Improving Internal Audit Risk Assessment Processes

  • October 20, 2023
  • Quantivate

Internal audit teams at financial institutions typically perform an enterprise risk assessment annually as part of their audit plan update process. The intent of this audit risk assessment process is to document the risks of certain activities or areas in the institution relative to other activities or areas.

Why do auditors perform this risk assessment periodically? By understanding and documenting the risks, audit leaders can determine the cycle/frequency for each audit in the plan, with higher risk areas being audited more frequently.

The basic steps for an internal audit risk assessment include:

1) Defining the audit universe and audit entities

2) Assessing the audit entities based on various risk categories

3) Scoring the risk factors to arrive at a risk rating for the audit entity

4) Using the information to determine which entities to include in the audit plan, along with the frequency

Audit Risk Assessment Example

To illustrate step #2, let’s consider an example: Consumer regulatory compliance is one risk category an auditor will consider when performing a risk assessment. Assuming that this category does not include financial crimes, what elements or factors should the auditor review? How can the auditor improve the risk-rating accuracy? Below are some ideas:

  • Review regulatory material from banking industry regulators and other agencies including the OCC, FDIC, Federal Reserve, NCUA, CFPB, and FTC. Material can include the periodic risk or supervisory updates each agency publishes, as well as enforcement actions, examination manuals, etc.
  • Review internal metrics such as the number of accounts, number of transactions of a certain type, etc.
  • Review audits and examinations performed in the prior years, open audit and examination issues, percentages of issues closed and how quickly, and numbers of self-identified issues.
  • Review policies and procedures, including last review date.
  • Review second-line compliance monitoring/testing reports and any corrective actions.
  • Review the vendors used in the activity or area and how they are managed.
  • Review informational packets sent to various management and board-level committees, including the reporting of key risk and performance indicators (KRIs and KPIs).
  • Review other risk assessments performed at the institution, including fraud risk assessments, fair lending risk assessments, and/or Regulation E or NACHA/ACH risk assessments, where relevant and available.

All of the above is important, but the most important data input to the risk assessment for the consumer regulatory compliance category could be the level of consumer complaints in the activity or area. At the very least, this can be used as a reconciling factor. For example, if the consumer regulatory compliance category comes out as low risk for an activity or area, yet a large percentage of all consumer complaints fall into this activity or area, you have a disconnect in the risk rating, and it would have to be reconciled and/or overridden.

Risk Rating & Scoring Considerations

The topic of overrides comes up often in conversations about risk assessments. Overriding a risk rating can be justified in certain contexts, as the example above demonstrates. Just be mindful that any risk rating override needs to be explained and reviewed/approved by audit department leadership. There can also be overrides in terms of the frequency of any particular audit. If regulation requires the audit to be performed annually (or thereabouts), the risk rating has no bearing on frequency, but it should still be computed.

In terms of weighting, all examiners expect is that the weighting of each element makes reasonable sense and that the methodology is documented in your procedure. Similarly, in terms of scoring, examiners expect the scoring methodology to be reasonable and documented. The use of a 5-point scoring methodology has gained traction in the last decade or so, but many institutions still use a 3-point scoring methodology.

Other Internal Audit Risk Assessment Tips

Ensure that the written procedure for conducting the annual audit risk assessment includes what will be reviewed. If a data-gathering checklist is used, include that in the procedure. A checklist can add formality to the risk assessment and provide the auditor with an area to comment on each item or document reviewed.

Internal audit risk assessments should provide insight into the risks in the audit entities, enabling internal audit management to create a risk-based audit plan that is well supported and documented.