What is risk assessment in internal audit?

The Institute of Internal Auditors (IIA) Qatar Chapter held a training session on 'Simple Risk Assessment Techniques for Internal Auditors' by Alaba Adedamola Awolaja from Nigeria. Alaba Awolaja, CIA, is a business professional and consultant with over a decade of experience in banking and financial services. He is a dedicated risk management professional with a keen focus on identifying, assessing, managing, and controlling potential events that may affect an entity's objectives, and on preventing and detecting fraud.

"Risk assessment is the overall process of risk identification, risk analysis, and risk evaluation. Risk assessment is at the center of a typical risk management process. Internal audit's risk assessments start by considering inherent risk, the combination of internal and external risks in their pure, uncontrolled state," said Alaba in his opening remarks.

The choice of risk assessment technique depends on the complexity of the problem, the degree of uncertainty, the extent of resources needed, and whether quantitative output is required. The most common techniques are Brainstorming, Delphi, Scenario Analysis, Structured What If (SWIFT), Hazard and Operability Studies (HAZOP), Business Impact Analysis, Bow Tie Analysis, etc. Alaba detailed each technique's correct usage, differentiating factors, comparative strengths, and relative benefits.

Alaba elucidated the relevant standards and the practical application of these techniques in real-life situations. The standards applied are mainly the International Professional Practices Framework (IPPF) from the IIA, International Standard Organization (ISO) standards, the COSO methodology, and the IRM structure.

"Alaba's presentation was highly useful to improve continuous risk assessments in this era of the dynamic risks to navigate the stormy and uncertain future of businesses. The insightful presentation followed a great Q&A session that was appreciated for practical inputs," said Sundaresan Rajeswar, Board member of the IIA Qatar.

"I have seen the use of elaborate, time-consuming methodologies, including formulas, to score individual risks. Sometimes these formulas seemed better suited for a rocket launch than calculating a single risk in an audit plan. As I often coach internal auditors, simplified formulas can be just as effective as complicated ones. Professional judgment will invariably be a factor no matter how complex the process." Alaba concluded by quoting from the book 'The Speed of Risk' by Richard F. Chambers, CEO of the IIA Inc.

Fahad al-Marri, Senior Vice President of the IIA Qatar, addressed the gathering. "Set personal improvement goals to improve your value as internal auditors as a new year resolution for 2021. Do write to the Chapter Board indicating the topics of interest to organize knowledge-sharing events," Fahad said.

Girish Jain, Murtaza, and Murali coordinated the event, which ran for nearly two hours and drew a capacity audience of over 100 attendees.


  • Risk assessments are the foundations of an effective internal audit department although common pitfalls should be considered.

  • Robust risk assessments will help inform which internal audits should be performed and when, including the most appropriate audit products to use and required skillsets.

  • Risk assessments should be dynamic and updated as and when key new information is available - not simply left to an annual refresh.

The previous article, titled Internal Audit: Understanding the audit universe and the journey to risk maturity, discussed whether internal audit should establish an internal audit universe or place reliance on an enterprise-wide risk assessment process. This article focuses on the case where internal audit has decided to create and maintain its own audit universe.

Internal audit assesses the risk of each auditable entity within an internal audit universe to help determine the priority and therefore timing of when the internal audit should occur. This risk assessment is not only based on current known information within your organisation but also the external environment e.g. evolving regulations, emerging risks. From this, a quarterly, semi-annual, or annual Audit Plan can easily be produced by internal audit.

What is the most effective way to risk assess an audit universe line?

The internal audit profession has no standard approach other than that the approach must be appropriate to the size, complexity and risk profile of your organisation. Each internal audit department will develop its own methodology to assess the risk of auditable entities and ultimately produce an Audit Plan. Although the process of risk assessment is subjective, a risk assessment framework still needs to be applied consistently. Typically, a documented risk assessment for each auditable entity may include:

  • Background information such as business objectives, organisational structure etc.
  • Financial information - revenue and costs.
  • System architecture.
  • Results of previous audits including any key findings and open issues.
  • Scope of the auditable entity i.e. clearly state which key business processes and IT systems are in scope to avoid duplication, or worse, avoid anything ‘falling through the cracks’, and
  • Detailed risk assessments of each risk category (see table below).

The table below provides an illustrative example of a detailed risk assessment for an auditable entity (each organisation will define and use different risk categories):

[Table not reproduced: illustrative detailed risk assessment for an auditable entity, with a rating per risk category.]

Note: A few internal audit departments assess at the inherent risk level and do not consider the control environment in their risk assessment.

The documented risk assessment needs to clearly justify the assessment of each risk category above e.g. Why is Impact rated as Medium risk for the Operational risk category? Your internal audit department should have developed quantitative and qualitative criteria to help determine this. Additionally, internal audit may develop an ‘algorithm’ or formula to calculate the overall residual risk score for each auditable entity.

Continuing this example, applying the illustrative table below to the overall residual risk score for each auditable entity (750 in the above example) would result in a risk assessment of High for this auditable entity, which would require the audit to be performed e.g. every twelve months.

[Table not reproduced: illustrative mapping of overall residual risk score to risk rating, audit frequency and audit product.]

This is just one approach to constructing an audit plan, albeit a common approach. When developing the ‘algorithm’ or formula to calculate the overall residual risk score, some level of calibration of the initial results is likely to be required to avoid unrealistic outcomes e.g. 80% of your auditable entities scoring at High risk levels.

Additional benefits

As the above illustrative table suggests, the results of the risk assessment may also inform internal audit if a full scope internal audit is required or if some other internal audit product would be more appropriate, such as a Key control review or Continuous monitoring for lower risk auditable entities.

Additionally, the Audit Plan (and the time budgets estimated to complete each internal audit or audit product) informs internal audit and the Audit Committee on the quantity and quality of internal audit resource required to deliver the Audit Plan e.g. total internal audit headcount, split between business and IT auditors, subject matter experts to help in highly technical areas etc.

What common pitfalls should be avoided?

There are many, but some points to consider are:

  • Will you ‘double count’ the same risk across two or more risk categories? For example, the risk of breaching Anti-money laundering regulations could potentially apply to the Legal & Compliance, Reputational or Financial risk category. Perhaps pick one risk category and apply this consistently; otherwise you may artificially overstate the risk score, i.e. potentially audit one auditable entity too frequently to the detriment of auditing another;

  • Develop a consistent approach to address scenarios where internal audit intentionally addressed only part of the scope of the auditable entity. How do you track and document this? Do you consider this to mean that this auditable entity is now covered and is now not due to be audited again until the next cycle? Your Internal Audit Policy and Procedures should provide guidance on this.

  • Where an audit of an auditable entity is required by a law or regulation, should you risk assess and score that auditable entity as if it was not a regulatory required audit, or simply override the overall risk assessment score to ensure it is audited at the prescribed frequency? Regardless, the audit still needs to be carried out at the regulatory required frequency, but by adopting the former method above you can easily quantify the extra ‘burden’ of performing regulatory required internal audits.
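The scoring formula, the calibration step and the regulatory-override pitfall above all become concrete once written out. The following is an added example, not the article's own table or formula: the three-point Impact and Likelihood scale, the control-effectiveness factors, the category weights, the 0..1000 scaling, the frequency mapping and the eight auditable entities are all constructed assumptions. It shows an uncalibrated threshold pair putting most of the universe at High, derives calibrated thresholds from the score distribution instead, and scores regulatory-required audits as if no regulation applied so that the extra burden of the prescribed frequency can be counted.

```python
"""Illustrative residual-risk scoring and calibration for an audit universe.

Constructed example: the weights, factors, thresholds and entities are
assumptions for illustration, not the article's own table or formula.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

RATING = {"Low": 1, "Medium": 2, "High": 3}                      # assumed scale
CONTROL_FACTOR = {"Strong": 0.4, "Adequate": 0.7, "Weak": 1.0}  # assumed reduction
CATEGORY_WEIGHTS = {"Operational": 0.30, "Financial": 0.25,     # assumed weights
                    "Legal & Compliance": 0.25, "Reputational": 0.20}
FREQUENCY_MONTHS = {"High": 12, "Medium": 24, "Low": 36}        # assumed cycle
MAX_CATEGORY_RISK = 3 * 3 * 1.0   # High impact x High likelihood x Weak controls
INITIAL_THRESHOLDS = (300, 400)   # (Medium >=, High >=) before calibration


@dataclass
class CategoryAssessment:
    impact: str
    likelihood: str
    controls: str


@dataclass
class AuditableEntity:
    name: str
    categories: dict[str, CategoryAssessment]
    regulatory_months: Optional[int] = None  # frequency prescribed by regulation


@dataclass
class PlanEntry:
    name: str
    score: int
    rating: str
    risk_based_months: int
    required_months: int
    regulatory_override: bool  # True when regulation demands a shorter cycle


def residual_score(entity: AuditableEntity) -> int:
    """Weighted residual risk on a 0..1000 scale (assumed formula)."""
    total = 0.0
    for category, weight in CATEGORY_WEIGHTS.items():
        a = entity.categories[category]  # KeyError means an incomplete assessment
        inherent = RATING[a.impact] * RATING[a.likelihood]
        total += weight * inherent * CONTROL_FACTOR[a.controls]
    return round(total / MAX_CATEGORY_RISK * 1000)


def rate(score: int, thresholds: tuple[int, int]) -> str:
    medium_min, high_min = thresholds
    return "High" if score >= high_min else "Medium" if score >= medium_min else "Low"


def rating_distribution(scores, thresholds) -> dict[str, int]:
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for s in scores:
        counts[rate(s, thresholds)] += 1
    return counts


def calibrate_thresholds(scores, high_share=0.25, low_share=0.25) -> tuple[int, int]:
    """Derive thresholds from the score distribution so that roughly high_share of
    entities rate High and low_share rate Low, instead of trusting fixed cut-offs."""
    ordered = sorted(scores)
    n = len(ordered)
    high_min = ordered[n - max(1, int(n * high_share))]
    medium_min = ordered[min(n - 1, int(n * low_share))]
    return min(medium_min, high_min), high_min


def build_plan(entities, thresholds) -> list[PlanEntry]:
    """Score each entity as if no regulation applied, then apply the regulatory
    frequency as an override so the extra burden stays visible and countable."""
    plan = []
    for e in entities:
        score = residual_score(e)
        rating = rate(score, thresholds)
        risk_months = FREQUENCY_MONTHS[rating]
        required, override = risk_months, False
        if e.regulatory_months is not None and e.regulatory_months < risk_months:
            required, override = e.regulatory_months, True
        plan.append(PlanEntry(e.name, score, rating, risk_months, required, override))
    return plan


def regulatory_burden(plan) -> int:
    """Number of audits performed sooner than the risk assessment alone justifies."""
    return sum(1 for p in plan if p.regulatory_override)


def make_entity(name, op, fin, lc, rep, regulatory_months=None) -> AuditableEntity:
    cats = {k: CategoryAssessment(*v) for k, v in zip(CATEGORY_WEIGHTS, (op, fin, lc, rep))}
    return AuditableEntity(name, cats, regulatory_months)


# Constructed universe: (impact, likelihood, controls) per category in weight order.
UNIVERSE = [
    make_entity("Payments", ("High", "High", "Weak"), ("High", "High", "Weak"),
                ("High", "High", "Weak"), ("High", "High", "Weak"), regulatory_months=12),
    make_entity("Treasury", ("High", "High", "Adequate"), ("High", "Medium", "Weak"),
                ("Medium", "Medium", "Weak"), ("High", "Medium", "Adequate")),
    make_entity("Payroll", ("High", "Medium", "Weak"), ("High", "High", "Adequate"),
                ("Medium", "Low", "Adequate"), ("Medium", "Medium", "Weak")),
    make_entity("Branch operations", ("Medium", "Medium", "Weak"), ("Medium", "Medium", "Adequate"),
                ("Medium", "High", "Weak"), ("Medium", "Medium", "Adequate"), regulatory_months=12),
    make_entity("Facilities", ("Low", "Low", "Strong"), ("Low", "Low", "Strong"),
                ("Low", "Low", "Strong"), ("Low", "Low", "Strong")),
    make_entity("HR", ("Medium", "Low", "Adequate"), ("Low", "Low", "Strong"),
                ("Medium", "Medium", "Adequate"), ("Medium", "Low", "Strong")),
    make_entity("Vendor management", ("Medium", "High", "Adequate"), ("Medium", "Medium", "Weak"),
                ("High", "Medium", "Adequate"), ("Medium", "Medium", "Weak")),
    make_entity("Marketing", ("Low", "Medium", "Adequate"), ("Low", "Low", "Adequate"),
                ("Low", "Medium", "Strong"), ("High", "Medium", "Adequate")),
]

if __name__ == "__main__":
    scores = [residual_score(e) for e in UNIVERSE]
    print("uncalibrated:", rating_distribution(scores, INITIAL_THRESHOLDS))
    calibrated = calibrate_thresholds(scores)
    print("calibrated thresholds", calibrated, rating_distribution(scores, calibrated))
    plan = build_plan(UNIVERSE, calibrated)
    for p in plan:
        flag = "  (regulatory override)" if p.regulatory_override else ""
        print(f"{p.name:18} {p.score:5} {p.rating:6} every {p.required_months:2} months{flag}")
    print("regulatory burden:", regulatory_burden(plan))
```

With the uncalibrated thresholds five of the eight constructed entities rate High and none rate Medium, which is the kind of unrealistic outcome the article warns about; the calibrated thresholds spread the same scores across High, Medium and Low. Note that the regulatory burden count depends on the thresholds: once calibration moves "Branch operations" from High to Medium, its prescribed twelve-month cycle becomes visible as an override rather than being hidden inside the risk-based result.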

How do you know the risk assessment is correct?

You are never sure, due to the subjective nature of a risk assessment. However, if you consistently follow your audit methodology and clearly justify your risk ratings, then an independent party would at least understand your thought process and provide the Audit Committee with the opportunity to review and challenge all the residual risk scores relative to each other.

The results of the risk assessment and the draft audit plan are usually subject to an intensive socialisation process with management and external audit. Ultimately, the risk assessment, the draft audit plan and any noteworthy comments from the management during the socialisation process, should be presented to the Audit Committee for their review, challenge and approval.

Risk assessments should be updated as and when key new information becomes available and not simply limited to a once-a-year exercise. Often, internal audit departments implement a quarterly continuous monitoring programme which helps to promptly identify new information, emerging risks etc. A significant change in a risk assessment during the year could mean that a planned internal audit is no longer due in the current year and is therefore deferred from the Audit Plan, or that a proposed new audit is added to the current year’s Audit Plan. Any proposed intra-year changes to the Audit Plan would be expected to be presented to the Audit Committee for their challenge and approval.

Summary

An effective and consistently applied risk assessment process is critical for internal audit to develop a truly risk-based Audit Plan. The role of internal audit policy & procedures, training, and internal audit’s practice and quality assurance teams are key to achieving this. However, it’s important that your internal audit staff are encouraged to share feedback and identify any potential improvements to the risk assessment process. Risk assessments are the foundations of an effective internal audit department.