Auditors in internal audit, government, and public accounting assurance positions are considered risk experts. An essential part of their job is to identify business risks – whether financial, compliance, reputation, IT, fraud, and a long list of other exposures. But are auditors focusing on the right risks?
When populated with surface-level brainstorming, standard risk models often result in a false sense of security and missed risks. And the reality is that risk management controls are only as effective as the humans responsible for their design, execution, and effectiveness.
In part one of this two-part series, we’ll narrow it down to what risks really matter in an audit setting to bring precision and clarity to what auditors need to know and do.
Ask questions and listen
When you think about the word “auditor,” the root word is “auditory,” which means to listen. So, an auditor is actually “one who listens.” The primary way auditors work, gather information, and assess whether or not management adequately addresses risk requires asking questions and listening to the answers. When auditors can do this, that’s when the risk-audit relationship comes together.
A colleague, Dana Pearce, describes the risk-audit relationship in this way, “Managing risk is the art of building value by understanding what can be gained or lost from action or inaction, the foreseen or unforeseen, the planned or the unplanned.” As auditors, our job is to ask, “What can go wrong? What opportunities are we missing?” These two questions, when asked from the management perspective, are the starting point of any risk management initiative.
In addition to core compliance and control risks, auditors should ask, “What would it look like if we are losing customers, our cash flow drops off, or our revenue quality begins to deteriorate? What early warning signs would I pay attention to if I was the owner?” Auditors need to think more broadly about the risk-audit relationship. As we take a fresh look at our business environment and what has changed in the past few years since the global pandemic, this is a great time to step up and push the risk-audit relationship even further.
Managing risks – both known and unknown
As our business environment grows more complex, auditors must anticipate new levels and varieties of risk. While these risks can be unpredictable, there are measures every auditor can take to help management mitigate their impact.
Existing risks
Existing risks, which are the risks auditors know about today, can be broken down into two tiers. The first tier includes the finance, compliance, reputation, technology, and fraud risks. These are the risks that auditors commonly perform a risk assessment on, whether annually, every six months, or even project by project. But it may be helpful for auditors to expand their thinking and go a little wider to include the Tier 2 risks, such as operations, supply chain, infrastructure, knowledge, and competition, into their risk assessments.
Black Swan risks
A Black Swan risk is a truly extraordinary event. It is a high significance, high impact, low probability event, such as a global pandemic, terrorism, political instability, disruptive technology, or natural disasters. It could also be the complete failure of technology that puts an organization out of business for an extended period, not just an hour or two as systems go down. Are auditors adequately taking Black Swan events into account? Coming out of the pandemic, it does make sense to spend a bit more time focused on your business risks and how auditors should proactively plan for potential Black Swan events.
Prospective risks
Prospective risks are potential risks down the road, like climate change and rising sea levels. These risks may not be relevant right now, but there can be red flags or observable signs that risk is coming, so auditors need to have prospective risks on their radar.
Integrity of management
Auditors need to consider more risk than ever before in their audit role. In our more complex audit environments, it’s critical to take the integrity of management into account. This includes senior management, mid-level managers, and supervisors trying to meet their goals for the year. Is it possible that management’s integrity level could drop off because people are under intense pressure? This is something that auditors should be aware of.
Reliability of accounting systems and information
What if the reliability of accounting systems or information falters? What if competitive pressures, cashflow pressures, or growth pressures kept your systems from being properly maintained? While auditors may think the likelihood of this happening is low, the risk remains and is worth consideration.
Risk and the circle of trust
There are three sources of risk around what I call the “circle of trust.” Visualize the circle of trust as your entire organization’s operation. Looking from a distance, we can see that there are three positions on the circle.
