Auditors in internal audit, government, and public accounting assurance positions are considered risk experts. An essential part of their job is to identify business risks – whether financial, compliance, reputation, IT, fraud, and a long list of other exposures. But are auditors focusing on the right risks?
When populated with surface-level brainstorming, standard risk models often result in a false sense of security and missed risks. And the reality is that risk management controls are only as effective as the humans responsible for their design, execution, and effectiveness.
In part one of this two-part series, we’ll narrow it down to what risks really matter in an audit setting to bring precision and clarity to what auditors need to know and do:
Ask questions and listen
When you think about the word “auditor,” the root word is “auditory,” which means to listen. So, an auditor is actually “one who listens.” The primary way auditors work, gather information, and assess whether or not management adequately addresses risk requires asking questions and listening to the answers. When auditors can do this, that’s when the risk-audit relationship comes together.
A colleague, Dana Pearce, describes the risk-audit relationship in this way, “Managing risk is the art of building value by understanding what can be gained or lost from action or inaction, the foreseen or unforeseen, the planned or the unplanned.” As auditors, our job is to ask, “What can go wrong? What opportunities are we missing?” These two questions, when asked from the management perspective, are the starting point of any risk management initiative.
In addition to core compliance and control risks, auditors should ask, “What would it look like if we are losing customers, our cash flow drops off, or our revenue quality begins to deteriorate? What early warning signs would I pay attention to if I was the owner?” Auditors need to think more broadly about the risk-audit relationship. As we take a fresh look at our business environment and what has changed in the past few years since the global pandemic, this is a great time to step up and push the risk-audit relationship even further.