The Risk Assessment Plan is the foundation for the entire audit process. It lays down the guidelines for identifying and assessing the risks to an organization’s strategic objectives, while also establishing a roadmap to mitigate those risks.

From a SOX standpoint, the Risk Assessment Plan includes the identification of significant accounts, including their associated risks and relevant assertions, the selection of controls which address or mitigate these risks, and a determination of the evidence necessary to assess the design and operation of each control. Certain key elements of a Risk Assessment Plan are applicable to both the internal audit function in general and to SOX compliance specifically. These are outlined below.

In-depth analysis of financial and operational data

An analysis of business data not only entails reviewing the issues raised by the external and internal auditors, but also drilling down to the root causes of these issues to identify systemic gaps. In addition, performing period-to-period comparisons can identify emerging risks or changes to existing risks. Under the top-down risk assessment approach recommended by AS5, the auditor begins at the financial statement line item (“FSLI”) level and identifies significant accounts and disclosures and their relevant assertions. The auditor then obtains an understanding of the risks and the internal controls over financial reporting (“ICFR”), which includes consideration of the entity-level controls as well as the relevant business process and IT controls.

Understanding and engaging stakeholders

The most important prerequisite to establishing constant engagement with key stakeholders is understanding their objectives. AS5 mentions the following points regarding understanding the management and audit committees when evaluating a company’s control environment:

  • Whether management’s philosophy and operating style promotes effective internal controls over financial reporting;
  • Whether sound integrity and ethical values, particularly of top management, are developed and understood; and
  • Whether the Board or audit committee understands and exercises oversight responsibility over financial reporting and internal control.

Organizing frequent leadership training on topics such as risk management, and using the risk committee to oversee major risk assessment activities, can also lead to productive stakeholder engagement.

Interview/Survey techniques and collaboration with other functions

Per AS5: “management is responsible for maintaining effective internal control over financial reporting and for assessing the effectiveness of internal control over financial reporting.” Therefore, the best way to draw out the key risks in a process is to interview management to understand how they are dealing with those risks. Surveys can be used to complement interviews and to re-confirm risk assessment results with lower-level management who were not interviewed. Further, it is essential that the internal audit function collaborate with the SOX auditors, the external auditor, and other risk management functions to develop the risk assessment plan and encourage multi-function participation in the interview process.

Prioritize and plan audits

An efficient risk assessment mechanism should allow auditors to focus their efforts based on the risks identified. Per the IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) 2010.A1: “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.” This approach to planning audits ensures optimum use of limited resources, maximum impact on the organization, and constant stakeholder engagement.

John Kim
About the author: John Kim, CPA is a SOX Subject Matter Expert and Technical Sales Director at AuditBoard. He has over 10 years of experience in Internal Audit, first as a Risk Assurance Manager at PricewaterhouseCoopers and then as the Senior Manager of Internal Audit for Zynga.