherent risk, the combination of internal and external risks in their pure, uncontrolled state," said Alaba in his opening remarks. The choice of risk assessment technique depends on the complexity of the problem, the degree of uncertainty, the resources required and whether quantitative output is needed. The most common techniques include brainstorming, Delphi, scenario analysis, Structured What-If Technique (SWIFT), Hazard and Operability Studies (HAZOP), business impact analysis and bow tie analysis. Alaba detailed the correct usage, differentiating factors, comparative strengths and relative benefits of each technique, and illustrated the relevant standards and the practical application of the techniques in real-life situations. The standards drawn on were mainly the International Professional Practices Framework (IPPF) from the IIA, ISO standards, the COSO methodology and the IRM framework. "Alaba's presentation was highly useful to improve continuous risk assessments in this era of dynamic risks, to navigate the stormy and uncertain future of businesses. The insightful presentation followed a great Q&A session that was appreciated for practical inputs," said Sundaresan Rajeswar, Board member of the IIA Qatar.
Alaba concluded by quoting from the book 'The Speed of Risk' by Richard F. Chambers, CEO of the IIA Inc.: "I have seen the use of elaborate, time-consuming methodologies, including formulas, to score individual risks. Sometimes these formulas seemed better suited for a rocket launch than calculating a single risk in an audit plan. As I often coach internal auditors, simplified formulas can be just as effective as complicated ones. Professional judgment will invariably be a factor no matter how complex the process." Fahad al-Marri, Senior Vice President of the IIA Qatar, addressed the gathering: "Set personal improvement goals to improve your value as internal auditors as a new year resolution for 2021. Do write to the Chapter Board indicating the topics of interest to organize knowledge-sharing events." Girish Jain, Murtaza and Murali coordinated the event, which ran for nearly two hours with a full-capacity audience of over 100 attendees.
The previous article, 'Internal Audit: Understanding the audit universe and the journey to risk maturity', discussed whether internal audit should establish its own audit universe or place reliance on an enterprise-wide risk assessment process. This article focuses on the case where internal audit has decided to create and maintain its own audit universe. Internal audit assesses the risk of each auditable entity within the audit universe to determine its priority, and therefore when the internal audit should take place. This risk assessment is based not only on information currently known within your organisation but also on the external environment, e.g. evolving regulations and emerging risks. From this, a quarterly, semi-annual or annual Audit Plan can readily be produced.

What is the most effective way to risk assess an audit universe line?

The internal audit profession has no standard approach, other than that the approach should be appropriate to the size, complexity and risk profile of your organisation. Each internal audit department develops its own methodology for assessing the risk of auditable entities and ultimately producing an Audit Plan. Although risk assessment is inherently subjective, the risk assessment framework must be applied consistently. Typically, a documented risk assessment for each auditable entity may include:
The table below provides an illustrative example of a detailed risk assessment for an auditable entity (each organisation will define and use different risk categories). Note: a few internal audit departments assess at the inherent risk level and do not consider the control environment in their risk assessment. The documented risk assessment needs to clearly justify the rating given to each risk category above, e.g. why is Impact rated as Medium for the Operational risk category? Your internal audit department should have developed quantitative and qualitative criteria to support this. Additionally, internal audit may develop an 'algorithm' or formula to calculate the overall residual risk score for each auditable entity. Continuing the example, the illustrative table below maps the overall residual risk score (750 in the example above) to a rating of High for this auditable entity, which would require the audit to be performed, for example, every twelve months. This is just one approach to constructing an audit plan, albeit a common one. When developing the 'algorithm' or formula for the overall residual risk score, some calibration of the initial results is likely to be required to avoid unrealistic outcomes, e.g. 80% of your auditable entities scoring High.

Additional benefits

As the illustrative table above suggests, the results of the risk assessment may also tell internal audit whether a full scope internal audit is required or whether another internal audit product would be more appropriate, such as a key control review or continuous monitoring for lower risk auditable entities. Additionally, the Audit Plan (with the time budgets estimated to complete each internal audit or audit product) informs internal audit and the Audit Committee of the quantity and quality of internal audit resource required to deliver the plan, e.g. total internal audit headcount, the split between business and IT auditors, and subject matter experts for highly technical areas.

What common pitfalls should be avoided?

There are many, but some points to consider are:
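As an added illustration (not the article's table, and not an IIA method), the Python below implements one possible residual risk 'algorithm' of the kind described above, together with the calibration step: per-category scoring, an overall residual score, banding into High/Medium/Low, mapping each band to an audit product and interval, and a quantile-based recalibration when too many entities land in High. The rating scales, control multipliers, category weights, band cutoffs, audit products and the six-entity sample universe are all constructed assumptions made for this example.

```python
"""Illustrative residual-risk scoring for an audit universe.

Added example; not the article's table nor an IIA-prescribed method. Every
scale, weight, multiplier, band, audit product and sample entity below is an
assumption made for illustration.
"""
import math
from typing import Dict, List, Tuple

# Assumed ordinal scales for the Impact and Likelihood ratings of each risk category.
IMPACT = {"Low": 1, "Medium": 2, "High": 3}
LIKELIHOOD = {"Low": 1, "Medium": 2, "High": 3}
# Assumed control-environment multiplier: inherent x multiplier = residual.
CONTROL = {"Strong": 0.5, "Adequate": 0.75, "Weak": 1.0}
# Assumed category weights in percent; each organisation defines its own categories.
CATEGORY_WEIGHT = {"Operational": 30, "Financial": 25, "Compliance": 25, "IT": 20}
MAX_CATEGORY_SCORE = 3 * 3 * 1.0  # High impact, High likelihood, Weak controls

Rating = Tuple[str, str, str]  # (impact, likelihood, control environment)
Entity = Dict[str, Rating]     # risk category -> rating

# Assumed fixed bands (High cutoff, Medium cutoff); below the Medium cutoff is Low.
FIXED_BANDS = (500, 300)
# Assumed mapping from rating to audit product and maximum interval in months.
AUDIT_PRODUCT = {
    "High": ("Full scope audit", 12),
    "Medium": ("Key control review", 24),
    "Low": ("Continuous monitoring", 36),
}


def inherent_score(rating: Rating) -> int:
    """Inherent risk ignores the control environment: impact x likelihood, 1..9."""
    impact, likelihood, _ = rating
    return IMPACT[impact] * LIKELIHOOD[likelihood]


def residual_score(entity: Entity) -> int:
    """Weighted residual risk on a 0..1000 scale; every category must be rated."""
    missing = set(CATEGORY_WEIGHT) - set(entity)
    if missing:  # an unrated category cannot be justified to the Audit Committee
        raise ValueError(f"unrated risk categories: {sorted(missing)}")
    weighted = sum(
        CATEGORY_WEIGHT[category] * inherent_score(rating) * CONTROL[rating[2]]
        for category, rating in entity.items()
    )
    max_weighted = sum(CATEGORY_WEIGHT.values()) * MAX_CATEGORY_SCORE
    return round(weighted / max_weighted * 1000)


def rate(score: int, bands: Tuple[int, int]) -> str:
    high_cutoff, medium_cutoff = bands
    if score >= high_cutoff:
        return "High"
    return "Medium" if score >= medium_cutoff else "Low"


def assess_universe(universe: Dict[str, Entity], bands: Tuple[int, int]) -> Dict[str, Tuple[int, str, str, int]]:
    """name -> (score, rating, audit product, maximum months between audits)."""
    result = {}
    for name, entity in universe.items():
        score = residual_score(entity)
        rating = rate(score, bands)
        product, months = AUDIT_PRODUCT[rating]
        result[name] = (score, rating, product, months)
    return result


def share_rated(assessment: Dict[str, Tuple[int, str, str, int]], rating: str = "High") -> float:
    return sum(1 for v in assessment.values() if v[1] == rating) / len(assessment)


def calibrate_bands(scores: List[int], high_share: float = 0.25, medium_share: float = 0.35) -> Tuple[int, int]:
    """Quantile calibration (assumed approach): pick cutoffs so that about
    ceil(share * n) entities land in High and in Medium. Entities tied at a
    cutoff all fall into the higher band, so the shares are approximate."""
    ordered = sorted(scores, reverse=True)
    n = len(ordered)
    n_high = max(1, math.ceil(n * high_share))
    n_medium = max(1, math.ceil(n * medium_share))
    high_cutoff = ordered[n_high - 1]
    medium_cutoff = ordered[min(n_high + n_medium, n) - 1]
    return high_cutoff, medium_cutoff


# Constructed sample universe: six auditable entities rated on four categories.
SAMPLE_UNIVERSE: Dict[str, Entity] = {
    "Payments processing": {"Operational": ("High", "High", "Weak"), "Financial": ("High", "High", "Adequate"),
                            "Compliance": ("Medium", "High", "Weak"), "IT": ("High", "High", "Adequate")},
    "Cloud identity (IAM)": {"Operational": ("High", "High", "Adequate"), "Financial": ("Medium", "Medium", "Adequate"),
                             "Compliance": ("Medium", "High", "Adequate"), "IT": ("High", "High", "Weak")},
    "Customer onboarding (KYC)": {"Operational": ("Medium", "High", "Weak"), "Financial": ("Medium", "Medium", "Adequate"),
                                  "Compliance": ("High", "High", "Weak"), "IT": ("Medium", "Medium", "Weak")},
    "Vendor onboarding": {"Operational": ("High", "Medium", "Weak"), "Financial": ("Medium", "Medium", "Weak"),
                          "Compliance": ("High", "Medium", "Adequate"), "IT": ("Medium", "High", "Weak")},
    "Payroll": {"Operational": ("Medium", "Medium", "Adequate"), "Financial": ("High", "Medium", "Adequate"),
                "Compliance": ("Medium", "Low", "Strong"), "IT": ("Medium", "Medium", "Adequate")},
    "Facilities management": {"Operational": ("Low", "Medium", "Adequate"), "Financial": ("Low", "Low", "Strong"),
                              "Compliance": ("Low", "Low", "Adequate"), "IT": ("Low", "Medium", "Strong")},
}

if __name__ == "__main__":
    fixed = assess_universe(SAMPLE_UNIVERSE, FIXED_BANDS)
    print(f"Fixed bands {FIXED_BANDS}: {share_rated(fixed):.0%} of entities rated High")
    bands = calibrate_bands([score for score, *_ in fixed.values()])
    print(f"Calibrated bands {bands}:")
    ranked = sorted(assess_universe(SAMPLE_UNIVERSE, bands).items(), key=lambda kv: -kv[1][0])
    for name, (score, rating, product, months) in ranked:
        print(f"  {score:4d}  {rating:6s}  {product:22s} every {months:2d} months  {name}")
```

Running the file prints the share rated High under the fixed bands (four of the six sample entities, the kind of skewed outcome the article warns about) and then the re-banded plan. Quantile calibration is only one way to calibrate: it forces a distribution rather than reflecting absolute risk, so the justification behind each category rating still has to stand on its own when the Audit Committee challenges the scores.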
How do you know the risk assessment is correct?

You are never sure, because of the subjective nature of a risk assessment. However, if you consistently follow your audit methodology and clearly justify your risk ratings, an independent party can at least follow your reasoning, and the Audit Committee has the opportunity to review and challenge all the residual risk scores relative to one another. The results of the risk assessment and the draft audit plan are usually subject to an intensive socialisation process with management and external audit. Ultimately, the risk assessment, the draft audit plan and any noteworthy comments from management during the socialisation process should be presented to the Audit Committee for review, challenge and approval. Risk assessments should be updated as and when new key information becomes available, not limited to a once-a-year exercise. Internal audit departments often implement a quarterly continuous monitoring programme to identify new information, emerging risks and so on promptly. A significant change in a risk assessment during the year could mean that a planned internal audit is no longer due in the current year and is deferred from the Audit Plan, or that a new audit is added to the current year's Audit Plan. Any proposed in-year changes to the Audit Plan would be expected to be presented to the Audit Committee for challenge and approval.

Summary

An effective and consistently applied risk assessment process is critical for internal audit to develop a truly risk-based Audit Plan. Internal audit policies and procedures, training, and internal audit's practice and quality assurance teams are key to achieving this. It is also important that internal audit staff are encouraged to share feedback and identify potential improvements to the risk assessment process.
Risk assessments are the foundations of an effective internal audit department.