Defining the auditor’s role in the risk-audit relationship

Management is responsible for risk management, but audit plays an important supporting role. And avoiding any disconnect between auditor expectations and delivery on the job is critical to our credibility. Audit risk management processes and daily auditor actions must be completely aligned on every project every day.

In part one, we examined how to identify risks in an audit setting. We also identified two questions that auditors should ask themselves during any risk management initiative:

• What can go wrong?
• What opportunities are being missed?

In part two of our series, you’ll learn how to add measurable value through audit-based risk evaluation and solutions, including risk matrices and internal control models:

• Prioritizing risk with a risk matrix
• Internal controls are only as effective as the humans responsible for their design
• Bringing focus to the risk-audit relationship

This is not to downplay the importance of a comprehensive risk assessment and documentation efforts. Rather, a warning about how the process may overtake the purpose, as happens too often in risk matrix development. The matrix you build should be tailored to your unique environment and needs, not to another’s expectations.

Internal controls are only as effective as the humans responsible for their design

Effective internal controls require two things: a strong control environment and daily control behaviors. The control environment includes policies, procedures, laws, and regulations.

It also includes the tone at the top from organizational leaders, compliance monitoring, access, and transaction execution, review, and approval. Meanwhile, the control behaviors are the skills, interest, time, supervisor support, and peer support.

Using this chart can assist with making a quick decision about where your organization is positioned.

Supportive environment and strong behaviors place you in the highly desired quadrant 1. But plenty of controls matched with inconsistent daily human behaviors has the potential to move you down to quadrant 2.

And no amount of enhanced or additional policy, procedure or leadership ‘tone’ will fix your problem. It has been my experience that 90% of organizations exist and operate primarily in quadrant 2.

At the risk of overstating the obvious, this simple 4 quadrant analysis may be all that is needed to know with certainty where corrective activity must occur to move towards the ideal, ‘top-right’ quadrant results.

Bringing focus to the risk-audit relationship

In general, an auditor’s role is to identify risks and evaluate management’s controls and procedures to manage those risks. We do that through testing, data analytics, research, industry benchmarking and a long list of other tools. We also fulfill our role by asking questions and listening to the answers (Remember the definition of an “auditor” in part one?).

Conclusion

Strengthening the risk-audit relationship can help auditors cut through complicated risk models to ensure we focus on what matters most to our organization. But remember, one size does not always fit all. The amount of time and resources we spend measuring and monitoring depends on our industry, business model, leadership team, and an evaluation of the current state of controls and behaviors.