Using Risk to Plan a Better Audit

In the world of auditing, you can’t look at everything. If you tried to check every receipt or interview every single employee, an audit would take years. To plan intelligently, auditors have to use their judgment to figure out where the biggest problems are likely to be hiding. This is called “Risk-Based Planning.” It’s the process of using risk to decide where to spend your time and energy.

Why focus on risk? Planning an audit based on risk makes your work more helpful. Instead of checking things that are already working fine, you focus on the “danger zones.” This helps you save time, so you don’t waste hours on small details that don’t matter. It also lets you focus your best people – you put your most experienced team members on the hardest tasks. And it helps the company, because management wants to know about big problems that could hurt the business.

To plan an audit, you need a way to measure how risky a specific area is. Auditors use a simple formula to do this: Risk = Impact x Likelihood. Impact (“How bad is it?”) is a measure of potential consequences: if something goes wrong, how much damage will it cause? This could be losing money, legal issues, or ruining the company’s reputation. Likelihood (“How often does it happen?”) measures the chances of something actually going wrong. If a process is complex, confusing, or hasn’t been checked in a long time, the likelihood is high.

You can visualize the risk calculation as a heat map drawn on a grid, with Impact on one side and Likelihood along the bottom. The heat map can use just low and high values, include an intermediate level (medium), or use a quantitative scoring scale (e.g., 0, 1, 2, 3). In a simplified heat map, Low Impact and Low Likelihood are green areas, where you might just do a quick check-in. High Impact and High Likelihood are red areas, which should be at the top of your audit plan.

In Risk-Based Planning, once you’ve calculated the risks, you can build your audit plan. Start by making a list of things that could go wrong in the department you are auditing. Next, use the Impact and Likelihood formula or a heat map to give each risk a score. If an area has a high risk score, you’ll want to examine it closely. To mitigate that risk, you might look at hundreds of documents. Conversely, if the risk is low, you might only look at a sample of five or ten items.
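The planning steps above, worked through as an added example (not part of the original article): a small risk register scored on the 0 to 3 scale, placed on a text heat map, and ranked into an audit plan. The register entries, the band cut-offs, the tie-break rule and the sample sizes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed sample sizes per band ("hundreds" for high risk, "five or ten" for low).
SAMPLE_SIZE = {"red": 200, "amber": 40, "green": 10}

@dataclass(frozen=True)
class Risk:
    area: str
    impact: int       # 0..3, "How bad is it?"
    likelihood: int   # 0..3, "How often does it happen?"

    def __post_init__(self):
        if not (0 <= self.impact <= 3 and 0 <= self.likelihood <= 3):
            raise ValueError(f"{self.area}: impact and likelihood must be 0..3")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood  # Risk = Impact x Likelihood

def band(risk: Risk) -> str:
    # Assumed cut-offs on the 0..9 product: red >= 6, amber >= 3, otherwise green.
    return "red" if risk.score >= 6 else "amber" if risk.score >= 3 else "green"

def audit_plan(register):
    # Highest score first; equal scores are broken by impact (assumed rule), so a
    # rare but severe risk outranks a frequent but minor one with the same product.
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact, r.area))
    return [(r.area, r.score, band(r), SAMPLE_SIZE[band(r)]) for r in ranked]

def heat_map(register) -> str:
    """Count of risks per cell: Impact on the side, Likelihood along the bottom."""
    rows = []
    for imp in range(3, -1, -1):
        counts = [sum(r.impact == imp and r.likelihood == lik for r in register) for lik in range(4)]
        rows.append(f"I={imp} " + " ".join(str(c) if c else "." for c in counts))
    rows.append("L=  " + " ".join(str(lik) for lik in range(4)))
    return "\n".join(rows)

REGISTER = [  # constructed sample register, not data from the article
    Risk("Privileged access reviews", 3, 3),
    Risk("Vendor payment changes", 3, 2),
    Risk("Backup restore testing", 3, 1),
    Risk("Expense report coding", 1, 3),
    Risk("Office supply ordering", 1, 1),
]

if __name__ == "__main__":
    print(heat_map(REGISTER))
    for row in audit_plan(REGISTER):
        print(row)
```

Backup restore testing and expense report coding both score 3, which shows why the product alone can hide the difference between a rare severe risk and a frequent minor one.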

Auditing isn’t just about finding mistakes from the past; it’s about preventing future problems. By assessing risk with the Impact x Likelihood formula, you can make sure you are looking at the things that matter most and ensure an audit is a powerful tool to keep a company safe.

Blue Sky Consulting can help with your organization’s audit planning and risk assessment needs. Contact us to learn how we can help you.
