CPE for Government Auditors

Two Approaches to Audit Risk Assessment

I have always harbored a bit of uneasiness about auditing. It started on my very first audit. I remember being 23 years old, walking in to a client’s office, asking questions, and then passing judgment on their systems and procedures. What a precarious place for me to be.

How could I, an outsider, quickly understand and pass judgment on a client’s systems? They knew I was clueless and so did I. Sometimes I was in an adversarial relationship with the client and they had no inclination to help me figure things out. They reasoned—rightly—the less I knew the better.

The probability that I would hit the hot spots was pretty slim. I know I spent a lot of time barking up the wrong tree and at the end of the audit no one cared to read my report.  I was not doing a thoughtful risk assessment, but instead was repeating whatever the auditor before me had done.

I remember spending about a year performing a series of revealing and scathing (NOT!) examinations of inventory tags on funky state office equipment. Even if I found that a tag or an inventory item was missing, who would care?

Failure in auditing is defined as spending too much time looking at something no one cares about. And I, and my managers, were failing at auditing.  After that scintillating audit of state office equipment, I decided to start looking for another job.  Luckily, the leadership in my office acted to stop the madness and begin doing risk assessments before I had the chance to put together my resume.

The audit management decided that enough was enough. As a team, we were spending our time doing meaningless things because we were simply repeating the procedures of our predecessors, who did what their predecessors did, and so on, and so on. Our reports were boring because they didn’t have anything relevant to say. Important things were happening at our client’s offices that we were missing.

So the management team announced at our annual staff conference, “OK, guys and gals, we are going to approach our audits differently from now on. We want you to ditch the canned audit programs and customize your approach for each client. We are going to start doing more thorough risk assessments. We want you to THINK about what you are doing. And to help you THINK, we are going to cut your audit budget by 10%.”

The team’s reaction to this was pretty funny. Young auditors like me thought that sounded reasonable—scary—but reasonable. But the veteran auditors started grumbling.  I overheard one of them say , “I was not hired to think, I was hired to audit!” HA.  He and many of his contemporaries jumped ship within the next year.

What a luxury!

I see the same thing happening as I am training CPAs, audit firms, monitors, and internal auditors around the country. Many auditors prefer not to think. Thinking takes time and they don’t believe they have any. So, they just do the same inane procedures over and over every year.

What a luxury to be able to do something stupid over and over again and get paid for it! The folks hiring these auditors are throwing good money down the drain.

I think many auditors get away with this because their clients aren’t savvy to how powerful an audit function can be. Auditors can and should provide clients with information they can actually use.

A good risk assessment process keeps you focused on the significant stuff.

The first step to avoiding audit failure is to perform a risk assessment. In a risk assessment you find out what matters. Let’s talk about two general approaches to risk assessment. The first approach is independent study. The second approach is facilitated discussions.

#1: If you decide to use independent study to perform a risk assessment, you perform an investigation on your own, trying to uncover risk with interviews and reading. This is a fine approach, but not ideal. You may not ask the right questions and inadvertently use old, outdated, maybe even bogus documents for your research.

#2: The second approach, the facilitated discussion makes more sense to me. In facilitated discussion, you allow the client to identify where the risks are. This involves a huge shift in the dynamics of the auditor/auditee relationship. This is a collaborative approach, not the gotcha approach many audit shops use.

Let the auditee define the risk

The auditee knows where the risks is better than you do!

I recently had the privilege of conducting a seminar for the internal audit shop at a huge insurance and banking company.  This company literally splits their audit into two pieces. The first piece is spent facilitating discussions with the client about the client’s goals and how they are meeting these goals. At this point gaps are identified between what the client is doing and where they should be.

At the end of this first piece of the audit, the auditor and the client agree on what needs to be done to fill these gaps and a simple report is issued containing a corrective plan of action.

Then the team leaves the client alone for up to six months to give them time to work on the action plan. After the six-month break, the audit team returns for the second piece of the audit. In this piece they verify that the client was correct in their assessment of existing conditions and that the client made the agreed upon improvements.

This is so dreamy from an auditor’s perspective. Here all the auditor has to do is facilitate the discovery process. The client determines their own recommendations for improvement and therefore is much more likely to implement these recommendations. It takes the sting out of the relationship. The auditor is no longer pitted against the client in an adversarial relationship because the auditor is helping the client achieve their goals.

The facilitated discussion approach would make me feel so much more comfortable in my audit work. Of course, you still need to keep your auditor independence and skepticism in place throughout this process,  but we are born skeptics, are we not?


To find out more about the risk assessment process, check out YellowBook-CPE’s self-study book entitled Essential Skills for the Government Auditor available here: https://yellowbook-cpe.com/product/essential-skills-for-the-beginning-government-auditor

Visit the Yellowbook-CPE.com Student Center
Click to learn more about Yellowbook requirements.


Lost your password?