A New Approach to Audit Risk Assessment

In today's economic environment, entities are asked to find the most efficient utilization of resources while achieving optimal levels of effectiveness. This holds true in the public as well as the private sector. Governmental agencies in particular have been faced with reduced budgets, but are still expected to accomplish -- even exceed -- their objectives. Internal auditors in governmental agencies are no exception, and are being told to "do more with less." What, then, are auditors to do in the case of the initial audit risk assessment? The traditional approach considers audit risk assessment to be solely within the purview of the auditor. It consists of relying on the auditor's competence in the execution of audit steps including completing questionnaires, drawing flowcharts and writing narrative descriptions. This auditor-only approach is used in response to the perceived need to maintain independence between the auditor and auditee. However, this traditional approach ignores the potential benefits of utilizing the knowledge and experience of the auditee's employees. Makosz and McCuaig (1990) suggested that internal auditors need to rethink their approaches and techniques and that a "Renaissance" approach is necessary to respond to ever-changing demands. They described the risk assessment technique used at Gulf Canada Resources which utilized the knowledge and experience of the auditee's managers and employees. In this approach, the auditor and auditee work together constructively, instead of adversarially. Indeed, Makosz and McCuaig point out that some of the best audit recommendations are suggested by the auditees. Their approach resulted in an increase in the scope, quality and quantity of information gathered. In addition, the attitude toward internal auditing has improved. Internal auditing has become a cooperative effort of a team working to reach a common, mutually beneficial goal. A State Agency Experience The Inspector General of a large state agency, faced with a reduced budget while being asked to maintain the same level of service, initiated a project to build and utilize an audit risk assessment model. The objective of this model was to more efficiently allocate scarce audit resources based on the best possible assessment of audit risk. The "Renaissance" approach suggested by Makosz and McCuaig was used in building the audit risk assessment model. The first step was to create a team responsible for the project. The project team consisted of an internal audit manager, representatives from major functional areas and an independent consultant. The internal audit manager had overall project responsibilities, including scheduling meetings, preparing agendas, reporting results and interacting with agency management. The functional area representatives provided information regarding their individual areas and provided a liaison with their areas. The consultant provided a conceptual framework and facilitated the information gathering sessions with functional area representatives. After the roles of the participants were defined, the next step was to determine the project's objectives and scope. The team reviewed relevant legislation, policies and guidelines and held discussions with the agency's senior management. As a result of these efforts, the team decided that there were two major objectives for the audit risk assessment model. The first objective was to optimize the use of available audit resources. The second objective was to optimize the use of other agency resources through the application of appropriate internal accounting and administrative controls. The scope of the project included all operations of the agency, as well as agency execution of all legislative requirements mandated to it. The project also included creation of a two-year audit plan. This plan had to ensure three objectives: the audit of major systems of internal accounting and administrative controls every two years; design review of all new computerized systems: and review of major modifications of existing computerized systems before installation. …