Have You Assessed Your Risks?

by Michael A. Hoerig, CPA, Audit Partner

Posted on June 3, 2015

Risk assessments are a common procedure performed by external auditors; however, every organization should consider performing an internal risk assessment as well. The goal of an internal risk assessment is to determine if the control structure is working as originally designed and if changes are necessary.

Small procedural changes occur every year at your organization, some as a result of staff turnover, others due to budgetary pressures or regulatory changes. After several years of small changes with no corresponding review of the internal controls, organizations can develop “gaps” in their internal control structure that leave them vulnerable to costly errors or fraud. Whether documented informally or formally through the use of memos and worksheets, a periodic review of the internal control structure can be a beneficial exercise to ensure the controls are still relevant and that fraud risks are minimized. In some instances, obsolete procedures may also be identified and eliminated.

An internal risk assessment generally consists of the following steps:

  1. Identify the risk areas to be assessed (e.g. cash collections, or customer billing). Keep in mind that decentralized processes (e.g. functions performed by a satellite location, or functions that each department performs) are generally considered higher risk and therefore should be considered higher priority when identifying risk areas.
  2. Document the current process in place through interviews and observation of employees involved. Flowcharts can also help visually demonstrate how information flows from one employee or department to another.
  3. Develop hypothetical errors or fraud scenarios and identify if internal controls are in place to prevent or detect the issue. If a significant weakness is detected, it should be analyzed to determine the necessary changes to the internal controls.
  4. Consider performing tests of the internal controls. Selecting a sample of actual, historical transactions and tracing their path through the process can help complete steps 2 and 3 above by demonstrating the controls in place and where they are lacking.
  5. Summarize the results of the risk assessment and communicate the results to employees, management and the governing body.

While the risk assessment process is time-consuming, the benefit is an enhanced and up-to-date internal control structure. In addition, the cost of evaluating the structure before an issue arises is certainly less than the cost incurred if fraud does occur (both in dollars and reputation). For assistance with the risk assessment process at your organization, contact your HM audit team or our consulting division at 602-277-9449, ext 327 or 928-774-4201, ext 204.