Risk Assessment Do's and Don'ts

Risk Defined

Risk is the potential for loss to an enterprise due to error, fraud, inefficiency, failure to comply with statutory requirements, or actions which bring disrepute to the entity. Risk is a synonym for all the adverse outcomes that the organization wishes to avoid. Risk is a function of the probability that such consequences will occur, their magnitude, and their imminence.

Risk Assessment

Risk assessment is a process of estimating a riskiness coefficient or score to be associated with each auditable unit within the organization. Risk assessment is typically undertaken to focus attention on significant audit areas, to allocate scarce audit resources to the most important audit areas, and to help with key audit prioritizing decisions such as audit frequency, intensity and timing.

Section 520.04 of the Standards for the Professional Practice of Internal Auditing suggests that criteria used for setting audit priorities should include:

  • the date and results of the last audit
  • financial exposure
  • potential loss and risk
  • requests by management
  • major changes in operations, programs, systems and controls
  • opportunities to achieve operating benefits
  • changes to and capabilities of audit staff.

    These standards point out clearly that the riskiness of a specific auditable unit is only one of the key factors to be considered in establishing an audit coverage plan and schedule. A risk coefficient alone is not a sufficient basis for making appropriate audit planning decisions. It is also necessary to bring the cost of carrying out an audit into the picture; i.e., the riskiness coefficient of an audit unit must be "deflated" by the cost of eliminating, reducing, or maintaining that level of risk.

    A fundamental flaw in many risk assessment methods used in practice is their failure to take into account the fact that auditing is a costly activity and to systematically factor this consideration into the development of a long range audit coverage plan.

    Since relating costs and benefits is a fundamental principle of rational decision making, internal audit departments should focus not only on the riskiness of an auditable unit, but also on the cost of reducing risk through auditing.

    One way of applying this cost/benefit approach is to simply calculate the ratio of the riskiness coefficient of a given auditable unit divided by the cost of auditing that auditable unit, yielding a measure of the benefits (in terms of risk reduction) to be derived from investing audit resources in a given activity (in terms of incurring the cost of the audit). The units assigned the highest audit frequency would be those with the highest "payoffs" as measured by their risk to cost ratios.

    A more sophisticated method is used by the auditMASTERPLAN system; the following formula approximates the approach auditMASTERPLAN uses to calculate the optimal inter-audit interval:

    Optimal Inter-Audit Interval =

    where b is an audit unit's riskiness coefficient, M is the audit unit's maximum loss potential, and C is the average cost per audit. In this formulation, the smaller the inter-audit interval, the higher the audit priority.

    Audit Frequency = Plan Horizon/Optimal Inter-Audit Interval

    In Figure 1 the vertical axis represents cost, expressed in financial terms. The horizontal axis is audit frequency, represented by the number of audits carried out over the period of time that is the planning horizon. As the audit frequency increases (moves to the right), the curve representing the total expected losses decreases. That is, the more frequently an auditor audits a unit, the less opportunity there will be for the expected losses to accumulate and, therefore, total losses will be lower. However, at the same time, the more frequently an auditor audits a given auditable unit, the more audit costs are incurred.

    The total relevant cost is the sum of the audit cost and the cost attributable to the losses due to fraud, waste, error, and so forth incurred in the absence of auditing. It is in the best interests of the organization as a whole to minimize its total costs (i.e., the costs of auditing plus the costs of not auditing). The minimum point on the total relevant cost curve identifies the frequency which balances the cost of auditing a given unit so many times during its planning horizon against the cost of not auditing that audit unit, and incurring the expected losses instead. Since risk is a measure only of the cost of not auditing, it is not sufficient to merely look at risk ratings as the basis for developing audit coverage plans.
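    The trade-off described above, worked through in code. This is an added illustration, not code from the original page or from the auditMASTERPLAN system, and since the page does not state auditMASTERPLAN's formula, the expected-loss model used here is an assumption made for the example: losses accumulate linearly at a rate of b·M per year between audits and each audit resets them, so n evenly spaced audits over a horizon H leave expected losses of b·M·H²/(2n). The unit names and figures are constructed sample data. The block computes both the simple risk-to-cost ratio ranking and the frequency that minimizes total relevant cost (audit cost plus expected losses), using the page's symbols b, M and C.

```python
"""Audit frequency from a risk/cost trade-off (added example).

Assumed loss model: losses accrue at rate b*M per year and are reset by
each audit, so n evenly spaced audits over horizon H leave an expected
loss of n * (b*M*(H/n)**2 / 2) = b*M*H**2 / (2*n).  Any decreasing
function of n would do for the minimisation; this one is merely simple.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditUnit:
    name: str
    b: float  # riskiness coefficient, 0..1 (the page's b)
    M: float  # maximum loss potential, currency units (the page's M)
    C: float  # average cost per audit (the page's C)


# Constructed sample data; the figures are illustrative only.
UNITS = [
    AuditUnit("Payroll", b=0.4, M=100_000, C=20_000),
    AuditUnit("Travel claims", b=0.2, M=20_000, C=5_000),
    AuditUnit("Treasury", b=0.7, M=400_000, C=40_000),
]


def risk_to_cost_ratio(unit: AuditUnit) -> float:
    """The simple payoff measure from the text: riskiness / audit cost."""
    return unit.b / unit.C


def rank_by_ratio(units):
    """Unit names ordered from highest to lowest risk-to-cost payoff."""
    return [u.name for u in sorted(units, key=risk_to_cost_ratio, reverse=True)]


def expected_loss(unit, n_audits, horizon_years):
    """Assumed loss model (see module docstring); decreasing in n_audits."""
    return unit.b * unit.M * horizon_years ** 2 / (2 * n_audits)


def total_relevant_cost(unit, n_audits, horizon_years):
    """Cost of auditing plus cost of not auditing (the page's total relevant cost)."""
    return n_audits * unit.C + expected_loss(unit, n_audits, horizon_years)


def optimal_audit_count(unit, horizon_years=5, max_audits=20):
    """Grid-search the number of audits that minimises total relevant cost."""
    return min(range(1, max_audits + 1),
               key=lambda n: total_relevant_cost(unit, n, horizon_years))


def optimal_interval(unit, horizon_years=5):
    """Inter-audit interval in years: Plan Horizon / Audit Frequency."""
    return horizon_years / optimal_audit_count(unit, horizon_years)


if __name__ == "__main__":
    print("Ranking by risk/cost ratio:", rank_by_ratio(UNITS))
    for u in UNITS:
        n = optimal_audit_count(u)
        print(f"{u.name:14s} audits/5y={n:2d} interval={optimal_interval(u):.2f}y "
              f"total cost={total_relevant_cost(u, n, 5):,.0f}")
```

    Note that the two rules disagree on the sample data: the bare risk-to-cost ratio ranks Travel claims first because it ignores the loss potential M, while the cost minimization audits Treasury most often because its expected losses dominate its audit cost. That disagreement is the point of the paragraph above: a risk rating or ratio alone does not settle the frequency decision.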

    Non-Systematic vs. Systematic Risk Assessment

    There are two fundamental ways of establishing risk scores: non-systematic and systematic.

    A non-systematic approach asks the auditor for a single global, intuitive judgment of each unit's riskiness. Systematic approaches instead decompose risk into individual factors which are assessed individually, then combined into an overall score reflecting an audit unit's riskiness. The process requires identification of the key areas of risk (termed risk factors) important to management, grouping risk factors into categories based on similar characteristics, and assigning weights to the risk factors indicating their relative importance in a model for setting audit scope (frequency, intensity and timing).

    Clearly, the second approach is more onerous than the first. Why choose it? Research conducted into the reliability of subjective global judgments in a variety of fields shows that global judgments such as those required by the non-systematic approach are prone to significant errors. The general consensus of this research is that professionals should refrain from trying to make global intuitive judgments such as, "The riskiness of audit unit A is ..." Instead, they should apply their judgment to:

    1) decompose complex global judgments into component factors,

    2) assess these specific areas of risk and concern, and

    3) leave the combining process to mathematical models, since it has been found that computational models and algorithms consistently outperform even seasoned professionals.

    Benefits of Systematic/Formal Approaches

    Virtually all of the important literature that deals with planning emphasizes that the formal process whereby individuals engage in a systematic consideration of important factors makes a key contribution to the quality of subsequent decisions.

    Formal/Systematic Approaches Do Not Eliminate Judgment

    The use of a formal/quantitative approach to risk assessment does not eliminate the need for the exercise of judgment. On the contrary, it highlights some of the important judgments that are required:

  • Identifying the key elements of the problem being considered.
  • Characterizing the interrelationships among these elements.
  • Selecting an appropriate quantitative model for expressing these relationships.
  • Adopting appropriate ways for obtaining the values to be entered into a quantitative model.
  • Assessing the values to be used with the parameters of the selected quantitative model.
  • Evaluating the quality of the analysis and its applicability to the circumstances under consideration.

    In summary, there need not be a conflict between the application of professional judgment and intuition and reliance on formal or systematic approaches to risk analysis. Indeed the best approaches to problem solving strive to combine elements of intuition and systematization in such a way as to take advantage of the best features of humans and computational models. The auditor applies expertise in identifying critical risk factors and using them to record key observations about issues such as internal control. A system can be used to combine these ratings consistently, since that is something that a system can do best and an auditor cannot do as well.

    The benefits of systematic/formal approaches to risk assessment:

    1. The train of logic can be documented.

    2. Training is enhanced since trainees can study logic that is documented.

    3. Review and consultation are facilitated.

    4. Decisions may be easier to explain and justify, especially in the future when the auditor's memory of the circumstances fades.

    5. Potential errors may be reduced by reducing the need to combine large quantities of data in one's head.

    6. A direct linkage can be provided between the administrative structure and budget of the internal audit department and the characteristics of individual audit units; this linkage emphasizes the integrated nature of administrative and operational activities.

    7. New data can be more easily incorporated into the analysis as it becomes available.

    8. Consistency may be enhanced since it may be easier to set operational guidelines for quantitative risk assessment methods than for more global qualitative risk judgments.

    9. Quantitative methods may be more easily defended; e.g., to audit committees, external parties, etc.

    10. Quantitative judgments of risk can be incorporated into other methods to help ensure the appropriate intensity of auditing commensurate with the risk profile of the audit unit. This can help reduce the possibility of overauditing or underauditing.
    Key Audit Decisions Aided by Risk Assessment

    1. Audit Frequency

    In many organizations, it is assumed that every unit will be audited at least once during a planning horizon that typically covers 3 to 5 years. The question is, "How often within this planning horizon should each auditable unit be audited?" The general opinion is that riskier audit units should be audited more frequently, although the actual audit frequency can be set in various ways.

    A fixed frequency policy is based on the implicit assumption that there are natural frequencies associated with audit units. The problem then becomes finding the "right" fixed frequency for each unit. This approach is followed by many internal audit departments, although frequencies may be adjusted periodically. It may be argued, however, that if auditees "learn" the fixed frequency, they may be motivated to perform at peak levels only at or near the audit dates. In addition, to the extent that the frequencies are imperfect, some auditable units would be consistently overaudited, while others would be consistently underaudited.

    Under a conditional audit frequency approach all auditable units are monitored continuously or at specified intervals for signs of abnormal activity. Two approaches to conducting such monitoring activities are analytical review and periodic risk assessment. Audits would be scheduled when units exhibited a deterioration along some key dimension. The reasoning is that when compliance with set policies and procedures or sound management practices deteriorates, this adversely affects the unit's activity. Abnormal activity may be an indicator of control failures, and vice versa. Thus, by monitoring various relevant economic indicators, the internal auditor might be alerted to problems such as non-compliance with control procedures. Conversely, by monitoring risk factors such as adequacy of controls, the internal auditor might be alerted to impending deterioration of economic activity. A variety of indicators can be used individually or in combination with other factors.

    2. Audit Intensity

    Riskier units should be audited more intensely; however, audit intensity may be a complex function of time, sample sizes, seniority, skill, etc. There is no known simple or unique relationship between the riskiness of an audit unit and these intensity factors, since in some cases one factor can substitute for another, while in other instances it might not.

    3. Audit Timing

    No audit department has the resources to audit all of its auditable units simultaneously. Therefore, a third key audit decision is the timing of the audit. In the absence of other considerations, the riskier audit unit should be audited sooner than the less risky audit units. Unfortunately, direct application of such simple logic is rarely possible, since a variety of constraints intervene, such as limited availability of the appropriate audit personnel at a given point in time, personnel development considerations, management requests, auditee considerations, etc.

    There are three main alternatives for scheduling audits: fixed, random or conditional timing.

    a. Fixed Timing Policy

    A fixed timing policy is based on the assumption that there are fixed times best suited to the conduct of specific audits. As mentioned earlier, if auditees know the timing of audits, they may "dress up" for the occasion, giving an inaccurate impression of their effectiveness, efficiency, etc.

    b. Random Timing

    Under this policy the frequency and timing of audits is unpredictable. Since auditees cannot guess when they will be audited, it is argued that they would be motivated to maintain their controls and procedures at reasonable levels. Surprise audits are examples of the use of this policy. If surprise audits are used to motivate compliance or deter non-compliance, randomization becomes an important technique for scheduling audits.

    c. Conditional Audit Timing

    Under a conditional audit approach audits are scheduled when units exhibit a deterioration of controls or performance along some key dimension. In addition, other scheduling criteria could be used such as availability of human resources, personnel development criteria, the need to balance effort over a time horizon, etc.

    4. Internal Audit Department Size and Capability

    As mentioned earlier, no internal audit department is of a sufficient size to carry out all the necessary audits simultaneously, or even within the time span of one fiscal year. A fundamental principle of internal audit administration is that the internal audit department be of a sufficient size and capability to address the areas of concern to management, with an adequate frequency, over a reasonable time horizon of 3-5 years. If risk factors reflect management concerns, then they can be used as a basis for establishing the department size required to address the most important audit units (i.e., those with the highest risks or those with the highest [risk/audit cost] payoffs).

    Implementing a Systematic Risk-Assessment Approach

    A systematic approach to risk analysis consistent with the Professional Standards of the Institute of Internal Auditors entails a number of specific steps and techniques:

  • Define the audit universe and identify the auditable units within the entity for which these analyses will be carried out.
  • Identify appropriate risk factors designed to reflect management's concerns.
  • Select an appropriate format for evaluating risk factors so that the more important risk factors play a more prominent role in the risk assessment process than less important risk factors.
  • Develop a combination rule for each audit unit which will properly reflect its riskiness over the several risk factors that have been identified, and a method of setting audit priorities for the audit units.
  • Once audit units have been rated according to their riskiness, it is important to have a mechanism for assigning them to audit frequency categories; that is, to identify which units will be audited so often, say once every five years, which units will be audited more often, say twice every five years, and which will be audited virtually continuously, say five or even ten times over a five year planning horizon; and a mechanism for applying variable audit scope or intensity of auditing commensurate with the importance of the audit unit.
  • Having carried out these analyses, it is useful to produce an audit coverage plan which indicates which audits will be conducted at what times throughout the planning horizon and the expected costs associated with those audits.
  • The coverage plan provides a roadmap for the management of staff skills so that they are available to carry out audits of appropriate scope and intensity when they are needed; a basis for scheduling audits in such a way as to ensure a balanced workload and the availability of resources when needed; and a basis for appropriate co-ordination with external auditors to ensure that areas of importance are appropriately covered and that total audit costs for the organization are minimized.
  • An important part of a long term planning process is establishing the appropriate department size for the internal audit department commensurate with its mandate and responsibility. Zero-base budgeting can be used as a technique for incorporating staffing considerations and risk considerations in establishing the ideal department size.
  • Finally, a system of quality assurance is required to make sure that these activities are properly carried out.

    These steps are discussed in more detail next, with illustrations from practice.
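    The decomposition described in the section on systematic risk assessment and the factor, weighting, combination-rule and frequency-category steps listed above, worked through in code. This is an added illustration, not code from the original page or from any audit system it mentions. The factor names, their weights, the 1-to-5 rating scale, the category cut-offs, the deterioration threshold and the unit ratings are all assumptions constructed for the example; an audit department would set its own. The block also includes the conditional-timing trigger from the audit frequency discussion: a unit whose combined score rises sharply between two assessments is flagged for an earlier audit.

```python
"""Systematic risk scoring for auditable units (added example).

Weights, scale, cut-offs, threshold and ratings below are assumptions
chosen for illustration, not values from the page.
"""

# Risk factors reflecting management's concerns, with relative weights.
# Weights need not sum to 1; the combination rule normalises them.
RISK_FACTORS = {
    "financial_exposure": 3.0,
    "control_adequacy": 3.0,       # rated so that higher = weaker controls
    "time_since_last_audit": 1.0,
    "recent_changes": 2.0,         # changes in operations, systems, controls
    "management_concern": 1.0,     # requests by management
}

RATING_MIN, RATING_MAX = 1, 5      # assumed rating scale per factor

# Frequency categories over a 5-year horizon; cut-offs on the 0..1 score.
FREQUENCY_CATEGORIES = [
    (0.75, "continuous (5-10 audits / 5 years)"),
    (0.50, "biennial (2-3 audits / 5 years)"),
    (0.00, "once per 5 years"),
]


def combined_score(ratings):
    """Weighted-average combination rule, normalised to 0..1.

    A missing factor would silently lower the score, and an off-scale
    rating would distort the weighting, so both are errors, not defaults.
    """
    missing = set(RISK_FACTORS) - set(ratings)
    if missing:
        raise ValueError(f"unrated factors: {sorted(missing)}")
    for factor, r in ratings.items():
        if factor not in RISK_FACTORS:
            raise ValueError(f"unknown factor: {factor}")
        if not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"rating for {factor} out of range: {r}")
    total_weight = sum(RISK_FACTORS.values())
    weighted = sum(RISK_FACTORS[f] * (r - RATING_MIN) for f, r in ratings.items())
    return weighted / (total_weight * (RATING_MAX - RATING_MIN))


def frequency_category(score):
    """Map a 0..1 score to an audit-frequency category label."""
    for cutoff, label in FREQUENCY_CATEGORIES:
        if score >= cutoff:
            return label
    raise ValueError(f"score out of range: {score}")


def deteriorated(previous_score, current_score, threshold=0.15):
    """Conditional-timing trigger: did the score rise by at least threshold?"""
    return current_score - previous_score >= threshold


def rate(*values):
    """Build a ratings dict from values given in RISK_FACTORS order."""
    return dict(zip(RISK_FACTORS, values))


# Constructed sample ratings for three units at two assessment dates.
LAST_YEAR = {
    "Payroll": rate(4, 2, 2, 1, 2),
    "Treasury": rate(5, 3, 3, 2, 4),
    "Travel claims": rate(1, 2, 4, 1, 1),
}
THIS_YEAR = {
    "Payroll": rate(4, 4, 3, 5, 3),        # controls weakened, major system change
    "Treasury": rate(5, 3, 4, 2, 4),       # one more year since last audit
    "Travel claims": rate(1, 2, 1, 1, 1),  # audited last year, clock reset
}


def assess(previous, current):
    """Score each unit, assign a frequency category and flag deterioration."""
    report = {}
    for name, ratings in current.items():
        score = combined_score(ratings)
        prev = combined_score(previous[name]) if name in previous else score
        report[name] = {
            "score": round(score, 3),
            "category": frequency_category(score),
            "trigger_audit": deteriorated(prev, score),
        }
    return report


if __name__ == "__main__":
    for name, row in assess(LAST_YEAR, THIS_YEAR).items():
        print(f"{name:14s} score={row['score']:.3f} "
              f"{row['category']:32s} trigger={row['trigger_audit']}")
```

    The combination rule is deliberately dumb and documented: the auditor's judgment goes into choosing the factors, the weights and the ratings, and the arithmetic is left to the code, which is the division of labour the text argues for. Rejecting unrated factors rather than defaulting them is the practical safeguard; a unit with a silently skipped "control_adequacy" rating would otherwise look safer than it is.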




    J. Efrim Boritz

    School of Accountancy, University of Waterloo, Waterloo, Canada N2L 3G1

    Copyright 1992, 1993 All Rights Reserved