
Risk: Risk in Sequence

Alena Natseuskaya, CIA, CRMA, ACCA, DipIFR, Dec 16, 2024

To help organizations achieve their objectives and optimize audit resources, internal audit functions need to focus on the most critical risk areas and the audits that will add the most value. That means internal audit must set priorities so that the highest risks come first in the audit plan. Prioritization begins with assessing the organization’s risks and identifying areas for review. From there, internal audit can determine which risks are the most critical and in what sequence they should be audited. A five-step process provides a thorough approach to prioritizing these areas.

1. Define Primary Prioritization Inputs

Assigning a risk rating to each auditable area is a primary input for prioritization. Internal audit calculates these ratings as part of its risk assessment. There are two classes of risk ratings: inherent and residual. 

The Global Internal Audit Standards define inherent risk as the combination of internal and external risk factors that exists in the absence of any management actions. Inherent risk ratings are typically based on impact and likelihood. For example, the combination of likelihood (score = 3) and critical impact (score = 5) results in extreme inherent risk (score = 8, the sum of the two) for the auditable area. Internal audit may include additional risk attributes in its assessment, such as risk velocity, risk persistence, and risk preparedness.

Residual risk is the portion of inherent risk that remains after management actions are implemented. By adjusting the inherent risk rating based on the effectiveness of controls and the scoring of risk responses, internal audit arrives at a residual risk rating. Continuing the previous example, an extreme inherent risk rating (score = 8) mitigated by good control effectiveness (score = 4) results in a residual rating of 4 (8 minus 4) for the auditable area. The arithmetic is deliberately simplified; its purpose is only to show the link between inherent and residual risk.

To gain efficiency and achieve synergy with an organization’s risk management function, internal audit may determine inherent and residual risk by leveraging the results of an enterprise risk assessment, if an independent review has deemed it mature and effective.

Either inherent or residual risk ratings may be a primary input for prioritization. Although management often focuses solely on the residual risk rating, internal audit should consider both risk classes to determine which one to use. Reviewing the effectiveness of management’s existing remediation actions in the identified risk areas can help auditors make this determination. If internal audit concludes these actions were effective, it should use the residual risk rating for prioritization. If it has reached no such conclusion, it should use the inherent risk rating.

Some jurisdictions may prescribe regulatory requirements for calculating risk ratings, which internal audit must consider during risk measurement. Risk measurement often requires standardizing terminology, definitions, and specifications, such as risk ratings and materiality, throughout the audit universe. This standardization may involve aligning with the organization’s risk management framework, according to The IIA Practice Guide: Developing a Risk-based Internal Audit Plan.

2. Establish Secondary Inputs

Secondary prioritization inputs are factors not captured in a risk rating that provide additional considerations to better align with the organization’s strategies, objectives, and needs. The list of secondary inputs is unique to each organization and may include:

  • Materiality (magnitude of key financial indicators).
  • Industry or business complexity.  
  • Effectiveness of remediation actions (controls).
  • Susceptibility to fraud.
  • Strategic prospects.
  • Degree of change, including mergers and acquisitions, technology, and personnel. 
  • Assurance coverage from past audits. 
  • Results of previous engagements or other audit work.
  • Insights from senior management and the board.

Given the wide range of factors, secondary inputs can be grouped into categories: financial, strategic, and operational. To quantify the factors or their categories, internal audit should use assessment criteria and relevant scales for each factor or category. 

[Chart 1: secondary prioritization inputs (Risk-Web-2412-Chart1.jpg)]

3. Calibrate Primary and Secondary Inputs

Calibration is the process of aligning inputs measured on different scales to common values. For example, input A is measured as 10 on a scale of 1 to 20, while the other inputs use a scale of 1 to 5. Rescaling input A proportionally (10 ÷ 20 × 5) adjusts its score from 10 to 2.5, aligning it to the five-point scale; more elaborate statistical models can be used where a simple proportional adjustment does not fit the data. Auditors can then use the calibrated score to calculate its rank among the other inputs. To avoid the need for calibration, internal audit can adopt common measurement scales for all inputs.

4. Compute a Total Rank Score

Because some inputs are more important than others, internal audit should weight the inputs. Auditors should assign a higher weight (percentage) to the most critical inputs. Because an internal audit plan is built on a risk assessment, the risk rating typically receives the highest weight.

Internal audit should consolidate all inputs into one table and apply weighting to compute a single score. This total rank score is the basis for sequencing auditable areas in the internal audit plan. 

As shown in “Sequence Auditable Areas”, internal audit weights the primary prioritization input (a residual rating of 4) for Auditable Area 1 at 70%. The secondary prioritization inputs materiality (score = 2), fraud susceptibility (score = 1), strategic focus (score = 2), and management concerns (score = 1) were weighted at 10%, 5%, 10%, and 5%, respectively. Combining these weighted scores (4 × 0.70 + 2 × 0.10 + 1 × 0.05 + 2 × 0.10 + 1 × 0.05) results in a total rank score of 3.3. That places Auditable Area 1 in the second sequential position in the internal audit plan.

[Chart 2: “Sequence Auditable Areas” (Risk-Web-2412-Chart2.jpg)]

5. Apply Specific Considerations

Specific considerations involve making one-off adjustments to the sequence of audits in the risk-based internal audit plan. For example, senior management or the board may request specific audits, or internal audit may exclude certain assignments if they are covered by other assurance providers. Additionally, laws and regulations can mandate specific assurance. 
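The five steps above, carried through in code as an added example written for this page (it is not the author’s or The IIA’s tool). It assumes proportional rescaling for calibration, the 70/10/5/10/5 weights from the “Sequence Auditable Areas” example, and constructed input data for three auditable areas, of which only Auditable Area 1 uses the article’s figures; the parameter names requested and covered_elsewhere for the step 5 adjustments are assumptions as well.

```python
"""Risk-based audit plan sequencing: steps 1 to 5 of the article, as a worked example."""
from dataclasses import dataclass, field

# Common scale every input is calibrated to (step 3).
TARGET_MAX = 5

# Weights for the total rank score (step 4), taken from the article's example.
WEIGHTS = {
    "risk_rating": 0.70,
    "materiality": 0.10,
    "fraud": 0.05,
    "strategic": 0.10,
    "mgmt_concern": 0.05,
}


@dataclass
class AuditableArea:
    """Every input is stored as (score, scale_max) so inputs on different scales can be calibrated."""
    name: str
    inherent: tuple
    residual: tuple
    concluded_effective: bool  # did internal audit conclude management's remediation actions are effective?
    secondary: dict = field(default_factory=dict)  # secondary input name -> (score, scale_max)


def primary_rating(area):
    """Step 1: the residual rating only when remediation was concluded effective, otherwise inherent."""
    return area.residual if area.concluded_effective else area.inherent


def calibrate(score, scale_max, target_max=TARGET_MAX):
    """Step 3: proportional rescaling to the common scale, e.g. 10 on a 1-20 scale becomes 2.5."""
    if not 0 <= score <= scale_max:
        raise ValueError(f"score {score} is outside 0..{scale_max}")
    return score * target_max / scale_max


def total_rank_score(area, weights=WEIGHTS):
    """Step 4: weighted sum of the calibrated primary and secondary inputs, rounded to 2 decimals."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must add up to 100%")
    score = weights["risk_rating"] * calibrate(*primary_rating(area))
    for name, (raw, scale_max) in area.secondary.items():
        score += weights[name] * calibrate(raw, scale_max)  # KeyError if an input has no weight
    return round(score, 2)


def sequence_audit_plan(areas, weights=WEIGHTS, requested=(), covered_elsewhere=()):
    """Steps 4 and 5: rank by total score (highest first), then apply one-off adjustments.

    requested: names senior management or the board asked to have audited first, in that order.
    covered_elsewhere: names excluded because another assurance provider covers them.
    """
    ranked = sorted(
        ((a.name, total_rank_score(a, weights)) for a in areas if a.name not in covered_elsewhere),
        key=lambda item: item[1],
        reverse=True,
    )
    front = [item for name in requested for item in ranked if item[0] == name]
    rest = [item for item in ranked if item[0] not in requested]
    return front + rest


# Constructed sample data. "Auditable Area 1" carries the article's figures
# (inherent 8 = likelihood 3 + impact 5, residual 4); the other two areas are invented.
AREAS = [
    AuditableArea(
        "Auditable Area 1", inherent=(8, 10), residual=(4, 5), concluded_effective=True,
        secondary={"materiality": (2, 5), "fraud": (1, 5), "strategic": (2, 5), "mgmt_concern": (1, 5)},
    ),
    AuditableArea(
        "Treasury", inherent=(9, 10), residual=(3, 5), concluded_effective=False,  # no conclusion -> inherent
        secondary={"materiality": (16, 20), "fraud": (3, 5), "strategic": (4, 5), "mgmt_concern": (2, 5)},
    ),
    AuditableArea(
        "Facilities", inherent=(4, 10), residual=(2, 5), concluded_effective=True,
        secondary={"materiality": (4, 20), "fraud": (1, 5), "strategic": (1, 5), "mgmt_concern": (1, 5)},
    ),
]

if __name__ == "__main__":
    for position, (name, score) in enumerate(sequence_audit_plan(AREAS), start=1):
        print(f"{position}. {name}: total rank score {score}")
```

With these inputs Auditable Area 1 scores 3.3 and lands in second position, as in the article; Treasury outranks it because no conclusion on its controls was reached, so its inherent rating (calibrated from 9 on a 10-point scale) drives the score. Note that the materiality inputs for Treasury and Facilities are entered on a 20-point scale and are calibrated before weighting.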

Putting Top Risks First

The outcome of prioritization is a well-defined sequence of auditable areas. An effective sequence ensures that high-risk and critical activities receive the necessary attention, enabling internal audit to provide timely insights and advice. It is an approach that keeps stakeholders informed about the organization’s key risks and supports the organization in achieving its objectives.

Alena Natseuskaya, CIA, CRMA, ACCA, DipIFR

Alena Natseuskaya is internal audit manager at Yas Holding LLC — OPC in Abu Dhabi, United Arab Emirates.