Key Considerations in Risk Based Internal Audit
Even when risk identification is primarily a management responsibility, internal auditors play a pivotal role in risk management by evaluating the process controls, highlighting critical risks to the achievement of business objectives, and providing assurance regarding the adequacy of controls in respect of existing and emerging risks.
A regular and effective risk-based audit program is essential to achieve these objectives. It helps auditors identify potential risks, fraud and errors, on the basis of which they can suggest areas of improvement. It also helps in efficient prioritization of audit engagements and resources.
Auditors need to consider the following key points while conducting risk-based internal audits:
Understand the Business, Its Objectives, and Risks:
A risk-based audit is broader in scope and requires a complete understanding of organizational strategies, goals, and objectives, in contrast to a checklist-based audit, which focuses on evaluating compliance with a specified set of requirements. It is necessary for auditors to have an exhaustive knowledge of the entity’s business environment – including its strengths, weaknesses, and challenges – to be able to plan the audits with a focus on all the critical risks.
Auditors can start by identifying key business objectives and the associated risks for each identifiable process. Audit engagements need to be prioritized and scheduled accordingly, to provide insight into where control design is aligned with the activity-wise risks and where it is not. It is important to ensure that all types of risk – operational, financial, regulatory, legal, IT or technology risks – are considered at the enterprise level.
Auditors need to:
- Carry out a deep dive into the entity’s environment and operations to identify the most significant business risk or risk category that could impede its ability to meet the desired objectives.
- Examine whether stakeholders are incorporating risks into decision-making and strategic planning processes.
- Evaluate the company’s readiness to respond to any unexpected events.
- Determine whether documentation exists to manage changes effectively, i.e. documentation defining the steps or controls to manage potentially significant changes that could impact the overall internal control system.
Get Management Involved:
A risk-based auditing and monitoring program can be termed effective only if there is buy-in from those charged with management in the entity. Thus, internal auditors need to work closely with the entity’s senior leadership and management teams to align the RBIA and audit mission with the business strategy and risks. Even where a risk register is documented and provided to internal auditors, regular interactions and communication (before and after conduct of the audit) allow the internal audit function to:
- Leverage management’s assistance in conducting a true ‘risk assessment’ of various business areas
- Understand risk tolerance and thresholds.
- Identify emerging risks in collaboration with management teams. In fact, senior leadership must participate in and agree on high-risk priorities for the audit plan. As the respective HODs are ultimately the ‘owners’ of risk, they are expected to have already identified such emerging risks especially in areas critical for the entity.
- Focus on the most important risks in optimally designing and scheduling audits in a transparent manner.
- Make the audit process swifter, as transparent and regular communication with management will reduce (if not eliminate completely) the factors that make audits slow and limited in scope.
Determine Management’s Risk Tolerance and Appetite:
Risk appetite is the level or amount of risk exposure that an entity is willing to accept. Process owners need to set risk thresholds to identify when and where controls are required to be implemented. This process is necessary to distinguish desirable controls (that are ‘nice to have’) from essential controls that are necessary to protect business interests – financial as well as non-financial.
Internal auditors should:
- Identify and understand the risk management policies, if any, implemented in the entity
- Gauge risk appetite at the organizational and individual process levels.
- Conclude on the risk tolerance levels, and use them as a starting point for independent risk assessments.
Mapping of the risk appetites and tolerance levels adds trustworthiness to the audit issue management process as well.
An auditor well equipped with an understanding of ‘risk tolerance’ can identify a control gap (vis-à-vis the tolerance threshold) more effectively, and report it appropriately for resolution.
Assess Risk Impact and Likelihood:
After identification of the key risks, there is a need to:
- Assess their likelihood and impact on the organization;
- Assess management’s ability (at least theoretically) to mitigate such risks; and
- Assess whether the defined processes are appropriately addressing (at least) the most significant risks.
The results of this activity should also feed into audit planning, to ensure that all significant risks in critical processes (which may have a catastrophic effect) are covered when assessing design effectiveness and operating effectiveness during the audit.
Different organizations can have different attitudes towards the same type of risk, leading to different approaches to addressing it. Accordingly, the internal auditor needs to define risk assessment parameters empathetically, based on the unique requirements and positioning of the specific entity.
Certain practices are applicable universally, including the following:
- Define impact quantitatively (wherever possible) and qualitatively.
- Define likelihood by establishing the overall range of values or the set of categories. These should ideally include all values that could possibly be encountered, so that situations can be differentiated easily when preparing management’s appropriate response.
- Examine critical points – activity wise – to ensure that relevant and effective controls are in place.
- Design control tests to adequately cover probable concerns. Ensure documentation of testing processes, reusable management documents (in the form of an audit toolkit), work-paper management, and client data protection.
- Present all conclusions, audit findings, reports, and corrective action plans to the management.
Conclusion: Internal auditors are well positioned to support organizations in enhancing operational efficiency, compliance, asset protection and financial reporting, as well as in driving better business performance. Through RBIA, internal auditors can enhance their role and provide value-added contributions as strategic advisers by delivering timely, accurate and thorough insights on risks and by providing suggestions empathetically on management’s response to the issues. With the inputs received from internal auditors, the stakeholders are in a position to focus on business growth that is in consonance with their risk appetite.