Is Your Risk Assessment TOO Complex?

Every year I hear the same sounds of exasperation from auditors when they discuss their risk assessment process. For so many of us, risk assessments are the single hardest part of our jobs. Mostly, the frustration comes from the complexity we’ve built into the assessment. We combine subjective measures with past audit results and data from different systems. Then we tack on hours of interviews with management that only add more subjectivity. When I push deeper and ask who designed this risk assessment process, very few auditors can answer. Usually, it’s someone who left the organization years before or an external consultant who recommended the approach. When completing the assessment takes so much effort that it takes time away from the actual audits we could be working on, is it time to admit that our risk assessment process is just too complicated?

The IIA Standards

We should always go to the primary source for answers first. The primary IIA Standard on risk assessments is Standard 2010 – Planning. Below is the standard as written in the 2017 Standards found on The IIA’s website.

2010 – Planning

The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals.

Interpretation: To develop the risk-based plan, the chief audit executive consults with senior management and the board and obtains an understanding of the organization’s strategies, key business objectives, associated risks, and risk management processes. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.

· 2010.A1 – The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.

· 2010.A2 – The chief audit executive must identify and consider the expectations of senior management, the board, and other stakeholders for internal audit opinions and other conclusions.

· 2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

In the Glossary section of the Standards, we also have a definition of the term risk.

Risk – The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

The key phrases in the Standard and the Glossary definition point out the bare necessities of the risk assessment process. The risk assessment should:

· Be completed at least annually

· Include input from senior management and the board

· Include impact and likelihood measures

For us to claim conformance to the Standards, our risk assessment does not have to be overly complex. The assessment could be as simple as this example:

We do need to have input from senior management and the board, but that does not mean we need to talk to everyone in our organization. Too often our scope for interviewing is overdone. Not every director in a company falls under the umbrella of “senior” management.

If you are just getting started or need to reset the department’s expectations, keep in mind that a basic risk assessment is all the Standards require.

The Real World

Talking about simplicity is all well and good, but in the real world we have to factor in other variables. You may be in a regulated industry with other requirements, or your organization may be public so you have to consider financial statement materiality. Whatever the case, just conforming to the Standards is likely not good enough.

The key is balancing requirements against expectations. Just because others expect you to include thousands of data points in your assessment, that does not mean you should. For the purposes of deploying audit resources, the risk assessment needs to be completed in a reasonable time. As many of us are moving to agile auditing, we will be completing more frequent (e.g. quarterly) risk assessments. If the assessment takes more than two weeks to complete, we are not going to be able to conduct effective audit work.

Risk and Control Self-Assessment

After seeing several hundred variations on risk assessments, I find the most effective and efficient departments are those that use risk and control self-assessments (RCSAs). This pushes much of the data entry for the assessment down to the first line of defense, who are closer to the processes. The self-assessments give you a starting point, and from there we can apply our professional judgement to decide who should be interviewed and which areas are probably low risk and can be quickly eliminated from the plan.

Whether or not you choose to employ any form of self-assessment, I would encourage you to find ways to automate the data collection portion of the assessment and to find a solid risk assessment software package that can help you crunch the data and prioritize your audit universe. Risk assessments are a starting point; they should not be so complex that we dread the exercise.


Toby DeRoche