Business men and woman brainstorming and planning in the office.
ComplianceJune 13, 2022

Defining the auditor’s role in the risk-audit relationship

Management is responsible for risk management, but audit plays an important supporting role. And avoiding any disconnect between auditor expectations and delivery on the job is critical to our credibility. Audit risk management processes and daily auditor actions must be completely aligned on every project every day.

In part one, we examined how to identify risks in an audit setting. We also identified two questions that auditors should ask themselves during any risk management initiative:

  • What can go wrong?
  • What opportunities are being missed?

In part two of our series, you’ll learn how to add measurable value through audit-based risk evaluation and solutions, including risk matrices and internal control models:

Solutions

TeamMate+ Audit

Audit management

The world’s leading audit management software - empowering audit departments of all sizes.

Prioritizing risk with a risk matrix

Once auditors have identified the risks in their organization, how should these risks be documented and assessed? A risk assessment matrix is a common and highly useful documentation framework that supports risk management efforts, including:

  • Identifying risks
  • Assessing the likelihood and significance
  • Red flags
  • Preventative controls
  • Detective controls
  • Controls effectiveness assessment
  • Residual risks
  • Risk response

However, assessing the likelihood and significance of a risk occurring is a highly subjective process. Management and auditors should not only consider the monetary significance but also the importance to the organization’s reporting, operations, reputation, legal and regulatory compliance impact.

The risk matrix should be an active tool that both illustrates situational awareness and drives corrective action where needed. And while a risk matrix is often a very complex document, it doesn’t need to be. It may be effective to develop a risk matrix that ranks the likelihood of a risk event using subjective “seat of the pants” measures like probable, potential, possible, and remote classifications. Even broad measures like these can quickly demonstrate where action is needed right now.

It’s beneficial to take a step back, examine the risk matrix tools you’re using and ask yourself, “Is it too complex?” If the answer is “yes”, perhaps it’s time to make a change.

Never let the format get in the way of substance and purpose.

View a demo


This is not to downplay the importance of a comprehensive risk assessment and documentation efforts. Rather, a warning about how the process may overtake the purpose, as happens too often in risk matrix development. The matrix you build should be tailored to your unique environment and needs, not to another’s expectations.

Internal controls are only as effective as the humans responsible for their design

Effective internal controls require two things: a strong control environment and daily control behaviors. The control environment includes policies, procedures, laws, and regulations.

 Defining the auditors role graphic 1 

It also includes the tone at the top from organizational leaders, compliance monitoring, access, and transaction execution, review, and approval. Meanwhile, the control behaviors are the skills, interest, time, supervisor support, and peer support.

Using this chart can assist with making a quick decision about where your organization is positioned.
Defining the auditors role graphic 2
Supportive environment and strong behaviors place you in the highly desired quadrant 1. But plenty of controls matched with inconsistent daily human behaviors has the potential to move you down to quadrant 2.

And no amount of enhanced or additional policy, procedure or leadership ‘tone’ will fix your problem. It has been my experience that 90% of organizations exist and operate primarily in quadrant 2.

At the risk of overstating the obvious, this simple 4 quadrant analysis may be all that is needed to know with certainty where corrective activity must occur to move towards the ideal, ‘top-right’ quadrant results.

Bringing focus to the risk-audit relationship

In general, an auditor’s role is to identify risks and evaluate management’s controls and procedures to manage those risks. We do that through testing, data analytics, research, industry benchmarking and a long list of other tools. We also fulfill our role by asking questions and listening to the answers (Remember the definition of an “auditor” in part one?).

Conclusion

Strengthening the risk-audit relationship can help auditors cut through complicated risk models to ensure we focus on what matters most to our organization. But remember, one size does not always fit all. The amount of time and resources we spend measuring and monitoring depends on our industry, business model, leadership team, and an evaluation of the current state of controls and behaviors.

Subscribe below to receive monthly Expert Insights in your inbox

John Hall Headshot
President, Hall Consulting, Inc.
John J. Hall, CPA is the founder and President of Hall Consulting, Inc. John has over 40 years of experience as a speaker, auditor, consultant, and business owner.
Back To Top