What a Risk Assessment Must Do
A risk assessment for internal audit planning must accomplish four things: identify the complete audit universe; evaluate the significance of each element based on inherent risk, control environment quality, and other relevant factors; produce a prioritised, defensible ranking that drives resource allocation decisions; and be updated at least annually, or more frequently when the organisation's risk profile changes materially.
The risk assessment that cannot accomplish these four things — because the audit universe is incomplete, the scoring criteria are arbitrary, the ranking is predetermined, or the process is infrequently updated — is not fit for purpose.
Defining the Audit Universe Comprehensively
The audit universe must cover all significant operations, processes, systems, and entities within scope, including subsidiaries, joint ventures, outsourced service providers, and significant third-party relationships. Common failures: excluding operational processes that management considers sensitive; failing to include newer business activities or recently acquired entities; not updating the universe when the organisation's business model changes; and limiting the universe to what the current audit plan already covers.
A well-constructed audit universe should contain significantly more auditable entities than can be covered in any single year. The purpose of the risk assessment is to prioritise among genuine choices. An audit universe that perfectly matches the existing audit plan is not a risk assessment — it is a rationalisation.
Risk Scoring: Criteria, Weighting, and Consistency
Risk scoring methodology must be explicitly documented, consistently applied, and defensible when challenged. Scoring criteria should include at minimum: inherent risk (significance of potential adverse outcomes considering both likelihood and impact); control environment quality (effectiveness of existing controls in managing inherent risk); management's risk tolerance (areas where the board has established lower tolerance for risk exposure); and auditor judgment factors (regulatory scrutiny, prior audit findings, management quality, organisational change).
Consistency is as important as the criteria themselves. Risk assessments that produce materially different scores for similar risks — due to assessor variability or adjustments made after initial scoring to accommodate management preferences — are not credible. Calibration mechanisms, such as requiring documented scoring rationale for each entity and testing the scored population for outliers, improve both consistency and defensibility.
Stakeholder Input: Essential and Potentially Biasing
Stakeholder input from management and the Audit Committee is an important input to risk assessment but must be managed carefully. Management's view of risk is valuable but inherently subject to self-interest. Internal audit must incorporate management's risk perspective while applying independent professional judgment to assess whether management's characterisation is accurate. The most rigorous approach treats stakeholder input as data to be assessed rather than conclusions to be adopted.
The Board Presentation: Making Risk Assessment Credible
The CAE who presents a risk assessment the committee cannot evaluate — because the methodology is opaque, scoring criteria are undefined, or the rationale for priorities is unstated — is not supporting meaningful oversight. Effective risk assessment communication to the board includes: explicit description of scoring methodology and criteria; the complete audit universe, not just the top priorities; the rationale for highest-priority areas; coverage gaps (significant risk areas that will not be covered due to resource constraints); and an explicit statement of what the risk assessment does and does not tell the committee. Boards that approve audit plans without understanding the risk assessment that generated them are approving resources without adequate information.