The risk management process within the Internal Audit function should typically include the following:
• Risk Identification: What are the risks Internal Audit is facing?
• Risk Assessment: How severe are those risks?
• Risk Mitigation: Accept, mitigate or transfer risks.
• Risk Monitoring: Look out for new risks, changes to the risk assessment for existing risks, and the effectiveness of mitigation actions put in place.
The typical risk concerns that an internal auditor should consider fall into three main categories.
Inherent risk is a type of audit risk in which some errors, omissions and misstatements may not be identified by the internal auditors of the company. To identify these types of audit risks, a clear audit plan, audit approach and audit strategy are required.
Detection risk is a type of audit risk resulting from improper planning. This risk refers to the chance that the internal auditor will not be able to detect and correct an error or misstatement before the commencement of the external audit. To reduce this risk, a thorough understanding of the business operations is required, together with a sound methodology for examining components for classification, completeness testing and valuation testing.
This risk relates to the internal controls existing within a company being ineffective in stopping accidental errors or intentional fraud. The weaker the internal controls, the higher the chances of errors and fraud occurring. To deal with this risk, the internal auditor must continuously evaluate the efficiency and effectiveness of the internal controls for their intended purpose. Efforts should be made to improve the internal controls in the company.