Businessman discussing strategy with female colleagues in office
Compliance 10 June, 2022

Reducing the uncertainty of risk in audit

Auditors in internal audit, government, and public accounting assurance positions are considered risk experts. An essential part of their job is to identify business risks – whether financial, compliance, reputation, IT, fraud, and a long list of other exposures. But are auditors focusing on the right risks?

When populated with surface-level brainstorming, standard risk models often result in a false sense of security and missed risks. And the reality is that risk management controls are only as effective as the humans responsible for their design, execution, and effectiveness.

In part one of this two-part series, we’ll narrow it down to what risks really matter in an audit setting to bring precision and clarity to what auditors need to know and do:

Ask questions and listen

When you think about the word “auditor,” the root word is “auditory,” which means to listen. So, an auditor is actually “one who listens.” The primary way auditors work, gather information, and assess whether or not management adequately addresses risk requires asking questions and listening to the answers. When auditors can do this, that’s when the risk-audit relationship comes together.

A colleague, Dana Pearce, describes the risk-audit relationship in this way, “Managing risk is the art of building value by understanding what can be gained or lost from action or inaction, the foreseen or unforeseen, the planned or the unplanned.” As auditors, our job is to ask, “What can go wrong? What opportunities are we missing?” These two questions, when asked from the management perspective, are the starting point of any risk management initiative.

In addition to core compliance and control risks, auditors should ask, “What would it look like if we are losing customers, our cash flow drops off, or our revenue quality begins to deteriorate? What early warning signs would I pay attention to if I was the owner?” Auditors need to think more broadly about the risk-audit relationship. As we take a fresh look at our business environment and what has changed in the past few years since the global pandemic, this is a great time to step up and push the risk-audit relationship even further.

View a demo

Black Swan risks

A Black Swan risk is a truly extraordinary event. It is a high significance, high impact, low probability event, such as a global pandemic, terrorism, political instability, disruptive technology, or natural disasters. It could also be the complete failure of technology that puts an organization out of business for an extended period, not just an hour or two as systems go down. Are auditors adequately taking Black Swan events into account? Coming out of the pandemic, it does make sense to spend a bit more time focused on your business risks and how auditors should proactively plan for potential Black Swan events.

Prospective risks

Prospective risks are potential risks down the road, like climate change and rising sea levels. These risks may not be relevant right now, but there can be red flags or observable signs that risk is coming, so auditors need to have prospective risks on their radar.

Integrity of management

Auditors need to consider more risk than ever before in their audit role. In our more complex audit environments, it’s critical to take the integrity of management into account. This includes senior management, mid-level managers, and supervisors trying to meet their goals for the year. Is it possible that management’s integrity level could drop off because people are under intense pressure? This is something that auditors should be aware of.

Reliability of accounting systems and information

What if the reliability of accounting systems or information falters? What if competitive pressures, cashflow pressures, or growth pressures kept your systems from being properly maintained? While auditors may think the likelihood of this happening is low, the risk remains and is worth consideration.

Risk and the circle of trust

There are three sources of risk around what I call the “circle of trust.” Visualize the circle of trust as your entire organization’s operation. Looking from a distance, we can see that there are three positions on the circle.

Managing risks – both known and unknown

As our business environment grows more complex, auditors must anticipate new levels and varieties of risk. While these risks can be unpredictable, there are measures every auditor can take to help management mitigate their impact.

Existing risks

Existing risks, which are the risks auditors know about today, can be broken down into two tiers. The first tier includes the finance, compliance, reputation, technology, and fraud risks. These are the risks that auditors commonly perform a risk assessment on, whether annually, every six months, or even project by project. But it may be helpful for auditors to expand their thinking and go a little wider to include the Tier 2 risks, such as operations, supply chain, infrastructure, knowledge, and competition, into their risk assessments.

Process graphic for Expert Insights: Reducing the uncertainty of risk in audit - circle of trust
First, there are the people located outside the circle of trust, such as the public, our customers and clients, the students in our schools and taxpayers our government serves. The organization interacts with people in this first position, but we build in access and transaction controls to limit their access to our systems. This group makes up the outside risk.

The second position on the circle of trust is one foot in and one foot out. This group includes contractors and consultants, business partners, and recurring vendors – all of those people and organizations that are allowed into your organization only halfway. You let them into your circle of trust with one foot while remembering that they have their own business needs and objectives and are trying to generate their own profit. And sometimes, their fiduciary responsibility to serve you may conflict with their desire to maximize their profits or return on investment.

The third risk is made up of the people inside the circle of trust – the employees. It might be surprising, but they bring the highest level of risk to your organization. Why? Your internal employees are the controls. Management builds protective controls primarily against outside risk or those who we only let in halfway. These people aren’t allowed to go too deep into our systems, unlike the employees already inside the circle of trust.

Now that you better understand what is intended by “business risk” as a foundation for meaningful audit action, we’ll take a closer look at how the tools for risk tolerance measurement, including risk matrices, can help and hinder the audit function. Click here for part two.

Subscribe below to receive monthly Expert Insights in your inbox

John Hall Headshot
President, Hall Consulting, Inc.
John J. Hall, CPA is the founder and President of Hall Consulting, Inc. John has over 40 years of experience as a speaker, auditor, consultant, and business owner.
Back To Top