How to Risk Assess Your Audit Universe: Charting the Dangerous Waters
- David Tyler
- Jun 5
- 5 min read

In our previous article, "An Audit Universe Explained," we introduced the concept of the Audit Universe as your essential map of everything within your organisation that could potentially be audited. We talked about how this map could be structured – whether by traditional auditable units, strategic key risks, or important business services. Having this comprehensive map is a fantastic start, but a map alone doesn't tell you where the stormy seas or the hidden reefs are.
That's where risk assessment comes in. It's the crucial next step in making your Audit Universe truly useful. It's how we decide not just what can be audited, but what should be audited, and with what priority. It's the process of identifying which parts of your organisational map represent the most significant potential challenges or vulnerabilities, ensuring internal audit focuses its efforts where they can have the biggest impact.
Why Risk Assess Your Universe? It's All About Focus
Imagine you have a limited number of coast guard vessels (your audit team) and a vast coastline (your organisation). You can't patrol every single inch all the time. You need to know where the treacherous currents are, where accidents are most likely, or where valuable cargo is being shipped. Risk assessing your Audit Universe provides that intelligence.
The goal is to:
Prioritise: Identify the highest-risk areas that demand immediate attention.
Allocate Resources Wisely: Ensure your audit team's time and expertise are directed to where they add the most value.
Ensure Strategic Alignment: Confirm that your audit plan addresses the key challenges facing the business.
Justify Your Plan: Provide a clear, defensible reason for why certain audits are being performed (or not performed).
Key Criteria for Your Risk Assessment
Whether your universe is structured by departments, strategic risks, or end-to-end services, the core principles of assessing risk remain similar. Here are the key criteria internal audit teams typically use:
Impact / Severity: What would be the consequences if a risk in this area actually occurred? Think about the potential fallout:
Financial: Significant monetary loss, fines, revenue impact.
Reputational: Damage to brand image, loss of customer trust.
Operational: Disruption to core business activities, inability to deliver services.
Regulatory/Legal: Non-compliance, legal penalties, sanctions.
Safety/Environmental: Harm to people, property, or the environment.
Simply put: How much would it hurt if things went wrong here?
Likelihood / Probability: How probable is it that a risk in this area will occur?
Consider historical incidents, industry trends, complexity of operations, reliance on specific technologies, or even the general economic climate.
Simply put: How likely is it that things will go wrong here?
Control Effectiveness (or "Mitigation"): Are there already good safeguards in place that reduce the impact or likelihood of risks?
Even a high-impact, high-likelihood risk might be well-managed by strong, reliable controls. Conversely, a medium risk with weak controls could be a higher priority. This criterion helps you focus on areas where controls might be absent, insufficient, or simply not working as intended.
Simply put: Are there good safety nets already in place?
Change / Volatility: How much is this area changing?
Areas undergoing significant change – new systems being implemented, new regulations coming into force, major reorganisations, or rapid market shifts – often introduce new and unknown risks, or can weaken existing controls. Change often equals risk.
Management Focus / Maturity: How much attention is management already giving this area? How mature are their own processes for managing risks?
If management has a robust internal risk management process and actively monitors an area, internal audit might adjust its approach. This isn't to say we don't audit it, but it helps prioritise our efforts.
Previous Audit Findings / Time Since Last Audit: What did we find last time we looked?
Recent significant findings might indicate persistent issues or evolving risks, making an area a higher priority. Conversely, an area with a clean bill of health recently might be a lower priority for immediate re-auditing.
Gathering the Right Information: Who to Ask & Where to Look
This isn't an exercise done in isolation by the audit team. To get an accurate risk assessment, you need to engage with the business.
Talk to Management & Process Owners: They are the "owners" of the risks in their areas. They know the day-to-day challenges, the critical processes, and where they feel most vulnerable. Their insights are invaluable.
Review Strategic Documents: Business plans, risk registers, board minutes, annual reports – these reveal the organisation's strategic priorities, key initiatives, and stated risk appetite.
Look at Previous Audit Reports: Not just internal audit, but also external audit reports, regulatory findings, or any internal reviews. These provide historical context on known issues.
Consider External Factors: Industry reports, regulatory updates, economic forecasts, geopolitical news – anything outside the organisation that could introduce new risks or amplify existing ones.
Leverage Data Analytics: Where possible, use data to inform your risk ratings. High transaction volumes, frequent errors captured in systems, or unusual trends can highlight underlying risks that might not be obvious through interviews alone.
Documenting Your Insights: Making it Actionable
Once you've gathered your information and applied your criteria, you need to document it. This could be a simple matrix where each auditable unit/risk/service has a score (e.g., a number out of 100, or a High/Medium/Low rating for each criterion), along with a brief narrative explaining the rationale. The key is consistency and transparency. A clear, documented risk assessment ensures your audit plan is defensible and understood by all stakeholders.
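A worked version of that scoring matrix, added here as an illustration and not taken from the article: each unit gets a High/Medium/Low rating per criterion above, plus audit history, and comes out with a score out of 100. The 3-point scale, the weights and the sample units are assumptions chosen for illustration, not a prescribed method.

```python
from dataclasses import dataclass

RATING = {"Low": 1, "Medium": 2, "High": 3}   # assumed 3-point scale per criterion
# Assumed weights (sum to 100) so the final score reads as "out of 100"
WEIGHTS = {"impact": 30, "likelihood": 25, "control_weakness": 20,
           "change": 10, "management_immaturity": 5, "audit_history": 10}

@dataclass
class AuditableUnit:
    name: str
    impact: str                  # consequences if a risk here materialises
    likelihood: str              # how probable that is
    control_effectiveness: str   # High = strong safeguards already in place
    change: str                  # volatility: new systems, regulation, reorganisation
    management_maturity: str     # High = management actively manages its own risks
    months_since_last_audit: int
    open_significant_findings: int

def audit_history_rating(unit: AuditableUnit) -> int:
    """Open significant findings or a long gap since the last audit raise priority."""
    if unit.open_significant_findings > 0 or unit.months_since_last_audit > 36:
        return 3
    return 2 if unit.months_since_last_audit > 12 else 1

def risk_score(unit: AuditableUnit) -> float:
    """Weighted score 0..100; strong controls and mature management pull it down."""
    ratings = {
        "impact": RATING[unit.impact],
        "likelihood": RATING[unit.likelihood],
        "control_weakness": 4 - RATING[unit.control_effectiveness],
        "change": RATING[unit.change],
        "management_immaturity": 4 - RATING[unit.management_maturity],
        "audit_history": audit_history_rating(unit),
    }
    # a criterion contributes its full weight at rating 3 and nothing at rating 1
    return sum(WEIGHTS[k] * (r - 1) / 2 for k, r in ratings.items())

def rank_universe(units):
    """(name, score) pairs, highest priority first; ties broken by name."""
    return sorted(((u.name, risk_score(u)) for u in units), key=lambda p: (-p[1], p[0]))

# Constructed sample universe, not real data
SAMPLE_UNIVERSE = [
    AuditableUnit("Payroll", "High", "Medium", "High", "Low", "High", 6, 0),
    AuditableUnit("Procurement", "Medium", "Medium", "Medium", "Medium", "Medium", 20, 0),
    AuditableUnit("Cloud migration", "High", "High", "Low", "High", "Low", 40, 2),
]
if __name__ == "__main__":
    for name, score in rank_universe(SAMPLE_UNIVERSE):
        print(f"{name:16s} {score:5.1f}")
```

Note how the well-controlled, recently audited Payroll unit ranks below the medium-impact Procurement unit with only medium controls, which is the point made under Control Effectiveness above.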
New Thinking & Enhancing Your Approach
Collaboration is Non-Negotiable: This isn't internal audit telling the business what their risks are. It's a dialogue, a partnership. The best risk assessments are those where business leaders feel ownership of the risks and appreciate audit's role in helping them manage those risks.
Focus on "Actionable Risk": Instead of getting bogged down in theoretical inherent vs. residual risk, focus on a practical "actionable risk" that considers the real-world effectiveness of existing controls. Where do we truly need to direct our attention to make a difference?
Continuous Assessment, Not Just Annual: Your Audit Universe should be dynamically updated, as discussed in the previous article. This means your risk assessment should also be a continuous activity, adjusting priorities as new information emerges or circumstances change, not just a once-a-year event.
Beyond Knowns: Emerging Risks & Scenario Planning: The risk assessment process should include conversations about "known unknowns" and "unknown unknowns." What new technologies, regulatory shifts, or market disruptions could appear? Including scenario planning discussions can help identify risks that aren't yet fully formed.
Data-Driven Insights: Push beyond subjective judgment. Use data analytics to identify areas of high transaction volume, significant exceptions, or unusual patterns that might point to higher underlying risks, making your assessment more robust.
Conclusion
Risk assessing your Audit Universe is the engine that drives an impactful internal audit plan. Whether your universe is built on auditable units, strategic risks, or important business services, a thoughtful and dynamic risk assessment process helps you prioritise effectively, allocate resources wisely, and ultimately ensure that internal audit focuses its efforts where they can genuinely protect and enhance the organisation's value. It transforms your map into a navigational chart, highlighting the precise routes to secure success.