A brief guide to assessing risks and controls
As an auditor, you should assess both which risks are material to the process/area/system/risk subject being audited and what control principles would manage them.
Principles and approach
Your template could potentially include:
- the audit objectives or business risks, the risks to achievement of those objectives, and (optionally) the control principles that would manage these risks;
- the actual controls in place and if their design is sufficient to mitigate risks;
- the assessment post-testing of whether well-designed controls are complied with; and
- your overall assessment of whether the controls, as designed and operating effectively, manage the risks identified.
Guidance and training should also be provided, including on whether processes should be documented.
An assessment of what risks are material to the process/area/system/risk subject being audited is a logical analysis of what could go wrong and what would cause that to happen. This may involve consideration of:
- the audit objectives;
- risk appetite, risk ownership, risk priorities and key risk indicators;
- risks highlighted by the business areas in their risk registers;
- what has gone wrong - in other words, known incidents;
- discussions with business managers and risk division;
- internal and external research; and
- output from a meeting of the team to identify material risks.
An assessment of what control principles would manage these risks is optional. However, it’s also good practice because it helps you identify what you think should be in place in principle, before being unduly influenced by the controls that are actually in place.
You should consider what will prevent the risk from crystallising and how to detect it if it does. Risk can also be transferred instead of controlled. Your assessment will also take into account the nature of the control, whether it’s automated or manual, and the different types of control.
Actual controls should be identified from a review of process documentation and risk registers, as well as from discussion with the business. Walk them through to confirm they’re in place, then compare them to your control principles to assess whether they’re sufficient to manage risk as designed.