This assessment takes place at inception or creation of the auditable entity. In fact, there is a limited assessment performed when the audit group is analyzing its universe. This universe review typically is based on the collective team knowledge of the businesses they audit.
Understanding the Universe
The audit universe, simply stated, is everything that needs to be reviewed. The auditor should know, at a minimum, the business products, financial situation and strategy. Other aspects that could provide insight include market position, legal and regulatory requirements, staffing and personnel and any history of significant problems.
It is a good idea to bring senior line management into the discussions when there is any doubt as to aspects of the business. A fatal mistake would be for the auditor to assume knowledge that could then cause erroneous structure of entities. Failure to completely understand the universe will come back to haunt the audit group and it is something that can be eliminated by simply asking questions and gaining knowledge.
Creating the Audit Entity
The second step in risk assessment is to create the auditable entities. An auditable entity can look and represent the business any way that the audit team feels is most appropriate. This exercise is not performed in a vacuum. While the audit team may know much about the entity, those who manage the business know more. It is important to include them in some stage of discussion during this phase of the risk assessment.
Assessing the Entity
Once the entity is created, the audit team should develop a process that ensures all risks are identified and measured properly. During the past few years, several processes have been introduced to the audit industry. Each has positive aspects, but not each is appropriate for all businesses or even for all entities within a business. However, it is recommended that the auditor begin the risk assessment by having a format and templates which the entire group will use. Once this template is created, the audit team can go straight to documenting the information they need.
Most industry experts agree that there is an inherent risk to every business. For the auditor to better understand these risks, he/she should research similar businesses, talk with business experts and also with management of the proposed auditable entity. These conversations will ensure that all inherent risks are noted and discussed. More importantly, the auditor and business management will have a common understanding of the inherent risks.
Validating Controls
Once the risks are known, defined and documented, the auditor should look for controls for each one. These controls will need to be validated at some time, but for the assessment process the auditor can rely on management’s assertion that the controls are established and working effectively.
Each risk listed may have one or more controls. There may be instances where no controls are known to be implemented. That is alright. Part of the risk assessment is to understand the risk environment, not to confirm that all controls are working. That step comes later.
Finally, the auditor must compare the risk to the control. If there are adequate controls, then the inherent risks can be reduced. If not, then it will remain as if the control did not exist at all.
Overall Entity Rating
As a last step, the auditor should provide an entity level risk rating. There are many ways to do this. The most effective way is to use the inherent and residual risk ratings and combine that with intuition and knowledge. This provides both an objective and subjective approach to rating the entity.