Annual Risk Assessment - 4 Steps (Summary)
Arif Zaman FCCA, CIA, CISA, CPA, CFE, CCSA, CRMA, CRBA
Head Internal Audit & Risk | xEY | xEmaar | xTelenor | Consultant | Trainer | Speaker | Author | YouTuber
The internal auditor prepares the audit plan based on the results of the annual risk assessment. The risk assessment is the most crucial component of the whole annual planning process: all the upcoming yearly audit engagements are substantially driven by it, apart from audits arising from pressing needs (special requests).
"If there's one thing that I would like to call a nightmare in an auditor's life, I would say it is the risk assessment process, because if it goes wrong, the whole audit process gets affected by it and we end up doing audits which are of less value to the organization."
Risk assessment generally involves four key steps:
Step 1: Audit Universe - Break down the organization into auditable entities
To develop the audit universe for a group, the prior year's list of entities can be used as a basis. If you are responsible for only one entity, you can use organization charts/structure, processes, functions or the product range as the basis for the audit universe. The auditor can also seek management's assistance in breaking the organization into auditable areas.
Step 2: Conduct risk assessment
Design your risk assessment based on your organization's environment. To carry out a risk assessment, information can be gathered through several means:
- Coordinate with, and take input from, the risk function and the other second-line-of-defense functions.
- Hold meetings with, or send questionnaires to, the functional heads to gather risks.
- Review earlier audit reports
- Use other sources such as industry publications, economic statistics, online forums, expert reviews, etc.
- Use your own judgment and experience.
The information gathered will highlight historical data on past risks (the likelihood and impact of the contributing risk events) as well as possible future risk events that the organization could encounter.
Step 3: Analyze the information collected
The information collected from several sources will assist the auditor in identifying all the key risks to be incorporated into the risk matrix.
The risk matrix is a worksheet used to list all the risks in a systematic order against the audit universe (auditable areas), so that each can be analysed and rated based on its likelihood (an estimate of the chance of an event or incident happening) and its impact on revenue, reputation, reporting, etc.
Use the risk matrix to combine LIKELIHOOD and IMPACT to obtain a risk score. The risk score may be used to aid decision making.
Risk appetite can be an extra guide in risk assessment and help in rating the risks.
Advanced Techniques for Risk Analysis
In the financial sector, more sophisticated methods of risk analysis are usually used. Banks, in particular, are required by their regulators to identify and quantify their risks, often using techniques such as:
Quantitative Risk Analysis: Quantitative risk analysis is the practice of creating a mathematical model of a project that explicitly includes uncertain parameters that we cannot control, and also decision variables or parameters that we can control.
Models and Simulation: By computer simulation, we can introduce uncertainty into our experiments by allowing some conditions to vary. The simulation consists of experiments (or random trials), from which we collect statistics about the results.
Monte Carlo Simulation: Monte Carlo simulation is especially helpful when there are several different sources of uncertainty that interact to produce an outcome. For example, if we're dealing with uncertain market demand, competitors' pricing, and variable production and raw material costs at the same time, it can be very difficult to estimate the impact of these factors, in combination, on net profit. Monte Carlo simulation can quickly analyze thousands of 'what-if' scenarios, often yielding surprising insights into what can go right, what can go wrong, and what we can do about it.
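The net-profit scenario above is small enough to run end to end. The following is an added example, not code from the article: it draws the three interacting uncertainties (demand, price, unit cost) from constructed distributions, computes net profit for ten thousand random trials, and reports the spread of outcomes, the probability of a loss, and how strongly each input drives the result. The distributions, the fixed cost and the function names are assumptions for the illustration.

```python
import random
import statistics

# Constructed assumptions for the illustration (not figures from the article):
#   demand     ~ Normal(mean 10,000 units, sd 1,500), floored at zero
#   unit price ~ Uniform(9, 11)     competitors' pricing pressure
#   unit cost  ~ Uniform(5, 7)      production and raw materials
#   fixed cost = 20,000 (treated as certain)
DEMAND_MEAN, DEMAND_SD = 10_000.0, 1_500.0
PRICE_LOW, PRICE_HIGH = 9.0, 11.0
COST_LOW, COST_HIGH = 5.0, 7.0
FIXED_COST = 20_000.0


def _correlation(xs, ys):
    """Pearson correlation, written out so the block runs on any Python 3."""
    mx, my = statistics.fmean(xs), statistics.fmean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / (vx * vy) ** 0.5


def simulate_net_profit(trials=10_000, seed=1):
    """Run `trials` random scenarios and summarise the net-profit distribution.

    Each trial draws one value per uncertain input and computes
        net profit = demand * (price - unit cost) - fixed cost.
    The returned dict reports the spread of outcomes plus the correlation of
    each input with profit, i.e. which driver matters most.
    """
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    demands, prices, costs, profits = [], [], [], []
    for _ in range(trials):
        demand = max(0.0, rng.gauss(DEMAND_MEAN, DEMAND_SD))
        price = rng.uniform(PRICE_LOW, PRICE_HIGH)
        cost = rng.uniform(COST_LOW, COST_HIGH)
        demands.append(demand)
        prices.append(price)
        costs.append(cost)
        profits.append(demand * (price - cost) - FIXED_COST)

    ordered = sorted(profits)

    def percentile(p):
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "trials": trials,
        "mean": statistics.fmean(profits),
        "p5": percentile(0.05),      # bad case: 95% of scenarios do better
        "p50": percentile(0.50),
        "p95": percentile(0.95),     # good case
        "prob_loss": sum(1 for x in profits if x < 0) / trials,
        "drivers": {                 # +/- correlation of each input with profit
            "demand": _correlation(demands, profits),
            "unit_price": _correlation(prices, profits),
            "unit_cost": _correlation(costs, profits),
        },
    }


if __name__ == "__main__":
    result = simulate_net_profit()
    for key, value in result.items():
        print(f"{key}: {value}")
```

With these assumptions the expected profit is 20,000, but the 5th percentile sits well below it and a few percent of scenarios end in a loss; the driver correlations show that demand moves profit slightly more than either price or cost, which is the kind of "what we can do about it" insight the paragraph refers to. Replacing the constructed distributions with the organization's own estimates is all that is needed to reuse the function.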
Step 4: Consult with executive management and finalize the audit plan
After identifying and rating each risk, the auditor comes up with the list of all the key risks pertaining to the auditable areas. In prioritizing the auditable areas, the following need to be taken into consideration:
- High risks that directly affect the achievement of the business objectives.
- Select certain medium and low risks as well, because there is an element of subjectivity in the risk assessment process, due to which some risks could have been misrated.
- Take Black Swan events into consideration by thinking out of the box: the Black Swan concept challenges us to think about the unthinkable, to consider events that may be inconceivable or at least highly unlikely.
Once the audit areas are finalized, split them into a Priority 1 and a Priority 2 list. Priority 1 is basically the initial draft of the annual audits for the next year, whereas Priority 2 is the backup plan: if for any reason the auditor is not able to execute a Priority 1 audit, he can choose from this list.
Last but not least, do not wait until year end to update your risk assessment: if an event (internal or external) changes any risk category (high, medium, low), the auditor must update the risk assessment and adjust the annual audit plan accordingly.
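Steps 3 and 4 together, as an added example that is not code from the article: a small risk matrix that scores each auditable area as likelihood x impact, rates it High/Medium/Low, builds the Priority 1 and Priority 2 lists (all High areas plus a deliberate sample of one Medium and one Low area, for the subjectivity reason given above), and re-rates one area mid-year to show the plan being adjusted. The audit universe, the 1..5 scales, the score bands and the function names are assumptions for the illustration.

```python
from dataclasses import dataclass, replace

# Assumed score bands (not from the article): likelihood x impact on 1..5 scales.
HIGH_THRESHOLD = 15    # 15..25 -> High
MEDIUM_THRESHOLD = 8   # 8..14  -> Medium, below 8 -> Low


def risk_score(likelihood, impact):
    """Combine a 1..5 likelihood with a 1..5 impact into a single score."""
    for value in (likelihood, impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must each be rated 1..5")
    return likelihood * impact


def rate(score):
    """Map a score onto the High / Medium / Low categories used in the plan."""
    if score >= HIGH_THRESHOLD:
        return "High"
    if score >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class AuditableArea:
    """One row of the risk matrix: an auditable area and its current rating."""
    name: str
    likelihood: int
    impact: int

    @property
    def score(self):
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self):
        return rate(self.score)


def build_audit_plan(universe):
    """Split the universe into Priority 1 (next year's draft) and Priority 2 (backup).

    Priority 1 takes every High area plus the top-scoring Medium and the
    top-scoring Low area, so that a misrated area is not missed entirely.
    Both lists are ordered by descending risk score.
    """
    ranked = sorted(universe, key=lambda a: a.score, reverse=True)
    priority_1 = [a for a in ranked if a.rating == "High"]
    for band in ("Medium", "Low"):
        pick = next((a for a in ranked if a.rating == band), None)
        if pick is not None:
            priority_1.append(pick)
    priority_2 = [a for a in ranked if a not in priority_1]
    return priority_1, priority_2


def reassess(universe, name, likelihood, impact):
    """Return a new universe with one area re-rated after an internal or external event."""
    if not any(a.name == name for a in universe):
        raise KeyError(f"{name!r} is not in the audit universe")
    return [replace(a, likelihood=likelihood, impact=impact) if a.name == name else a
            for a in universe]


# Constructed sample audit universe (hypothetical areas and ratings).
SAMPLE_UNIVERSE = [
    AuditableArea("Treasury & Cash Management", likelihood=4, impact=5),  # 20 High
    AuditableArea("Procurement", likelihood=4, impact=4),                 # 16 High
    AuditableArea("Payroll", likelihood=2, impact=4),                     #  8 Medium
    AuditableArea("IT Access Management", likelihood=3, impact=5),        # 15 High
    AuditableArea("Fixed Assets", likelihood=2, impact=2),                #  4 Low
    AuditableArea("Marketing Spend", likelihood=3, impact=3),             #  9 Medium
    AuditableArea("Facilities", likelihood=1, impact=2),                  #  2 Low
]


def names(areas):
    return [a.name for a in areas]


if __name__ == "__main__":
    p1, p2 = build_audit_plan(SAMPLE_UNIVERSE)
    print("Priority 1:", names(p1))
    print("Priority 2:", names(p2))
    # Mid-year: a hypothetical payroll control failure lifts Payroll to 4 x 4.
    p1, p2 = build_audit_plan(reassess(SAMPLE_UNIVERSE, "Payroll", 4, 4))
    print("After re-rating Payroll, Priority 1:", names(p1))
```

On the sample universe Priority 1 is the three High areas plus Marketing Spend (Medium) and Fixed Assets (Low), with Payroll and Facilities held in Priority 2; after Payroll is re-rated to a score of 16 it moves into Priority 1 without the rest of the plan being rebuilt by hand. `reassess` returns a new list rather than mutating the original so that the year-start matrix stays available for comparison.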
I welcome your valuable comments!
ABOUT THE AUTHOR
Arif Zaman brings more than a decade of proven experience in internal audit, risk management and fraud investigation. He is the Head of Internal Audit at a Public Joint Stock Company based in Dubai, UAE. He holds an MSc in Professional Accountancy from the University of London and a BSc Hons in Applied Accounting from Oxford Brookes University, along with an impressive set of professional certifications including ACCA, CIA, CISA, CFE, CCSA, CRMA, CRBA, CPA and CGA.
For more immediate reading, here are some other posts I have written:
Technical articles
- Corporate Governance
- Risk Appetite
- Road Map to Data Analytics
- Political pressure on CAE
- Difference between the role of internal control, compliance, risk management and audit?
- Internal audit is a dying career?
- Internal audit - Innovate or stagnate
- Internal audit insight from IIA President
- Auditing business ethics
- Business email compromise
- Create a risk register in 4 steps
- Cloud computing - Internal audit perspective
- Annual risk assessment (4 steps)
- Annual audit planning process (5 steps)
- Role of internal audit in risk management
- The impact of emerging technology on auditing
- Family business governance
- New IPPF 2015 (summary)
- Internal audit function maturity curve
- Real story - Ponzi scheme
Others
- Feel like you are falling apart
- My most vivid childhood memories
- I think of my failure as a gift
- Life changing story - From admin staff to TV anchor
- Remove toxic people from your life
- Africa is not a country
- The best time of the day to do things at work
- Build your personal brand
- Pass the 6 second CV scan test
Public Accountant and Auditor · 8 years ago
Good contribution. Nowadays it is very important to review the contracts, the business model and the strategic plan.
Experienced Audit, Risk Management & Compliance Professional · 9 years ago
Arif, any further additions for Compliance Personnel??
Chairman/CEO at Lawrence Adeyemo Holdings, Incorporated · 9 years ago
Thanks for sharing.....
Deputy General Manager @ Deeko Bahrain | Strategic Visionary | Expert in Operations & Growth | Navigating Change for Success · 9 years ago
Dear Sir, your articles are very effective and full of knowledge. I really appreciate your time and effort in publishing them for the common good.