This guidance is aimed at those new to the profession although it is also a useful guide for experienced internal auditors to go through to validate what you do or gain some new ideas.
We look first at the basics of what the organisation should do (what, who, when, how) and then look at the role of risk identification throughout the various stages of an internal audit engagement.
Risk identification is the first step in the risk management process; it is fundamental to organisational success and providing relevant independent assurance.
Risk identification is the acknowledgement and recording of events that, if they occur, have the potential to impact on an organisation’s ability to achieve its objectives, purpose or aims.
It is the first stage of a generic risk management process that is part of an overall risk framework, for which the board is accountable.
Risks can have a negative effect (threats to an organisation), or have a positive effect (opportunities for an organisation). Internal auditors should be mindful of the language they use: risk is often portrayed as a threat which is incorrect and only one half of the definition.
Risk identification is the acknowledgement and recording of events that, if they occur, have the ability either to positively impact the organisation (e.g. increased revenue through product diversification, such as Burberry moving to the production of PPE) or to negatively impact it (e.g. a regulatory breach, such as the VW emissions scandal).
The risk management process must be appropriate to an organisation - a one size approach does not fit all.
We will look at some of these elements in more detail but essentially:
Even the most critical of risks can be overlooked if poorly worded.
A strong risk statement will answer the question:
The formula for writing a risk statement is Event + Cause = Consequence.
[Event that has an effect on an objective] caused by [Cause/s] resulting in [Consequence/s].
[Theft of customer data] caused by [system vulnerability due to patches not being updated] resulting in [an Information Commissioner’s Office fine of up to 4% of turnover and the potential reduction in future sales due to loss of customer confidence].
Further guidance on writing risk statements can be found here.
A fully embedded risk management process encourages all employees to be risk managers; identifying and assessing risk within their remit and reporting/escalating risks outside their personal accountabilities.
Depending on the size of the organisation, as part of the second line, there may be a risk function or specialist role which facilitates the entire risk framework and supports management.
Typically, the significant risks to the organisation, and of most interest to internal audit, are identified by management, executives, and the governing body (board). They are usually split into strategic, operational and project risks.
Risks are ideally identified in a group environment rather than by individuals operating in isolation. This is because we all have bias and limited knowledge; acknowledging it is important.
In a group it is possible to brainstorm, contribute to, and constructively challenge ideas.
Internal auditors should also seek to identify risks to ensure completeness.
Throughout an audit engagement internal auditors should always be ready to facilitate an individual or group to identify relevant risks; never assume that people know how to do this.
There are two stages to risk identification: initial and continuous.
The frequency of review should be appropriate to the risk appetite of the organisation. In deciding this, the board will take into account the complexity/volatility of the organisation and its environment together with a commitment of resource.
Some organisations may do an annual or bi-annual review, whereas others may integrate it into standard operational meetings. Depending on the frequency, specific process steps for stage one may be required to capture new risks as they arise.
Project managers should use defined project management methodologies that include risk management.
Risk is something that hasn’t yet happened.
When a risk materialises, it is no longer a risk, it is an issue.
Sometimes you or management might identify a risk that is so time critical you cannot go through the normal internal audit process of providing assurance and agreeing actions to improve its management; it just needs to be managed.
The coronavirus pandemic is a great example of this. The chief audit executive at company X knew that cashflow was critical and that the financial processes were unsatisfactory. Internal audit identified slow paying customers and supported management to focus on accounts receivable.
In times of crisis, internal auditors should check, if they are not already aware, what the first and second line are doing and, where necessary, be prepared to roll their sleeves up and use their internal audit skills to help manage the risk(s). It does not compromise independence to protect the organisation from such immediate threats.
Risk must always relate to an objective; this provides context and maintains relevance. Think of it as putting a boundary around the identification process.
Imagine that you are identifying the risks for your next holiday: a global shortage of a particular vaccine, a strike by airline cabin staff, civil unrest in the country… the list could be endless and quite random, but a waste of your time if you’re only going to Brighton!
