How and why you should perform a risk assessment over the end-to-end process when planning an internal audit
The International Standards for the Professional Practice of Internal Auditing (Standards) require auditors to assess the risks of each engagement. Specifically, the Standards state the following:
2210 – Engagement Objectives
Objectives must be established for each engagement.
2210.A1 – Internal auditors must conduct a preliminary assessment of the risks relevant to the activity under review. Engagement objectives must reflect the results of this assessment.
There are many ways in which audit teams can assess the risks associated with the engagement. These can include:
Review of the risk register
Review of any controls / assurance activities already in existence
Review of prior audit activity
Meetings with key stakeholders
Each of these activities is sufficient for assessing the risks of the overall process. Where audit teams often fall behind, however, is in their ability to consolidate these activities into a central tool which provides an overview of the end-to-end process, the risks throughout the process, and our final risk assessment.
My Audit Spot have developed a Process Level Risk Assessment tool.
As the audit team performs the various walkthroughs and meetings with key stakeholders, a significant amount of knowledge is obtained. Whilst this should all be documented in our various planning workpapers, it is beneficial for a team to meet together for a 'Team Planning Day'.
During a Team Planning Day, all team members should be able to bring together what they have learnt to build a high-level process flow. The high-level process flow should identify the key steps in the end-to-end process which is currently being audited. For each high-level step, the team should list each of the identified controls, known risks and possible risks.
Using the guidance slide in the template, team members should then be able to consistently assess the likelihood and impact of the risk eventuating for each of the key steps in the process. Once this has been determined, team members, and particularly audit teams with limited resources, will be able to identify the highest-risk areas of the audit. This will allow them to build not only a more targeted audit scope and objective, but also a more appropriate test plan which proportionally addresses the risks identified. For instance, a low-risk step within the end-to-end process should not have the same level of audit attention as a high-risk area, unless audit resources are available.
Let us know how your audit team meets the Standards by assessing the risk in each audit engagement.