ComplianceJune 13, 2022

Defining the auditor’s role in the risk-audit relationship

By: John J. Hall

Prioritizing risk with a risk matrix

Once auditors have identified the risks in their organization, how should these risks be documented and assessed? A risk assessment matrix is a common and highly useful documentation framework that supports risk management efforts, including:

  • Identifying risks
  • Assessing the likelihood and significance
  • Red flags
  • Preventative controls
  • Detective controls
  • Controls effectiveness assessment
  • Residual risks
  • Risk response

However, assessing the likelihood and significance of a risk occurring is a highly subjective process. Management and auditors should not only consider the monetary significance but also the importance to the organization’s reporting, operations, reputation, legal and regulatory compliance impact.

The risk matrix should be an active tool that both illustrates situational awareness and drives corrective action where needed. And while a risk matrix is often a very complex document, it doesn’t need to be. It may be effective to develop a risk matrix that ranks the likelihood of a risk event using subjective “seat of the pants” measures like probable, potential, possible, and remote classifications. Even broad measures like these can quickly demonstrate where action is needed right now.

It’s beneficial to take a step back, examine the risk matrix tools you’re using and ask yourself, “Is it too complex?” If the answer is “yes”, perhaps it’s time to make a change.

Never let the format get in the way of substance and purpose.

This is not to downplay the importance of a comprehensive risk assessment and documentation efforts. Rather, a warning about how the process may overtake the purpose, as happens too often in risk matrix development. The matrix you build should be tailored to your unique environment and needs, not to another’s expectations.

Internal controls are only as effective as the humans responsible for their design

Effective internal controls require two things: a strong control environment and daily control behaviors. The control environment includes policies, procedures, laws, and regulations.

 Defining the auditors role graphic 1 

It also includes the tone at the top from organizational leaders, compliance monitoring, access, and transaction execution, review, and approval. Meanwhile, the control behaviors are the skills, interest, time, supervisor support, and peer support.

Using this chart can assist with making a quick decision about where your organization is positioned.
Defining the auditors role graphic 2
Supportive environment and strong behaviors place you in the highly desired quadrant 1. But plenty of controls matched with inconsistent daily human behaviors has the potential to move you down to quadrant 2.

And no amount of enhanced or additional policy, procedure or leadership ‘tone’ will fix your problem. It has been my experience that 90% of organizations exist and operate primarily in quadrant 2.

At the risk of overstating the obvious, this simple 4 quadrant analysis may be all that is needed to know with certainty where corrective activity must occur to move towards the ideal, ‘top-right’ quadrant results.

Bringing focus to the risk-audit relationship

In general, an auditor’s role is to identify risks and evaluate management’s controls and procedures to manage those risks. We do that through testing, data analytics, research, industry benchmarking and a long list of other tools. We also fulfill our role by asking questions and listening to the answers (Remember the definition of an “auditor” in part one?).

Conclusion

Strengthening the risk-audit relationship can help auditors cut through complicated risk models to ensure we focus on what matters most to our organization. But remember, one size does not always fit all. The amount of time and resources we spend measuring and monitoring depends on our industry, business model, leadership team, and an evaluation of the current state of controls and behaviors.

John Hall Headshot
John J. Hall
President, Hall Consulting, Inc.
John J. Hall, CPA is the founder and President of Hall Consulting, Inc. John has over 40 years of experience as a speaker, auditor, consultant, and business owner.
Solutions

TeamMate+ Audit

Audit management

Learn More

The world’s leading audit management software - empowering audit departments of all sizes.

Learn More
View a Demo
Contact Us

Related Insights

  • Case study
    Compliance
    Finance
    Tax & Accounting
    November 14, 2025

    Driving global tax innovation: How Moore Australia leverages CCH solutions

    Discover how Moore Australia uses Wolters Kluwer’s CCH Integrator and CCH iKnowConnect to deliver cutting-edge compliance solutions and support firm-wide growth.
    Learn More
  • Article
    Compliance
    Legal
    Tax & Accounting
    October 11, 2025

    Malaysia Budget 2026 - Tax and Accounting Report

    On Friday, 10 October 2025, the 2026 Malaysia Budget was delivered in Parliament. Wolters Kluwer provides a full coverage of all the major economic, tax and accounting reforms and announcements impacting your clients and organisation.
    Learn More
  • Article
    Compliance
    Legal
    Tax & Accounting
    October 11, 2025

    Malaysia Budget 2026 - HR Report

    On Friday, 10 October 2025, the 2026 Malaysia Budget was delivered in Parliament. Wolters Kluwer provides a full coverage of all the major economic and employment reforms and major updates impacting your clients and organisation.
    Learn More
  • Article
    Compliance
    Legal
    Tax & Accounting
    July 17, 2025

    The price of knowledge: why professionals must invest in their research solution

    With free resources such as ChatGPT and Microsoft Copilot at your fingertips, have you thought about how much that free option could really cost you or your firm?
    Learn More
Back To Top