There are lots of different approaches that can help identify risk within a given time frame.
| Approach | Description |
| --- | --- |
| Facilitated workshop | Useful to get different stakeholders (across a process, a whole team, a topic of mutual interest) together to surface detailed information about the risks, i.e. source, causes, consequences, stakeholders impacted, existing controls |
| Brainstorm | Creative technique to gather risks spontaneously; everyone should be encouraged to contribute as there are no ‘wrong ideas’ and job roles and hierarchies are left at the door |
| Interviews | One-to-one discussions to identify risks; useful when detail is required or sensitive information is involved |
| Surveys/Questionnaires | Carefully constructed questions designed to gather data on risks |
| Data analysis/Artificial Intelligence | Analysis of data and/or use of algorithms can identify trends and predict potential risk events |
| SWOT analysis | A common business analysis tool (Strengths, Weaknesses, Opportunities, Threats); the ‘O’ and ‘T’ are risks |
| PESTLE analysis | A common business analysis tool (Political, Economic, Sociological, Technological, Legal, Environmental) to help identify external risks |
| Scenario analysis | Involves developing hypothetical but possible future events to anticipate the type of risks that might arise, and the resultant opportunities and threats. An example of a scenario could be that activists take down the world wide web and global access to the internet is lost |
| Stakeholder analysis | Stepping into the shoes of others: recognising individuals or groups with interest in/influence over the organisation and understanding their objectives and expectations to identify the risks they pose |
| Audit reports | Review of past risks; particularly useful if the organisation is immature in the development of its risk framework |
| Past experience | Either corporate or personal: information that contributes to risk identification by having already experienced/witnessed something |
| Documented knowledge | Existing risk registers are a great example of this, as is an internet search of risk research such as the Chartered Institute’s Risk in Focus publication |
| Lessons learnt | Similar to past experience, although specific to learning from mistakes to prevent them from recurring and/or identifying missed opportunities to ensure that, in a similar scenario, the opportunities aren’t missed again |
It is also important to consider future risks. This is a totally different exercise and is typically done less frequently, as the timeframe for the risks may be 10 years or more. The technique for doing this is known as horizon scanning, and guidance on identifying and assessing these Emerging Risks can be found here.
According to the International Professional Practice Framework (IPPF) ‘the mission for internal audit is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.’
There are a number of points within the activities of internal audit where risk identification is important.
| Internal audit activity | Risk identification relevance |
| --- | --- |
| Internal audit strategy | A strategic plan sets out the mission, purpose and values of the internal audit function; by ensuring alignment to stakeholder expectations and the needs of the organisation, it means internal audit maintains relevance. To develop this, internal audit must understand the organisation’s risk framework (to the extent one exists) and the organisation’s risks, and also perform a SWOT analysis to identify and manage its own risks. A strategic plan facilitates decision-making on resource allocation, targets, performance measures and areas of focus (linked to the Quality Assurance and Improvement Programme) |
| Risk-based internal auditing | The Chartered Institute defines RBIA as a methodology that links internal auditing to an organisation’s overall risk management framework. It allows internal audit to provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite. It is about auditing the management of risk and is dependent on the organisation having a framework in place |
| Annual/Rolling plan (Performance Standards 2010 and 2050) | When RBIA is possible, internal audit produces a risk-based audit plan for approval by the audit committee (or other such governing body). The majority of internal audit resource will be directed to providing assurance that management is adequately and appropriately managing specific risks; there may also be an element of cyclical compliance assurance, depending on what functions exist within the first and second line and on regulatory requirements. The complexity and volatility of risk within many sectors have led to the annual internal audit plan being replaced with one that is updated more frequently, such as quarterly or rolling. If an organisation does not have a risk framework, internal audit should undertake its own risk assessment process or, ideally, facilitate the process for management in accordance with its legitimate roles in risk management |
| Audit engagement planning (Performance Standard 2200) | Depending on the information available, internal auditors may need to identify risks to supplement those offered by management, particularly when risk maturity is evolving. Internal auditors should be continually alert to emerging or unidentified risks surfacing as the engagement progresses. Risks identified during engagement planning may need to be reprioritised |
| Audit findings (Performance Standard 2320) | Internal auditors must base conclusions and engagement results on appropriate analyses and evaluations. It is a good discipline to present each audit finding in relation to the risk that it relates to. This draws out situations where findings relate to multiple risks, which can be beneficial in prioritising data in formal audit communications. All audit engagements provide the opportunity to evaluate the effectiveness of the risk management process in the area under review |
| Agreeing actions (Performance Standard 2410) | Management are invariably busy with limited free resource. Internal auditors can demonstrate commercial acumen by prioritising risks for discussion and highlighting the consequences if identified weaknesses are not addressed |
Yes, they can, although how they need to be addressed may differ.
