Auditing Best Practice

Data-Driven Continuous Risk Assessment: How Internal Audit Keeps Pace with the Speed of Business

by Joe Oringel

This Chapter Covers

  • We live in a connected world where the pace of change is accelerating.

  • New business initiatives, often supported by significant investments in new processes or new systems, are the norm.

  • Despite these changes, internal audit most often sets its audit plan only once each year, and input into the risk assessment is often based more on subjective interviews and/or survey data than objective, data-driven analysis.

  • Guidance is provided on how frequent risk assessment can be made the center of a modern, data-driven internal audit process.

Introduction: Professional Guidance on Risk Assessment

Professional standards issued by the Institute of Internal Auditors (IIA)1 require that a documented risk assessment be undertaken at least annually. In practice, this risk assessment results in the identification and prioritization of risks and a response (i.e. an internal audit plan) to measure and mitigate these risks. This process is documented in a written internal audit plan for the organization. Figure 1 shows the steps in the internal audit process.

The internal audit plan is then presented to senior management and the audit committee of an organization’s board of directors for approval, usually prior to or sometimes early in the (fiscal) year. Periodic status reports on any changes to the audit plan are provided to these key stakeholders, based on the results of audit projects and also on any changes to the risk assessment. An internal audit plan may be based on internal audit’s risk assessment or a broader enterprise risk assessment (see Appendix 1 for a comparison of enterprise risk management (ERM) and risk assessment by internal audit).

Statement of Problem

The strength of an annual audit plan can also be its weakness. As recently as 2007, most (64%) internal audit departments did not have a systematic process to update their audit plan more than once a year.3 Considering the dramatic pace of change in the world’s economy and the resulting impact on business and business strategies, this offers an opportunity for much improvement. A hockey metaphor seems appropriate: internal audit departments that do not systematically update their audit plan more frequently than annually are skating to where the puck used to be.

Components of a Risk Assessment: Units and Measures

The internal audit profession describes an audit universe, which is a master inventory of potential business processes, systems, activities and/or locations that could be audited in a given year or multiyear plan. Audit units within the audit universe are then ranked by relative risk to set the internal audit plan. Whether the audit units are business processes, systems, activities, or locations, the most common measures of risk for these audit units are likelihood (i.e. probability of occurrence) and impact (i.e. measure of loss, in terms of dollars, people, or reputational impact).

Measures of likelihood are often expressed as a percentage, but they can also be expressed in subjective, qualitative terms such as probable, possible, and unlikely. In either case, a recommended practice is to express the likelihood within a specific period of time, such as the current fiscal quarter, the fiscal year, or even the next five or 10 years, because a likelihood is only meaningful when it is tied to a specific time period.

Examples of likelihood measures that combine qualitative and quantitative measures are remote, possible, and probable, where each term is associated with the specific percentage likelihood within a one-year period. Remote would mean that an event has less than a 10% chance of occurrence in the next 12 months. Events that are possible are those that have a likelihood between 10% and 50% within the next 12 months, and those that are probable would have greater than a 50% likelihood of occurrence.

The most common measure of impact is financial loss. Some organizations specifically consider impact on reputation, or even potential loss of human life, as part of their assessment of impact. While subjective measures such as high, medium, and low are sometimes used, most organizations find that specific thresholds for increasing levels of impact help to facilitate more meaningful discussions of risk. Scales can vary from three-level (e.g. high, medium, low) to five-level (e.g. 1 to 5) or more. Specifying a dollar amount of loss within a time frame (e.g. the current fiscal year) is a recommended technique. So, setting $250,000 or less as low impact, $250,000 to $2,500,000 as medium impact, and more than $2,500,000 as high impact will help to ensure more consistent language and measurement with respect to potential impact.

Figure 2 is an example heat map that shows the relationship between likelihood and impact for risks and audit units using a five-point scale. The audit units represent different company locations by region.
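The likelihood and impact bands above, applied to a small audit universe and ranked for the audit plan, as an added example that is not part of the original chapter. The band labels, the treatment of exactly $250,000 as low (the chapter lists it under both low and medium), the tie-break rule and the sample audit units are all assumptions made here; the chapter's Figure 2 uses a five-point scale, whereas this code uses the three bands the text defines.

```python
from dataclasses import dataclass

# Band labels from lowest to highest risk; index + 1 is the heat-map axis value (1..3).
LIKELIHOOD_BANDS = ("remote", "possible", "probable")
IMPACT_BANDS = ("low", "medium", "high")

@dataclass(frozen=True)
class AuditUnit:
    name: str
    likelihood_12m: float  # probability of a loss event in the next 12 months
    impact_usd: float      # potential loss in the current fiscal year, dollars

def likelihood_band(p: float) -> str:
    """Chapter's bands over 12 months: remote < 10%, possible 10%-50%, probable > 50%."""
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"likelihood must be a probability in [0, 1], got {p}")
    if p < 0.10:
        return "remote"
    return "possible" if p <= 0.50 else "probable"

def impact_band(usd: float) -> str:
    """Chapter's bands: low <= $250k, medium $250k-$2.5M, high > $2.5M.
    The chapter puts $250,000 in both low and medium; it is treated as low here (assumption)."""
    if usd < 0:
        raise ValueError("impact cannot be negative")
    if usd <= 250_000:
        return "low"
    return "medium" if usd <= 2_500_000 else "high"

def heat_map_cell(unit: AuditUnit) -> tuple:
    """(likelihood axis, impact axis), each 1..3, for placing the unit on a heat map."""
    return (LIKELIHOOD_BANDS.index(likelihood_band(unit.likelihood_12m)) + 1,
            IMPACT_BANDS.index(impact_band(unit.impact_usd)) + 1)

def rank_audit_universe(units):
    """Highest risk first: product of the two axes; ties broken by impact axis, then dollars,
    so a remote-but-high-impact unit ranks above a probable-but-low-impact one (assumption)."""
    def key(u):
        lik, imp = heat_map_cell(u)
        return (lik * imp, imp, u.impact_usd)
    return sorted(units, key=key, reverse=True)

# Constructed sample audit universe (regional locations, as in the chapter's Figure 2).
SAMPLE_UNIVERSE = [
    AuditUnit("EMEA payroll", 0.05, 3_000_000),         # remote x high     -> 1*3 = 3
    AuditUnit("APAC procurement", 0.30, 250_000),       # possible x low    -> 2*1 = 2
    AuditUnit("Americas treasury", 0.60, 800_000),      # probable x medium -> 3*2 = 6
    AuditUnit("LATAM branch expenses", 0.12, 120_000),  # possible x low    -> 2*1 = 2
]
```

Re-running `rank_audit_universe` whenever a unit's likelihood or impact estimate changes is the mechanical core of the frequent, data-driven reassessment the chapter argues for.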


Further reading

Articles, Guidance, etc.

  • Committee of Sponsoring Organizations of the Treadway Commission (COSO)
  • Information Systems Audit and Control Association
  • Institute of Internal Auditors