The Difference between Risks and Issues:

In auditing, the terms “risk” and “issue” come up frequently. While I am no stranger to what each of these terms means, I have not thought too much about their context and, I fear, they have sometimes been used interchangeably. This is due to the close connection that risk and issue have and what they can mean to the business.

The term “risk” generally means that there is uncertainty about whether an event may arise that could negatively or positively affect the objective in question. An “issue” is something that has already happened that could hinder the success of the objective. Basically, one is something that could happen and the other is something that has already happened. Auditors tend to focus on the impact and forget to ask whether the event noted is indeed a risk, which has not occurred, or an actual issue.

One of the primary objectives of an internal audit is identifying whether the company is mitigating its risks by implementing “key” controls. Key controls are the main controls that reduce the risks that could arise during the process of business. For example, one key control is making sure that no single person can create an employee, input their time and pay the employee, because that combination could lead to a high risk of a single person fraudulently creating a fake employee and producing paychecks for this fake employee that they could then send to themselves. While this is an extreme example, this is the type of risk that internal auditors should be looking for.

However, sometimes internal auditors may blur the lines between risk and issue, such as identifying a minor risk and embellishing it to be a major issue. More often than not, senior management has also identified any risk that internal audit may identify and has determined whether the risk is worth mitigating or not; they may even perform something similar to a risk matrix. The risk matrix helps to identify whether a potential event that could adversely affect the company has a low to high probability of occurring and a low to high impact if it occurs. In general, something that is of high probability and high impact should be mitigated, whereas a risk that is of low probability and low impact may not be worth the cost it would take to mitigate. While senior managers know this and make decisions in the best interest of the company, sometimes auditors can get so caught up in risk that they automatically feel any risk that is not mitigated is an issue, even though the impact may be nil.

It would be beneficial for auditors to really look at the difference between risk and issue, as well as the likelihood that any risk may occur and the impact that any risk or issue may have or has had. They should look into these items and see whether they are a risk or issue that will substantially adversely affect the company, or events not worth mitigating because they have no or minimal impact. This is important so that auditors don’t “cry wolf” every time they see a very minor risk or issue arise, as this could adversely affect the credibility of the internal audit department and downplay any value it could have in providing insight into potential risks or substantial issues that it may see in the company’s internal processes.

Until next time.

CPack
