Best 3 Practices for a Risk-based Internal Audit

Written By Chris Ekai

Conducting a risk-based internal audit is not easy. A risk-based audit approach begins with a risk universe as the foundation for the audit plan, and the objective of the internal audit department in such an audit is to address management’s most critical risks. There has been ongoing debate about the applicability and practicability of the approach, with audit practitioners and risk professionals often clashing over what the key risks are and how they should be described. Audit professionals blame risk professionals for producing generic risks without specific risk descriptions. Risk management is about capturing an organization’s key risks in a general manner, while auditors need to test controls in a specific manner; that difference is perhaps the root of the blame.

All of the audits on the plan are designed to address those risks and provide insights back to senior management. This can be done with the right knowledge and preparation, taking into account the distinction between audit and risk management. It is about finding the best practices for conducting a risk-based internal audit. There are many different steps that must be taken in order to do this properly, which we will explore in more detail below. How do you start? Organizations should come up with a plan of action describing what they want to accomplish during the audit, assemble the work team, get all of the equipment ready and make sure everyone knows their part in the process. Once all of these things are squared away, it is time to begin.

Internal Control Evaluation in Risk Based Audit

The older auditing standards permitted auditors, at their option, to categorize the client’s internal control as a high risk, allowing them to substantially decrease the amount of effort needed to comprehend and document internal controls. The auditing standards now in place strictly limit the extent to which internal controls can be considered low risk. The definition of internal controls according to US GAAS includes not only the company’s operating policies and procedures but also its accounting system. Auditors must perform a sufficient number of tests on an entity’s internal control over the financial reports to support a reduced level of audit evidence for low-risk conditions. Auditors can perform less extensive procedures if there are low risks that the financial statements are materially misstated because of a lack of proper internal controls.

The auditor is not permitted to “default to the maximum” control risk in the risk assessment criteria. The internal control design and implementation should be evaluated during all audits to correctly identify and assess risk.

Many businesses have trouble integrating their internal control efforts into the actual activities and other elements of the deal, finding enough benefit to justify the additional audit expenditures that result from compliance with this standard, and determining how to measure the effectiveness of internal control design in practice.

Follow the COSO guidelines in risk based approach audit

The key to success is for the auditor to have superior knowledge of the COSO integrated control framework. Because COSO links internal control to the financial statements, it addresses the problems that businesses and their employees confront all around the world. The COSO framework defines internal control as a process that provides reasonable assurance that the following three objectives are being achieved:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting; and
  • Compliance with applicable laws and regulations.

The auditor begins with the company’s financial statements and then moves through a series of examinations that become progressively more detailed until he or she evaluates the control activities on an individual basis. The evaluation involves both a test, such as reviewing supporting documentation or performing analytical procedures, and an assessment of the control itself. A good auditor knows that his or her most important function is to prove that these controls are effective.

To be successful, the auditor must learn COSO’s methodical process for evaluating internal controls and then apply it to each business and industry. COSO recognizes the need for this discipline and provides tools in its framework to comply with auditing requirements and standards worldwide, such as:

  • The internal control questionnaire
  • The flowcharting process
  • Defining internal controls using control families
  • Understanding how individual control activities add up to company-wide controls

Understanding the COSO methodology

The auditing process begins with the “top” of the chart and works “down.” The first step is to identify the material accounts and significant classes of transactions, as well as the relevant assertions connected to them.

The flip side of the assertion is the risk of material misrepresentation, or “what can go wrong?” This includes concerns such as incorrect information in the database and/or system. One example of a risk associated with an accuracy assertion is that one or more genuine transactions are not recorded in the system. The auditor may interpret control objectives like”

The auditor next searches for controls that meet the defined control objective. As a result, there is an unbroken connection between the financial statements and internal controls, allowing the auditor to see how one control activity may affect an amount shown in the financial reports. In this example, the control objective is that transactions are recorded as they occur: if a transaction is not recorded at all, it cannot be reflected in the financial reports.

Controls can be classified as being either general controls or application controls. General controls exist independent of application systems and typically include physical security of assets and personnel policies. Application controls function within specific software programs to ensure transactions are posted as they occur. The auditor needs general controls in place to confirm that application controls can operate effectively and efficiently.

The last step of the top-down methodology is to determine whether the control environment within which these controls reside is effective and efficient or not.

Take a top-down approach to define the scope of your internal control efforts.

Because top-down COSO audit methods allow the auditor to properly scope the internal control test work, they have proven highly efficient. The COSO Internal Control-Integrated Framework has five components that are related to each other; the first four are the components of internal control that have been defined for many years.

The top-down method instead encourages the auditor to progressively eliminate immaterial accounts and transactions, non-pertinent assertions, and overly redundant controls from consideration. These steps allow the auditor to complete a preliminary assessment of inherent risk and account for the most material accounts and transactions with the least effort.

The end result is a tightly focused group of controls for the auditor to comprehend, evaluate, and document, allowing the audit to be as productive as possible. This approach is most effective when the auditor utilizes a systematic inquiry to ask probing questions about each account and transaction.

In addition, the top-down method places greater emphasis on performing analytical procedures as a primary technique for evaluating internal control effectiveness. Because of this, the auditor needs a strong understanding of how to use analytical procedures properly to understand important relationships.

Concentrating on internal control aims to determine the effectiveness of control design.

Before the risk assessment standards, there was no requirement for auditors to evaluate the design of their client’s internal controls, so most auditors had only a grasp of how a control worked rather than an assessment of whether it was properly designed. Some auditors have found evaluating control design difficult under the new risk assessment standards.

