There are two ways to mitigate risk in the world of internal auditing. One is to ensure that your company is following the regulations that are already in place. The other way includes adding an extra element to this – assessing potential risk. This practice came into being in 1999 when the Turnbull Report on corporate governance was issued by the ICAEW. Its purpose was to assist in understanding another report, namely the ‘Internal Control: Guidance for Directors on the Combined Code.’
It required directors to provide a statement to shareholders about the significant risks to their business. That revolutionized auditing activity by establishing a method where risks were analyzed along with the traditional practice of ensuring compliance. This method is called a risk-based approach to internal audits. But what is this method exactly, and why should companies apply it to themselves? Let’s discuss.
What Is a Risk-Based Approach to Internal Audit?
Risk-based auditing focuses on the analysis and management of potential risks to a business. The standards auditors use to assess this include COSO guidelines and AS/NZS. The latter has become a part of a family of international standards of risk management called ISO 31000. The Institute of Internal Auditors labels risk-based internal auditing (RBIA) as “a methodology that links internal auditing to an organization’s overall risk management framework.” RBIA enables internal auditing to give assurance to a company that its risk management processes are functioning effectively. At every stage, RBIA looks to reinforce the responsibilities of management and the board for risk management.
Traditional Audit vs. Risk-Based Audit
Traditionally, an audit focuses on the transactions that create the financial statements, such as the balance sheet. It also involves conducting tests to assess the company's internal controls and their accuracy, and it tests the account balances and the overall posting system of the accounts.
The risk-based method seeks to identify those risks that have the greatest potential for impact, including political and social factors such as the effect of demographic and legislative change. This method also assesses the risk responses prepared by management, which helps auditors understand how the company plans on handling risks. This provides an in-depth understanding of the way the business operates. It also highlights business risks, which is incredibly helpful because those risks bear on the profitability and survival of a company.
There are certain audit risks taken into consideration, namely inherent risk, control risk, and detection risk. Inherent risk refers to the challenges involved in the very nature of the business or transaction. Control risk means the danger of a misstatement that could occur but not be detected, corrected, or prevented by the firm's internal control mechanism. Detection risk refers to the probability of the audit procedures failing to detect the existence of a material error or even fraud.
The Many Benefits of a Risk-Based Audit
- Business-Focused Approach: This method communicates that the management has identified, assessed, and responded to risks above and below the company’s risk appetite. It ties the objectives, processes, risks, controls, tests, and reports together. Risk-based auditing has greater efficiency because it audits the high-risk areas, not just the predominantly financial parts – which may not represent the greatest risk. It ensures that the risks that matter most to the organization are audited, and that management takes ownership and accountability for the mitigation and monitoring of these high-risk areas.
- Inclusive Audits Facilitated by Management: The organization closely involves itself in the risk and audit process through workshops, self-assessments, combined assurance activities, etc., so that management can clearly relate to the benefits of the audit output. Management is far more likely to support the audit work when they are involved in the process and genuinely understand and support the recommendations.
- Proper Categorization and Reporting of Risks, Responses, and Actions: Findings and recommendations are ranked to provide the greatest value to the company. The risk management procedures include effective responses and the completed actions. Management monitors this to ensure they continue to operate effectively.
- Improved Risk Mitigation: Risk-based auditing reveals key risks that are insufficiently controlled or over-controlled, thus improving risk mitigation and overall business efficiency.
- Effective Use of Audit Resources: Instead of depending on the availability of resources to determine how many audits can be conducted, it decides the nature and number of the risks on which the audit committee requires assurance. That allows for better planning and resource allocation. It also helps identify the most significant risks and channel resources towards those.
To help explain these situations, let’s take a look at some examples –
- Could Risk-Auditing Have Saved the Titanic?
In this hypothetical case study, it was assessed whether a risk-based internal audit on the Titanic could have stopped it from sinking. The authors highlight a few important points. The Titanic was a ship with brand new, untested technology and several design flaws that were overlooked in favor of hurrying the launch. The captain had unchecked authority and a large appetite for risk. Had an auditor been present, they could have tapped into the crew's knowledge to create a risk picture and interpreted the potential risks. An auditor would also have been able to avoid being blindsided by the captain. They could have formulated the right questions to help stakeholders look beyond the financial aspects and observe the underlying risks involved in sending the ship on its maiden voyage!
- Risk-based Internal Audits Within Greek Banks
In another, more realistic case study, the auditing practices of three Greek banks were considered. The authors note that the banks had adopted a combination of cyclical auditing and RBIA. They took into account several risks but failed to document them or link them to a relevant assessment. Recommendations included having a strongly defined audit universe and creating risk-assessment-driven scoping and audit planning. Doing so would help the banks achieve their objectives in a more effective and cost-efficient manner.
The case study also suggests that they include the following in their list of risk factors: the size of the area to be audited, the number of employees, the years of operation of the entity and under current management, major changes in operations, programs, systems and controls, and more. Each should be assigned a risk rating, and the auditor must decide which audit to perform. Finally, audit planning should be monitored using specialized software for resource and project management to ensure the effectiveness and efficiency of planning and its monitoring.
We hope this gives you some insight into risk-based auditing, its benefits, execution, and best practices.
For a more detailed overview, you can always reach out to us. We’ll be happy to help you in your financial and operational journey.