Does your internal audit team get external audit involved in the risk assessment process? If you’re not fostering a collaborative relationship with external audit during your risk assessments, you could be missing out on opportunities to improve efficiencies, save costs, and increase the strategic value of your audits. In this article, you’ll learn about the benefits of increased transparency and collaboration with external audit during the risk assessment process, as well as three concrete ways to boost external audit confidence in internal audit’s risk assessments.
What Is an Audit Risk Assessment?
To meet IIA Standard 2010 (Planning), “the chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity.” An audit risk assessment is a systematic evaluation of the risks affecting an organization. The assessment typically rates the risks based on their potential impact and likelihood. An audit risk assessment may also include other evaluation metrics unique to the organization, which can be quantitative and qualitative. The risks are rated based on the auditor’s knowledge of the area and interviews with management.
When internal audit teams conduct risk assessments in their organization, they engage with many different stakeholders, including the CFO, the audit committee, executives, and department leaders across the company. One stakeholder that tends to get overlooked during the risk assessment process is the external auditor.
With an increased push towards risk-based auditing, more scrutiny is being placed on the initial risk assessment that drives the audit plan from a traditional internal audit standpoint and the scoping from a SOX standpoint. Understandably, it is becoming more common for external auditors to question the completeness and analysis behind the internal audit team’s risk assessment. Without transparency into the methodology, process, rationale behind scoping decisions, or documentation, external audit tends to have reservations about the assessment’s reliability.
What Is the Purpose of Audit Risk Assessment?
An audit risk assessment is used to create a prioritized listing of risks that serves as the basis for developing the audit plan. The audit risk rating rolls up to departments, processes, or business objectives that make up the audit universe, ultimately becoming the target for the audits on the plan. The audit risk assessment is the critical first step in audit planning. The audit risk assessment results set the course for the audit department’s understanding of the organization and most of the work the department performs.
Why isn’t internal audit doing more to get external audit involved in the audit risk analysis process? For some teams, there is a perception that external audit is just looking to increase the scope of their engagement and, by extension, their billing. Others question whether external audit adds that much value to the audit risk assessment process.
In practice, internal audit can benefit in some simple ways by working more closely with the external audit team during the audit risk analysis process. Discussions early on can help mitigate the risk that external audit identifies a gap late in the year when there is little or no time to remediate. It also enables both parties to leverage the work performed by one another and, in turn, reduce unnecessary costs. Fostering a more collaborative relationship can strengthen confidence in the work performed by internal audit as well. Crucially, by presenting a united front with external audit, internal audit teams can gain trust from the audit committee and provide informed updates throughout the year.
Here are three steps that internal audit professionals can take during the audit risk assessment process to increase transparency and collaboration with their external audit partners — and ultimately bolster confidence in their work.
1. Document the Rationale Behind the Scope and Risk Ranking
Internal auditors must be precise and thorough in their documentation regarding the rationale behind scoping for processes and audit risk ratings. What analysis went into that high, medium, or low ranking? Carefully documenting qualitative and quantitative factors that drive scoping and audit risk rating decisions will increase the chances that external audit can better assess the risks and interpret the team’s work.
For example, it generally isn’t enough to simply document that the Accounts Receivable process is in scope this year because it was in scope last year and revenue is steady. Comments about an uptick in PCAOB findings related to revenue controls or specific commentary regarding key clients or revenue streams would give external auditors confidence and visibility into the assumptions involved in making the scoping decision.
It’s also essential to communicate the rationale behind the audit risk rating. If 60 percent of the organization’s revenue is driven from only three territories, it will stand to reason that Accounts Receivable in the remaining territories would be considered low risk. In general, the internal audit team should be specific regarding the business’s current conditions and the function that drove each process’s risk ranking.
2. Assess New and Emerging Risks
On an annual basis, some internal audit teams will simply roll forward the audit risk analysis they have conducted the year before, which is likely identical to previous years. While this process may be a great starting point, the question remains: what are internal audit teams doing to address new and emerging risks?
Internal audit may be overlooking an opportunity to increase their strategic relevance in the organization by having a risk assessment process that evolves along with the business’s shifting needs. In addition to seeking out market research regarding emerging risks for the organization’s particular industry, internal audit should actively facilitate feedback from executives and department heads, often as part of a larger Enterprise Risk Management (ERM) strategy. With this input, teams can track changes to risks over time and gain insight into new risks a particular division might be facing due to changing market conditions. Focusing on identifying emerging risks can ensure that internal audit assesses the right issues and gives more confidence to their external audit partners.
3. Solicit Feedback from the External Audit Team
Getting external audit involved earlier in the risk assessment process and soliciting their feedback can strengthen the strategic value of the work and create efficiencies throughout the year. Taking it a step further, leveraging industry-specific benchmarked risks provided by your external auditor can go a long way to help increase their reliance since their methodology has been woven into the assessment. It can decrease the time spent by external audit on areas that may not be relevant or in line with their expectations. Having a dialogue with external audit during the risk assessment phase can also help the internal audit team consider factors that may come up later in the year.
For example, if external audit were involved with risk assessments from the beginning, they could provide insight into what the PCAOB will focus on over the next 12 months, giving internal audit an appropriate runway to start pre-assessments on business units that might be coming into scope over the next few years. Without such transparency early on, the chance for surprise findings late in the year increases.
Internal audit teams have a lot to gain by improving the transparency and collaboration with external audit during the risk assessment process. Whether your team implements more methodical documentation of the rationale behind their scope and risk ranking, puts a mechanism in place for identifying new and emerging risks, or solicits feedback from the external audit team earlier in the process, all these measures can boost the strategic value of — and confidence in — internal audit’s risk assessment.