Annual risk assessment & the audit plan
Each year, internal audit conducts a companywide risk assessment in order to prepare its annual audit plan. Typically, the whole internal audit function is involved in this exercise with input from the Chief Audit Executive. The process is driven and coordinated by IA’s senior management team.
Annual audit risk assessment methodologies
Internal audit can apply a top-down, bottom-up or hybrid approach to complete this task. Whichever of these three methodologies is used greatly affects the level of detail required for the analyses.
Let me give you my take on the primary factors influencing this decision:
- Nature of the business (mature industry vs. rapidly evolving tech sector etc.)
- Regulatory environment
- Audit committee of the board or the board’s preference
- Corporate strategy initiatives
- Market positioning and intensity of competition
- Availability of reliable data at the business unit and/or function levels
- Stability of the workforce i.e. employee turnover
Internal audit’s top-down approach is mainly driven by the risk perspectives of senior executives and the board. Senior management interviews coupled with qualitative measures are the critical inputs for this methodology.
On the other end of the spectrum, the bottom-up model is based on granular metrics at the business unit and/or function level. Key risk indicators such as change in revenues, introduction of new products or services, employee turnover, process changes and new system implementations are the fundamental building blocks of this risk assessment model.
The hybrid approach takes the best of both models and applies them in a weighted or equally weighted fashion.
Changes to the risk assessment methodology
One of the key challenges for internal audit is to identify when a change to the risk assessment methodology is warranted. At a high level, the velocity of change within the sector as well as the organization itself will drive the need to adjust or update the risk assessment approach.
This dilemma is similar to the sensitivity adjustment of market risk management models in response to changing market dynamics and/or broken correlations.
Ultimately, one should not prescribe a specific frequency (such as every other year) for changing IA’s risk assessment methodology. The annual risk assessment should warrant a closer look at whether the model is still relevant.
Adjustments to the methodology should be based on new or changing key risk indicators using the professional judgement of IA’s senior management as well as the Chief Audit Executive.
What annual audit risk assessment methodology is used by your organization and why?