Internal auditors must focus their reviews, prioritize what to audit, and concentrate on what matters most to the business. Since there are often insufficient resources to cover the entire audit plan, internal auditors can no longer conduct sprawling or unclear audits looking under every rock hoping to find something somewhere.
An audit is a complex undertaking that requires internal auditors to examine documents, speak with employees, observe business practices, and evaluate controls in business programs and processes. Given these dynamics, is there a document that organizes what needs to be understood and provides a clear roadmap for effective testing? Yes, there is. It's called the Risk and Control Matrix (RCM), and if you aren't taking the time to assemble one, you should.
Key criteria for risk and control matrices include:
- The objectives of the activity under review. If you don't know what auditees are supposed to accomplish, what are you auditing? You need to know the criteria under review to determine if the program or process is achieving its purpose.
- The risks jeopardizing the achievement of the objectives. Modern internal auditing is risk-based, which means we need to know what are the biggest factors and events that could prevent the business from meeting its objectives.
- The controls that manage or mitigate the business risks assessed. Well-designed programs and processes should include controls to manage risks.
- The audit steps to be performed to evaluate the design and operating effectiveness of internal controls.
The first step is to document the objectives of the unit, program, or process under review. If management has not documented the objectives, or if they have not been communicated and linked to employees' performance evaluations, than a design weakness is present that should be discussed with business management. After all, if employees don't know what they're supposed to do, what exactly are they doing every day? How could we assess efficiency and effectiveness without the required parameters?
Next, we need to list the risks that threaten the achievement of business objectives. Quite often this step is not exhaustive enough or is performed by individuals with limited knowledge of the process being assessed. The most important problem this creates is that if a risk has not been identified it won't be measured or analyzed either, so brainstorming, partnering with process owners and fellow auditors, and using prefabricated lists of common risks will help put key risks on your radar screen.
After listing the risks, we should categorize them. Common categories include compliance, operational, financial reporting, non-financial reporting, strategic, information technology, information security, and fraud.
Risks are often measured using a three-point scale of high, medium, or low. Using these measures, the impact of the risk—if it were to materialize—and the likelihood of the risk occurring, are rated. A more precise assessment is possible by using a five-point scale like this one:
An important limitation of only using adjectives as measures is that they are subjective. As such, one person's "minor" risk, could be someone else's "moderate" risk, and so on. While this difference of opinion will always exist, the prevalence and magnitude of the differences generally increases when the risk assessment process is predominantly subjective. To improve on this, impact ratings can be expanded to provide more detailed descriptions based on explicit ranges, facts, or events for each. This may involve monetary amounts, the degree of disruption to the organization, bodily injury to workers and others, security, health and safety, social, economic, reputational, and environmental impacts. A similar process can be followed with Likelihood, where estimated probability ranges provide greater clarity.
We then need to document the controls that business management has put in place to mitigate the risks and protect company assets. For each risk, we should list the corresponding control or controls that mitigate them. Each control is also categorized based on its characteristics. For example:
Preventive: Prevents a risk from occurring
Detective: Detects when a risk event occurred
Manual: Performed by an individual
Automated: Performed by a computer application or other machine
Annual, semi-annual, quarterly, monthly, weekly, daily, multiple times a day, or with every transaction
It is also important to list the name and position of the owner for each control, especially those controls that mitigate high risks. The risk owner is the individual with the knowledge, resources, and authority for the management and monitoring of the risk identified. This person is also responsible for the implementation of responses. So by identifying the risk owner, the specific activities taken to perform the control activity, and the mechanism that tells the risk owner if the control has failed—such as reports and metrics—accountability for control oversight is clearer.
An important step now is to examine the design of the program or process and ask questions such as:
- Are there significant risks lacking at least one mitigating control?
- Are there highly rated risks with too few controls?
- Are there low-rated risks with too many controls?
- Are controls mostly detective?
- Are controls mostly manual?
The Audit Steps
Finally, we prepare to test control effectiveness.
Internal auditors should use a risk-based, top-down approach to testing and focus on those controls related to important risks. The idea is to focus on controls whose failure would significantly jeopardize the achievement of business objectives. The focus should also be placed on those controls that cover or mitigate more than one risk, support an entire process, are among the organization's entity-level controls, or contain analytic elements to provide broader coverage of the underlying transactions and activities.
Additional considerations are the potential for fraud, inefficiency, and abuse and waste that could have a significant impact on the business. The range of scope is smaller than financial statement materiality as defined by external auditors, and although I agree with John Wooden that "little things make big things happen," as internal auditors we must use our judgment to test judiciously and know why we test what we test.
Testing procedures can include any or a combination of: Inspection, observation, confirmation, reperformance, recalculation, and analytical procedures.
As internal auditors gather and analyze the results of the testing, it is important to compare the inherent risk (meaning the risk before the control is considered), to the residual risk (the risk after the control has been assessed). This will provide valuable insights into the quality of the control structure and the reliability that can be placed on it.
The Risk and Control Matrix is your roadmap during planning, an indispensable aide when preparing your work program, a prioritization tool when deciding what to test, and, in general, the most important workpaper to determine what is relevant and useful during every engagement. By sorting the risks based on significance and impact, every audit step will be purposeful and will enable internal auditors to only review important controls. The RCM helps facilitate the decision process to make sure internal auditors are focused on what matters most to the business.