Every year, usually around the end of the year, auditors start preparing for the risk assessment process.
For so many of us, risk assessments bring a multitude of challenges. Mostly, the frustration comes from the complexity we have built into the assessment. We combine subjective measures with past audit results and data from different systems. Then we tack on hours of interviews with management and discussions about emerging risks that add more subjectivity. Then we pack all this information into a risk assessment template. Often, the template was designed by someone who left the organization years before or an external consultant who recommended the approach, and we decided to roll everything forward when it might not make sense.
When it takes so much effort to complete the assessment that it takes away from the actual audits that we could be working on, is it time to admit that our risk assessment process is just too complicated?
What Do the IIA Standards Say About Risk Assessments?
We should always go to the primary source for answers first. The IIA Standard on risk assessments is Standard 2010 – Planning. If you refer to the guidance as written in the Standards found on The IIA’s website, you can get to the bare necessities of the risk assessment process. The risk assessment should:
- Be completed at least annually
- Include input from senior management and the board
- Include impact and likelihood measures
The last bullet comes from the glossary definition of risk appended to the Standards. To claim conformance to the Standards, our risk assessment does not have to be overly complex. The assessment could be as simple as this example:
Obviously, the example above is too simple to be practical in the real world, and we do not want to make the mistake of overcorrecting if the risk assessment is too complex.
What Happens in the Real World?
Talking about simplicity is wonderful, but we have to factor in other variables in the real world. You may be in a regulated industry with other requirements, or your organization may be public, so you have to consider financial statement materiality. Risk metrics and assessment frequency will be unique to your organization, this is why the IIA Standards are vague on details. Whatever the case, just conforming to the Standards is likely not good enough. We end up with a complicated assessment that looks like this:
The key is balancing requirements versus expectations. Just because others recommend including different data points in your assessment, this does not mean you should. For the purposes of deploying audit resources, the risk assessment needs to be completed in a reasonable time. As many move to agile auditing, risk assessments become more frequent (e.g., quarterly) risk assessments. If the assessment takes more than two weeks to complete, we will not be able to conduct effective audit work.
Three Tips for Simpler Risk Assessments
After seeing several hundred variations on risk assessments, several best practices stand out from the most successful internal audit departments.
1. Evaluate Your Metrics
Every year, before you start scoring your assessment, consider the metrics you are using. The metrics you used last year might not apply this year, or new ones could be more meaningful. Remember that every metric comes from somewhere and requires time for evaluation.
2. Consider Self-Assessments
Some of the most effective and efficient departments use risk and control self-assessments (RCSAs). The self-assessment pushes part of the data entry for the assessment down to the 1st line of defense and closer to the processes. They give you a starting point, and from there, we can apply our professional judgment to decide who should be interviewed and which areas are low enough risk to eliminate from the plan.
3. Adopt Automation
Automation tools and bots are now more accessible for data collection from other systems. Using a solid risk management software package can help you pull information, crunch the data, and prioritize your audit universe.
What Is the Next Step?
Risk assessments are the starting point in the planning process. If we add too much complexity we run the risk of making an assessment that we dread and the exercise loses its value. As the risk landscape changes faster, we will need to complete the risk assessment more frequently. As you start your next planning cycle, focus on meeting the standards, balancing expectations, and applying best practices that work for your organization, and you will have a strong risk assessment and a solid foundation for your audit plan.
Justin Toro, CISA, is a Commercial Account Executive at AuditBoard. Prior to joining AuditBoard, Justin spent 6 years with KPMG in Atlanta specializing in information technology audits, SOX/ICFR, and SOC Reporting across a variety of industries. Connect with Justin on LinkedIn.
