Is there a theoretical difference between the components of external and internal audit risk, or is the difference attributable only to how we understand risk as external auditors and as internal auditors?

First, what is audit risk made up of? Conceptually, internal and external audit do not differ here: by the end of this piece you will see that Inherent Risk, Control Risk and Detection Risk constitute audit risk for both. Risk and its management are more deeply ingrained in Internal Audit, purely by virtue of its scope and approach, but since I have covered that extensively elsewhere in this blog, here I focus on the Internal ‘Audit Risk’.

It is important to note that the IIA and the Internal Audit profession do not use ‘audit risk’ terminology in approaching risk. Instead, we use what is known as risk-based auditing and risk-based planning. The Inherent Risk component of audit risk is indeed used by internal audit, but internal audit planning encourages auditors to adopt and align with how the entity itself assesses risk.

The beauty of this comprehensive approach to internal audit planning is that it allows internal auditors to use any approach they deem appropriate in planning coverage of the audit universe. Internal auditors are required to begin with KYC, fully engage with the board and management, and develop an understanding of how the entity identifies and evaluates risk. They may use ERM or any other process- or function-level risk identification and assessment approach, determine risk significance from heat maps, for instance, and residual risk levels, and from these develop their risk-based strategy and plan.

As thorough as it sounds, one might find this too wide and demanding an approach to use from the outset, and hardly workable when the entity’s risks are not even documented. So what if there were an alternative available for internal audit planning: the audit risk concept that external auditors have always owned and used in planning external audit engagements?

I have always found the external auditor’s ‘audit risk’ approach simple, yet intriguing for deployment in internal audit planning. So let us take a leaf from the external auditor’s playbook and see how it could also help in effectively planning internal audit coverage of the entity’s risk universe.

I prefer rebranding ‘Audit Risk’ (AR) as ‘Audit Planning Risk’ (APR) to get a better grasp of it, simply because these risks are initially identified and assessed at the planning stage of an audit engagement. This applies to both internal and external audit engagements. Note the emphasis on initial assessment: AR / APR is no more static than any other risk, so it remains under continual scrutiny. Likewise, audit planning itself must remain dynamic, adjusting for what is revealed throughout the engagement.

Let us now go through the APR components, concluding with the audit risk definition.

INHERENT RISK

The IIA defines inherent risk as “the combination of internal and external risk factors that exists in the absence of any management actions”. For external auditors, inherent risk is “the susceptibility of an assertion about a class of transaction, account balance or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls”. Simply put, inherent risk is the default or pure risk that exists before any control is applied. It is the risk present by design or by nature.

Differences? The components compared for External Audit and Internal Audit:

Perspective (scope driven)
  • External Audit: Financial statements
  • Internal Audit: Any process, system, operation, function, etc.

Materiality
  • External Audit: Assessed right away, largely based on judgment over values, volume, complexity, etc.
  • Internal Audit: Assessed based on internal factors (significance attached, stakeholder influence, mode of operation, documented policy and procedure, volume and complexity, etc.) and external factors (regulatory or statutory, etc.)

Actions
  • External Audit: Controls
  • Internal Audit: Controls and other risk mitigation strategies

Thus, in theory the two might seem almost identical, but seen from the viewpoint of how each auditor approaches and deciphers risk, there are significant differences.

Materiality is, in my opinion, the most significant difference. External auditors focus on material impact on the financial statements, because financial accounting and reporting frameworks are built around material compliance and the risk of material non-compliance. For internal auditors, materiality cannot be the starting point; it is just one of many factors, because all risks need to be documented first, and their assessment and evaluation comes at a later stage.

CONTROL RISK

For external auditors, control risk is “the risk that a misstatement that could occur in an assertion about a class of transaction, account balance or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control”.

Strictly speaking, internal auditors use no such risk assessment in audit planning, so the term is not defined for us. But it is what we actually do when we assess risks on a heat map, charting them in terms of likelihood and impact: the likelihood of a risk materialising is driven largely by whether controls are applied and whether they fail. So the concept is easy to adapt and use, since an understanding of what control risk is has always been ingrained in internal auditing. Aside from perspective, there is not much difference.

Control risk is simply the risk arising from a failure of control systems or procedures. We internal auditors understand that controls can fail for several reasons, including but not limited to:

  • Design inadequacy
  • Incompetent application
  • Redundancy / Irrelevance
  • Non-compliance
  • Collusion to bypass

The risk of controls failing is therefore ever-present, and internal auditors convert these failures into valuable audit findings and recommendations for improvement, framed in terms of the risks the controls are meant to mitigate.

I have conceptualised and deployed this control risk approach to internal audit planning and to documenting the internal audit universe, and it is both easy and useful in carving out the ‘risk-based internal audit plan’.

Since audit findings and recommendations aim to identify and improve deficient or non-existent controls, the inventory of findings and recommendations per process, system, operation, function, etc. is the best basis for rating the control risk of each as high, moderate or low. The rating is set against a control deficiency threshold or a risk tolerance threshold, so that, for example, a process whose open findings exceed the threshold is rated high control risk and is prioritised in the plan.

If there is no existing inventory of findings to rely on, external audit management letters covering control deficiencies can be used where available. Failing that, a documented independent risk assessment must be used to identify areas of audit significance. And if no documented risk assessment is available either and there is no organisational knowledge to draw on, the internal auditor must rely on industry knowledge, KYC and communication with management and the board.

There is an alternative for that too, in case this seems to involve too much subjectivity: keep control risk high by default unless the board and management believe, and can make the case, that it should be rated lower.

DETECTION RISK

This is a purely external audit concept, defined as “the risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements.”

Simply put, it is the risk of audit failure. That does not mean internal auditors do not or cannot fail; our presence in the limelight of many corporate failures worldwide clearly shows how we have failed our clients and ourselves.

In the internal auditor’s case, detection risk is addressed by design: through the ‘systematic and disciplined approach’ distinction in the definition of internal auditing, the Global Internal Audit Standards, and the profession’s testament to professionalism and quality in the form of the IIA’s Certified Internal Auditor credential.


The audit risk model thus has even greater relevance to our cause.

Whereas for external auditors audit risk is a function of the risk of material misstatement (inherent and control risk) and detection risk, it means much more to us as internal auditors.

For us it is the risk of not aligning the audit universe with the entity’s risk universe, of not knowing what the entity’s risk universe should be, of not being adaptive and agile, of not carving out an adequate internal audit plan, of becoming irrelevant, and yes, of failing ourselves.