A brief guide to assessing risks and controls
As an auditor, you should assess both which risks are material to the process / area / system / risk subject being audited and what control principles would manage them.
We have already established that the internal auditor seeks to provide reasonable assurance that the controls in place are appropriate to manage material risks within the organisational appetite.
We have also established that the evidence on file should allow another professional internal auditor to arrive at the same conclusions and opinion.
To achieve the above, we should use clearly structured working papers. These will vary from team to team, and therefore in-house training and guidance should be provided on the completion of working papers and on the supporting evidence to be retained.
One of the key working papers within any audit file is that which summarises the evaluation of controls. This could potentially include:
- the objectives and associated risks to their achievement
- the controls you would expect to be in place to manage these risks (optional)
- the actual controls in place based upon preliminary audit work
- assessment of whether the design of the actual control is sufficient to mitigate risks
- assessment of whether the actual control is being applied in practice
- your overall assessment of whether the controls, as designed and operating, manage the risks identified
The prior consideration of expected controls is optional. However, it is good practice as it helps the internal auditor identify what they think should be in place in principle, before being unduly influenced by the actual controls in place. This assessment helps inform the auditor's view as to whether the design of the control, if operated effectively, is sufficient to manage the risk.
Actual controls can be identified from discussion with the auditee, observation, review of process documentation and risk registers / board assurance framework.
Perform a walk-through to confirm controls are in place. Evidence the key steps in the walk-through to demonstrate the control environment.
The auditor should compare whether what they have actually observed is reflected in process documentation, thereby informing whether policies and procedures are current and support organisational resilience.
You should consider the nature of the control, whether it’s automated or manual, and whether it relies upon the skills and knowledge of specific individuals. Over-reliance on individuals may represent a significant key-person risk to the organisation. Therefore the natural extension is to consider whether the organisation has taken suitable steps to minimise this additional risk factor.
If the design is sufficient, the auditor moves to their testing strategy to ensure that the control is operating in practice. A well designed control only achieves its objective and manages risk if it is being followed.
Audit testing is all about ensuring the actual controls you are relying upon to effectively manage risk are operating properly.
As a department:
- set minimum sample sizes for testing based on the number of transactions and the frequency with which controls are exercised
- produce a test plan from your assessment of risks and controls
- provide a template for recording your testing – this may include the purpose, population, sample selection methodology, findings and conclusion
Test that the control operates effectively over time (eg that reconciliations are signed off monthly as having been completed correctly) and that the underlying transactions are accurate (eg that an individual reconciliation was accurate when you performed it a second time). These are known as compliance testing and substantive testing respectively.
Testing can look for indicators of fraud or error, such as analysing expenses paid on the same date to see if a claim has been split due to authorisation levels.
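The split-claim check described above, as an added worked example (not part of the original guide): it groups expense claims by claimant and payment date and flags the days where every claim is individually below the authorisation limit but the day's total is not. The claims data and the limit of 500 are constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Assumed single-approver authorisation limit (constructed for this example).
AUTH_LIMIT = 500.00

# Constructed sample expense claims: claimant, payment date, amount. Not real data.
CLAIMS = [
    {"id": "C001", "claimant": "alice", "paid": date(2023, 3, 1), "amount": 450.00},
    {"id": "C002", "claimant": "alice", "paid": date(2023, 3, 1), "amount": 480.00},
    {"id": "C003", "claimant": "bob",   "paid": date(2023, 3, 1), "amount": 120.00},
    {"id": "C004", "claimant": "bob",   "paid": date(2023, 3, 2), "amount": 490.00},
    {"id": "C005", "claimant": "carol", "paid": date(2023, 3, 1), "amount": 800.00},
    {"id": "C006", "claimant": "dave",  "paid": date(2023, 3, 1), "amount": 200.00},
    {"id": "C007", "claimant": "dave",  "paid": date(2023, 3, 1), "amount": 250.00},
]


def find_split_claims(claims, limit):
    """Return the (claimant, date) groups where each claim is below the limit
    but the combined total reaches it. A group is an indicator to follow up
    with the auditee, not proof that a claim was deliberately split."""
    by_key = defaultdict(list)
    for c in claims:
        by_key[(c["claimant"], c["paid"])].append(c)

    flagged = []
    for (claimant, paid), group in sorted(by_key.items()):
        if len(group) < 2:
            continue  # a single claim cannot have been split
        total = round(sum(c["amount"] for c in group), 2)
        if all(c["amount"] < limit for c in group) and total >= limit:
            flagged.append({
                "claimant": claimant,
                "paid": paid.isoformat(),
                "claim_ids": sorted(c["id"] for c in group),
                "total": total,
            })
    return flagged


if __name__ == "__main__":
    for hit in find_split_claims(CLAIMS, AUTH_LIMIT):
        print(f'{hit["claimant"]} on {hit["paid"]}: {hit["claim_ids"]} total {hit["total"]}')
```

On the sample data only alice's two same-day claims are flagged; carol's single claim above the limit would have gone through the higher approval level and is not a split, and dave's two claims stay below the limit in total.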
Professional standards recognise that internal auditors should have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organisation, but we are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
Take responsibility for designing efficient and effective testing:
- ensure there’s no bias in your sample selection methodology in order for your testing results to be credible
- consider breaking your testing population down into chunks based on the value of the transaction in order to target it better and capture any variable controls such as hierarchy of approval levels
- testing should refer to the organisation’s risk appetite / key risk indicators where relevant
- ensure there’s no bias when testing across a number of business areas exercising the same controls
- consider whether data analytics can be used to analyse data extracted from systems, test populations and provide more robust assurance than purely sampling (where appropriate)
Effectively document your testing:
- enough information should be provided so that it could be performed again
- the same conclusion should be reached by an independent reviewer
- retain evidence of the material errors you find in case it’s disputed
- re-visit your test plan in light of your test findings
Consider other evidence of the operation of controls / accuracy of data:
- analyse management information produced by the business and what that tells you about risk
- see if controls have been tested by risk oversight functions or by the department itself (this may be required for Sarbanes-Oxley)
Talk through your findings with the auditee at the time to ensure they’re valid, avoid any ‘surprises’ and reduce potential challenge at a later stage.
IIA IPPF Standard 2300 - Performing the Engagement