Obviously, the example above is too simple to be practical in the real world, but we also do not want to overcorrect by building a risk assessment that is too complex.
Talking about simplicity is wonderful, but we have to factor in other variables in the real world. You may be in a regulated industry with additional requirements, or your organization may be public, so you have to consider financial statement materiality. Risk metrics and assessment frequency will be unique to your organization, which is why the IIA Standards are vague on the details. Whatever the case, merely conforming to the Standards is likely not good enough. We end up with a complicated assessment that looks like this:
The key is balancing requirements against expectations. Just because others recommend including additional data points in your assessment does not mean you should. For the purposes of deploying audit resources, the risk assessment needs to be completed in a reasonable time. As more departments move to agile auditing, risk assessments become more frequent (e.g., quarterly). If each assessment takes more than two weeks to complete, we will not be able to conduct effective audit work.
After seeing several hundred variations on risk assessments, several best practices stand out from the most successful internal audit departments.
Every year, before you start scoring your assessment, review the metrics you are using. The metrics you used last year might not apply this year, or new ones could be more meaningful. Remember that every metric has to be sourced from somewhere and takes time to collect and evaluate.
Some of the most effective and efficient departments use risk and control self-assessments (RCSAs). The self-assessment pushes part of the data entry for the assessment down to the first line of defense, closer to the processes. It gives you a starting point, and from there you can apply professional judgment to decide who should be interviewed and which areas are low enough risk to eliminate from the plan.
Automation tools and bots are now more accessible for data collection from other systems. Using a solid risk management software package can help you pull information, crunch the data, and prioritize your audit universe.
Risk assessments are the starting point in the planning process. If we add too much complexity, we run the risk of building an assessment that we dread, and the exercise loses its value. As the risk landscape changes faster, we will need to complete the risk assessment more frequently. As you start your next planning cycle, focus on meeting the Standards, balancing expectations, and applying the best practices that work for your organization, and you will have a strong risk assessment and a solid foundation for your audit plan.