Internal auditing professional standards require the function to monitor and evaluate the effectiveness of the organization's risk management processes. Risk management relates to how an organization sets objectives, then identifies, analyzes, and responds to those risks that could potentially impact its ability to realize its objectives.
Under the COSO enterprise risk management (ERM) Framework, risks fall under strategic, operational, financial reporting, and legal/regulatory categories. Management performs risk assessment activities as part of the ordinary course of business in each of these categories. Examples include: strategic planning, marketing planning, capital planning, budgeting, hedging, incentive payout structure, and credit/lending practices. Sarbanes-Oxley regulations also require extensive risk assessment of financial reporting processes. Corporate legal counsel often prepares comprehensive assessments of the current and potential litigation a company faces. Internal auditors may evaluate each of these activities, or focus on the processes used by management to report and monitor the risks identified. For example, internal auditors can advise management regarding the reporting of forward-looking operating measures to the Board, to help identify emerging risks.
In larger, more complex organizations, major strategic initiatives are implemented to achieve objectives and drive changes. As a member of senior management, the Chief Audit Executive (CAE) may participate in status updates on these major initiatives. This places the CAE in the position to report on many of the major risks the organization faces to the Audit Committee, or ensure management's reporting is effective for that purpose.
In auditing, risk assessment is a crucial stage before accepting an audit engagement. According to ISA 315, Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, "the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control."
The main purpose of risk assessment procedures is to help the auditor understand the audit client. Aspects such as the client's business nature, management structure and internal control system are examples. The procedures provide audit evidence relating to the auditor's risk assessment of a material misstatement in the client's financial statements. The auditor then obtains initial evidence regarding the classes of transactions at the client and the operating effectiveness of the client's internal controls. In auditing, audit risk includes inherent risk, control risk and detection risk.
Inherent risk is typically assessed using a scale, with assessments being either low, medium, or high. Assessments of medium or high will require additional audit work to be performed to conclude that management's assertions are appropriate. Factors considered in this assessment include:
- Complexity of determining the account amount (if it is an estimate or a financial statement disclosure)
- Past history (including any audit differences identified)
- The circumstances of the entity's business environment
- Management's overall risk awareness
Control risk is the risk that a company's internal controls are insufficient to mitigate or detect errors or fraud.
Detection risk is the risk that the auditing procedures used will not find a material misstatement in the financial statements of the company being audited.