A COSO review of internal control design may be beneficial in several ways. Firms that have strictly implemented the COSO procedure have been able to conduct a comprehensive evaluation of internal control design, resulting in improved audit quality.

The COSO framework requires the auditor to define control objectives and then examine the control activities that are meant to achieve them. A properly designed control system satisfies the stated control objectives; an ineffective system fails to satisfy the required control objectives. Identifying these flaws enables the auditor to assess risks more effectively and develop the appropriate sequence of further audit procedures.

Best 3 Practices for a Risk-based Internal Audit

Determine the Type and Extent of tests

The majority of auditors recognized that the risk assessment criteria would necessitate more audit procedures than in the past, and they were prepared to invest significantly higher costs during the first year of implementation. The expectation was that expenses would go down over time as a result of auditors leveraging their experience with clients acquired in prior audits. In reality, realizing these savings.

Recognize and assess changes

For years, auditors have struggled against a SALY mentality, the inclination to subconsciously believe that everything on the audit is “Same As Last Year,” which almost always results in lower audit quality. The risk assessment standards give audit firms the ability to eliminate a SALY mindset by reframing the problem. Instead of considering how to “update” last:

  • Since our last audit, has anything significant occurred at the entity or in its operating environment?
  • As a result of these modifications, what has happened to the client’s inherent risks since our previous audit?
  • Were any modifications to internal control required to address these changes in inherent risk?

After the auditor has addressed these questions, he or she will be able to determine the nature and extent of any further risk assessment procedures. A full set of tests is necessary when the following conditions are met:

The auditor concludes that there have been significant changes since the period covered by his or her last audit that are likely to have a material effect on at least one balance sheet account, and the nature of these changes is not adequately addressed in an existing audit program.

Understanding and evaluating change

  • Begin by considering the nature of the changes to the entity and its environment since the previous audit. It is key to ask whether those changes have resulted in changes to inherent risks. For example, the COVID-19 pandemic recession may create inherent risks for organizations that were not present before the pandemic.
  • If the overall risks have not changed, the auditor must confirm that controls have been implemented properly and are still effective.
  • If the entity’s or its environment’s inherent risks change, the auditor must inquire whether modifications to internal controls were required in order to address these new perils. For example, a recession may generate hazards relating to asset value that were not previously significant. The client may not have conducted any substantial analysis of asset impairment in the past; in the current, more austere times, however, management may have enhanced its asset impairment testing. Consequently, the auditor needs to be aware of relevant changes that could have been introduced into internal controls and evaluate whether they are appropriate and effective in mitigating potential risks.
  • If the overall risks or their severity change (e.g., as a result of new technology), the auditor needs to understand the controls and how they function in order to assess whether or not they will address these new risks.

Continuous Implementation of Internal Audit

It was tough for even the most well-resourced audit businesses to implement the standards fully, according to one source. Most firms continue to develop their auditing methods and establish firm rules in response to issues that result from implementing the standards.

The continuing audit problems for smaller firms will demand even more focus. Smaller, less complex businesses present a variety of difficulties that larger clients do not. Auditing small, less complicated enterprises is frequently difficult because:

  • Adjustments to the accounting records need to be made before beginning major auditing procedures.
  • There are unaudited transactions with unknown related parties.
  • Internal controls are simple or traditional, with little documentation, no separation of duties, and a lack of in-house accounting knowledge.
  • Standardized audit practice aids were developed for audits of bigger businesses rather than for the problems that arise in an audit of a smaller, less complex company. The idea that it is impractical to audit smaller companies is being questioned by many, however. The Big Four have begun the process of demonstrating the validity of audits of businesses with smaller turnovers.
  • The result has been a greater focus on client service and better training programs for auditors, who are expected to spend more time studying small company clients.

Create your own methodology.

Many organizations use a predetermined set of standardized practice tools to develop their audit methods. These forms and checklists assist auditors in fulfilling the standards’ criteria, but they should not be confused with the standards themselves. An auditor may follow the guidelines and create audit evidence in a variety of ways.

Until recently, the notion of bespoke audit practice aids for highly judgmental areas such as documentation of internal controls had been considered the domain of only the largest businesses. By developing their own forms or checklists for highly subjective topics such as internal control documentation, growing numbers of audit firms are producing a more personalized, firm-specific set of audit practices.

Participation in audits of smaller, less complicated business units

During the audit planning process, the unique needs of an evaluation of a smaller, less complicated firm typically necessitate the involvement of the most seasoned auditors. More experienced auditors will be able to make significant judgments about audit strategy, such as:

  • The parameters, procedures, and techniques used to gather information about the client and its environment.
  • The analysis of risks of material misstatement.
  • The auditor’s documentation of assessed risks, both general and specific.
  • The internal control documentation expected from and/or determined for the client.
  • The selection of additional audit procedures that are directly linked to the assessed risks.
  • The definition of audit priorities: audit resources are assigned to those aspects of the audit that pose the greatest risk based on the defined audit objectives.

The risks that are the most important to your organization depend on what you do, who you serve, and how much risk is tolerable. To determine this for yourself, ask two questions: “What am I trying to protect?” and “How much risk can my company tolerate?” If you have a clear answer to both, it will be easier for you or your team to take steps to mitigate threats.

What do you think of risk-based audits? Are they effective or not? Why or why not, and what tips would you give for conducting your own audit with a risk-focused approach? Share your thoughts in the comments below.
