Published on May 1, 2020

5 tips for successful internal audit risk assessments

A risk assessment exercise can be exciting or dead boring. Here are five tips for starting a risk assessment in any organization.

It is difficult to find the right approach to initiate a risk assessment, despite having relevant resources like methodologies, templates, and flowcharts. We will try to find a suitable approach for starting the risk assessment. Here are the 5 tips.

  • Address strategic risks.
  • Understand the business and its processes.
  • Identify the stakeholders who have interests in the organization.
  • Meet the stakeholders' expectations.
  • Develop the criteria to rate the risks.

Tip 1: Address strategic risks.

Internal auditors should understand that risks with an organization-wide impact are more important than any departmental or small-function risk. This helps auditors connect the strategic objectives with the risks the Company is facing or may face.

Keeping this in mind, an auditor will plan his audit to uphold internal controls where the consequences of such risks are high.

Similarly, the departmental manager includes relevant internal controls in policies and procedures in order to mitigate the consequences of high risks.

Tip 2: Understand the business and its processes.

At the outset of the risk assessment, meet with members of Senior Management and seek answers to the following questions:

  • Where does the Organization see itself in the next 3 to 5 years?
  • What does the Organization sell?
  • What is the market in which the organization operates?
  • Who are the key customers and competitors?
  • How does the organization source its raw materials, machinery, and manpower (supply chain management)?
  • What is the growth trend over the last 5 years, and which exceptional events resulted in losses?
  • How often do laws & regulations change, affecting the organization, customers, and competitors?
  • What are the ongoing and upcoming projects?
  • How often has the organization failed to achieve its targets and projects, and what lessons were learned?

Therefore, the root causes of each risk should be analyzed, as they derive from events such as changes in management, laws & regulations, market dynamics, employees, etc.

Tip 3: Identify the stakeholders who have interests in the organization.

Stakeholders, also known as risk owners, should be identified, as complex organizational structures and processes increase the scope of work.

This is because you have to identify the people, systems and data on which the organization depends to achieve its goals.

Tip 4: Meet the stakeholders' expectations.

You cannot keep everyone happy, and you can easily get lost if you try to satisfy all their expectations and needs. Therefore, the scope should be agreed upon at the outset.

Common problem

Risk owners often argue that 'x' number of internal controls are in place, so the consequences of such risk(s) have no impact.

Hence, risk owners should be made aware of "what would go wrong" as if no controls were in place.

Tip 5: Develop the criteria to rate the risks.

The criteria for rating a risk depend on its likelihood and impact, and the following questions should be asked of risk owners:

  • Impact: How do you rate a loss from a risk event, in dollar terms, as high, medium, or low?
  • Likelihood: How frequently must an event occur to be considered a high, medium, or low risk?

Remember, impact and likelihood are independent of each other and should be assessed separately.


A risk assessment exercise can be exciting or dead boring. The use of technology and innovative ideas can help auditors and managers automate their work processes, thereby bringing efficiencies.

Risk assessment is a continuous process and should be performed based on the dynamic nature of the business “risk profile”.

However, the blind trust that the Board and those charged with governance place in the management, coupled with inadequate control functions, increases the risk of management override of internal controls.


©2019-2022-Usama Zulfiqar-All Rights Reserved
