Internal audit teams at financial institutions typically perform an enterprise risk assessment annually as part of their audit plan update process. The intent of this audit risk assessment is to document the risk of each activity or area in the institution relative to the other activities or areas.
Why do auditors perform this risk assessment periodically? By understanding and documenting the risks, audit leaders can determine the audit cycle (frequency) for each audit in the plan, with higher-risk areas being audited more frequently.
The basic steps for an internal audit risk assessment include:
1) Defining the audit universe and audit entities
2) Assessing the audit entities based on various risk categories
3) Scoring the risk factors to arrive at a risk rating for the audit entity
4) Using the information to determine which entities to include in the audit plan, along with the frequency
To illustrate step #2, let’s consider an example: Consumer regulatory compliance is one risk category an auditor will consider when performing a risk assessment. Assuming that this category does not include financial crimes, what elements or factors should the auditor review? How can the auditor improve the risk-rating accuracy? Below are some ideas:
All of the above is important, but the most important data input to the risk assessment for the consumer regulatory compliance category could be the level of consumer complaints in the activity or area. At the very least, it can be used as a reconciling factor. For example, if the consumer regulatory compliance category comes out as low risk for an activity or area, yet a large percentage of all consumer complaints fall into that activity or area, there is a disconnect in the risk rating, and it has to be reconciled and, if warranted, overridden.
The topic of overrides comes up often in conversations about risk assessments. Overriding a risk rating can be justified in certain contexts, as the example above demonstrates. Just be mindful that any risk rating override needs to be explained in writing and reviewed and approved by audit department leadership. There can also be overrides of the frequency of a particular audit. If regulation requires the audit to be performed annually (or thereabouts), the risk rating no longer drives the frequency, but it should still be computed and documented nonetheless.
In terms of weighting, all examiners expect is that the weighting of each element makes reasonable sense and that the methodology is documented in your procedure. Similarly, in terms of scoring, examiners expect the scoring methodology to be reasonable and documented. The use of a 5-point scoring scale has gained traction in the last decade or so, but many institutions still use a 3-point scale.
Ensure that the written procedure for conducting the annual audit risk assessment includes what will be reviewed. If a data-gathering checklist is used, include that in the procedure. A checklist can add formality to the risk assessment and provide the auditor with an area to comment on each item or document reviewed.
Internal audit risk assessments should provide insight into the risks in the audit entities, enabling internal audit management to create a risk-based audit plan that is well supported and documented.