Look again at the risk statement and the objective.
Is it clear and specific?
Can it be broken down further?
Rewrite a risk that is simply the opposite of the objective (failure to comply with xxx, or poor understanding of xxx) or that states the impact rather than the risk (loss of data xxx).
Risk identification can be stressful depending on the environment in which it is done. Internal auditors should be mindful of culture and aim to create a ‘safe space’ as far as possible.
In a blame culture, individuals may fear reprisal if they are not perceived to be managing their risks; others may be naïve to risks if new in a role; and some may be risk immature, expressing a preference for firefighting (dealing with the problem rather than taking the steps to prevent or prepare for it).
Internal audit should refer to their legitimate roles in risk management to educate and raise awareness of good practice alongside highlighting where cultural change would be beneficial.
It is not uncommon for people to want to focus on what they can influence.
The question to ask is - if the event was to occur what would the consequences be for the organisation? Consider the coronavirus pandemic, an earthquake, new entrant into a competitive marketplace, cyberattack on the national grid…
Human nature means many of us are uncomfortable with uncertainty, and therefore with risk. There are lots of psychological barriers to ‘risk framing’ which we often put in place without realising; these are often referred to as cognitive biases.
Think for a moment about your organisation’s risk profile.
Global institutions such as the World Health Organisation and the World Economic Forum had been warning of the increasing probability of a global pandemic for many years before the events of 2019/20.
Internal auditors should encourage management to recognise biases and take any lessons forward from the coronavirus pandemic to better address other high impact/low probability risks.
| Bias | Risk thinking | Internal audit response |
| --- | --- | --- |
| Gambler’s Fallacy | If something has already happened it’s less likely to happen again; natural disasters, cyber-attack | Validate whether the risk event is statistically independent |
| Normalcy Bias | Things will always function/happen in the way they do now; coastal cities, driving cars | Explore the rationale by repeatedly asking why (the ‘5 whys’ technique) and suggest alternative viewpoints |
| Anchoring Fallacy | Over-reliance on historical information/events to make judgements | Explore what has changed and move the point of reference to current data and forecasts |
| Availability Bias | Overestimating highly visible or known occurrences; plane crash vs car accident | Look at proportionality and compare the risk to others that are similar |
| Short-termism | Excessive focus on immediate risks/consequences at the expense of those in the future; climate change | At the end of the discussion, reframe the conversation and encourage horizon scanning |
| Zero-Risk Bias | Aversion to taking risks; preference to eliminate all risk | Discuss commerciality (eliminating risk is costly), also look at the consequence of missed opportunity by not taking risk, and, if defined, refer back to the organisation’s risk appetite |
| Texas Sharpshooter Fallacy | Ignoring data that doesn’t fit, or emphasising data that does fit, with a point of view, such as a business case | Fully explore the topic; suggest looking at it from different perspectives |
| Information Bias | Over-focus on gathering data superfluous to need | Acknowledge expert knowledge but simplify the context to focus on the nub of the issue |
We have shown that internal auditors need to be adept at analysing and interpreting the risks identified by the organisation. They also need to be able to identify risk for themselves, and to take into account the influence of organisational culture and personal bias in order to educate where necessary.
International Professional Practice Framework (IPPF)
1300 – Quality Assurance and Improvement Programme
2050 – Coordination and Reliance
2320 – Analysis and Evaluation
2410 – Criteria for Communicating
Preparing an internal audit strategy: Top tips
Risk based internal auditing, Production of the audit plan
How to plan an audit engagement
Position paper - Risk management and internal audit
Risk appetite – concept and theory