Management is responsible for risk management, but audit plays an important supporting role. And avoiding any disconnect between auditor expectations and delivery on the job is critical to our credibility. Audit risk management processes and daily auditor actions must be completely aligned on every project every day.
In part one, we examined how to identify risks in an audit setting. We also identified two questions that auditors should ask themselves during any risk management initiative:
- What can go wrong?
- What opportunities are being missed?
In part two of our series, you’ll learn how to add measurable value through audit-based risk evaluation and solutions, including risk matrices and internal control models.
Prioritizing risk with a risk matrix
Once auditors have identified the risks in their organization, how should these risks be documented and assessed? A risk assessment matrix is a common and highly useful documentation framework that supports risk management efforts, including:
- Identifying risks
- Assessing the likelihood and significance
- Red flags
- Preventative controls
- Detective controls
- Controls effectiveness assessment
- Residual risks
- Risk response
However, assessing the likelihood and significance of a risk occurring is a highly subjective process. Management and auditors should consider not only the monetary significance but also the impact on the organization’s reporting, operations, reputation, and legal and regulatory compliance.
The risk matrix should be an active tool that both illustrates situational awareness and drives corrective action where needed. And while a risk matrix is often a very complex document, it doesn’t need to be. It may be effective to develop a risk matrix that ranks the likelihood of a risk event using subjective “seat of the pants” classifications like probable, potential, possible, and remote. Even broad measures like these can quickly demonstrate where action is needed right now.
It’s beneficial to take a step back, examine the risk matrix tools you’re using and ask yourself, “Is it too complex?” If the answer is “yes”, perhaps it’s time to make a change.