Alexandra was a young manager in a small audit department of a manufacturing company.

Her department was facing time-management issues: the audit engagements could not adhere to the timeframes in the annual audit plan, which had been developed in line with the Institute of Internal Auditors' International Professional Practices Framework (IPPF) for internal auditing and approved by the board of the company.

Many of the scheduled assurance audit engagements were completed with significant delays compared to the plan. As a result, the timely completion of the overall audit plan was at risk. Alexandra had to find out why.

She decided to call some of her peers, including acquaintances from various internal audit conferences and events she had attended, and described the methodology that her audit department used to plan and complete its assurance engagements.

Most of them suggested that the audit engagements did not adhere to the timeframes in the annual plan due to insufficient engagement planning, which led to wasting several hours, or even days in some cases, auditing almost all of the areas of a specific activity and not focusing only on those with increased risk.

They also referred her to the IPPF.

According to the IPPF, internal auditors must develop and document a plan for each engagement, including the engagement’s objectives, scope, timing, and resource allocations (Standard 2200 on Engagement Planning).

Alexandra’s audit department was indeed developing a plan for each assurance engagement and documenting the relevant plan on an audit-planning memo.

The Preliminary Risk Assessment

Further studying the IPPF, she came upon a requirement that, during the planning phase of an audit engagement, internal auditors need to conduct a preliminary assessment of the risks to the activity’s objectives, resources, and operations. The assurance engagement’s objectives should reflect the results of this preliminary risk assessment (2201 – Planning Considerations, 2210 – Engagement Objectives).

The internal procedure guiding her department’s audits required that a risk assessment should be conducted during the planning phase of an audit engagement in order to identify and analyze all the risks towards the achievement of the objectives of an activity. Then, the relevant risks should be briefly summarized in the audit-planning memo.

However, the internal procedure did not require that after this risk assessment, the identified risks should be prioritized based on the assessed criteria (for example, risk likelihood, impact, and others) and that the engagement objectives should be developed so as to ensure the coverage of the most significant risks.

As a result, the objectives of the audit engagements, and subsequently their scope, were defined to cover not only the most significant risks affecting the audited activity but also various other risks of lesser significance, based on the judgment of each internal auditor. This pitfall during the planning of the audit engagements led to the time frames established in the annual audit plan not being met.

Alexandra wanted to find a solution to address the problem.

Auditing what Matters Most

After discussing the situation with her peers, Alexandra suggested the company implement a risk and control matrix.

The risk and control matrix is a useful tool in the internal auditor's arsenal, usually built in a spreadsheet application. It allows internal auditors to document the preliminary risk assessment by listing the inherent risks identified that affect the activity under review, organizing them by category (compliance, liquidity, operational, etc.), and assessing them against defined criteria (such as probability, impact, velocity, and others).

For each of the listed risks, the risk responses in place—such as mitigating controls, compensating controls, and transferring of risk—are recorded in the risk and control matrix. Additional information about the risk responses can also be captured there, such as the nature of the controls (preventive, detective, or compensating), the periodicity of their execution (daily, weekly, monthly, etc.), and their degree of automation (manual, systemic, partly systemic).

Thus, the risk and control matrix allows for the prioritization of the risks identified during the preliminary risk assessment in an assurance audit engagement and facilitates developing audit objectives which will address the most significant of these risks.

Focus on the Important Controls

As Hernan Murdoch writes in this article on auditing what matters most, “Internal auditors should use a risk-based, top-down approach to testing and focus on those controls related to important risks. The idea is to focus on controls whose failure would significantly jeopardize the achievement of business objectives. The focus should also be placed on those controls that cover or mitigate more than one risk, support an entire process, are among the organization's entity-level controls, or contain analytic elements to provide broader coverage of the underlying transactions and activities.”

The usage of the risk and control matrix can also be expanded beyond the traditional documentation of the preliminary risk assessment performed while planning an assurance audit engagement. In this context, the risk and control matrix can also be used to assess the design of the risk responses in place to address the most significant risks, as well as to define the tests to be performed in order to audit the effectiveness of these risk responses.
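The prioritization and control-selection logic described above, as an added example that is not part of the article or the IIA's guidance: a small risk and control matrix in Python with constructed sample data (a hypothetical accounts-payable activity, 1-5 scores), which ranks inherent risks by likelihood and impact, uses velocity as a tie-breaker, and then picks the controls to test, preferring controls that mitigate more than one significant risk and reporting any significant risk with no documented response as a design gap.

```python
from typing import Dict, List, Tuple

# Constructed sample data for illustration only (hypothetical activity: accounts payable).
# likelihood / impact / velocity are on a 1-5 scale, as an auditor might score them.
RISKS: Dict[str, dict] = {
    "R1": {"category": "operational", "desc": "Duplicate or fraudulent vendor payments", "likelihood": 4, "impact": 4, "velocity": 3},
    "R2": {"category": "compliance", "desc": "Payments to sanctioned counterparties", "likelihood": 2, "impact": 5, "velocity": 4},
    "R3": {"category": "liquidity", "desc": "Missed early-payment discounts", "likelihood": 3, "impact": 2, "velocity": 1},
    "R4": {"category": "operational", "desc": "Unauthorized vendor master changes", "likelihood": 3, "impact": 4, "velocity": 3},
    "R5": {"category": "operational", "desc": "Invoice mis-coding to wrong cost centre", "likelihood": 4, "impact": 1, "velocity": 1},
}
# Risk responses: nature, periodicity, automation and the risks each one mitigates.
CONTROLS: Dict[str, dict] = {
    "C1": {"desc": "Three-way match before posting", "nature": "preventive", "periodicity": "daily", "automation": "systemic", "mitigates": ["R1", "R5"]},
    "C2": {"desc": "Sanctions screening of vendor master", "nature": "preventive", "periodicity": "daily", "automation": "systemic", "mitigates": ["R2"]},
    "C3": {"desc": "Segregation of duties on vendor master", "nature": "preventive", "periodicity": "continuous", "automation": "systemic", "mitigates": ["R4", "R1"]},
    "C4": {"desc": "Monthly duplicate-payment analytics", "nature": "detective", "periodicity": "monthly", "automation": "partly systemic", "mitigates": ["R1"]},
    "C5": {"desc": "Weekly discount-terms report", "nature": "detective", "periodicity": "weekly", "automation": "manual", "mitigates": ["R3"]},
}


def inherent_score(risk: dict) -> int:
    """Inherent risk score = likelihood x impact (velocity is only a tie-breaker)."""
    return risk["likelihood"] * risk["impact"]


def prioritize(risks: Dict[str, dict], top_n: int) -> List[str]:
    """Return the top_n risk ids that should drive the engagement objectives."""
    ranked = sorted(risks, key=lambda r: (-inherent_score(risks[r]), -risks[r]["velocity"], r))
    return ranked[:top_n]


def select_controls(controls: Dict[str, dict], target_risks: List[str]) -> Tuple[List[str], List[str]]:
    """Greedy selection: repeatedly pick the control that mitigates the most still-uncovered
    significant risks. Returns (controls to test, significant risks with no documented response)."""
    uncovered = set(target_risks)
    chosen: List[str] = []
    while uncovered:
        # max() returns the first control in matrix order on ties, so the result is deterministic
        best = max(controls, key=lambda c: len(uncovered & set(controls[c]["mitigates"])))
        covered = uncovered & set(controls[best]["mitigates"])
        if not covered:  # nothing left mitigates the remaining risks: a control-design gap
            break
        chosen.append(best)
        uncovered -= covered
    return chosen, sorted(uncovered)


if __name__ == "__main__":
    top = prioritize(RISKS, 3)
    tests, gaps = select_controls(CONTROLS, top)
    print("Engagement objectives cover:", top)
    print("Controls to test:", tests, "| design gaps:", gaps)
```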

The IIA provides detailed guidelines on the risk and control matrix in its Engagement Planning practice guide.

As the time and resources available for audit engagements are finite, an internal auditor usually cannot review all risks related to an activity during a single engagement. Preliminary risk assessment is therefore a vital step in planning an assurance audit engagement: it lets internal auditors prioritize risks and establish engagement objectives that cover the most important of them, which in turn allows the available resources to be allocated more efficiently. The risk and control matrix is a useful tool to perform and document the preliminary risk assessment.

Alexandra helped the company implement the risk and control matrix, allowing internal audit to prioritize and focus on the top risks during engagements. The move allowed the internal audit department to get back on schedule for the overall audit plan. And, at her next review, Alexandra got a promotion and a raise.


Eleftherios Tsintzas is the Deputy Audit Division Director at Alpha Bank Romania.
