Risk management is the process a company goes through to identify, assess and prioritize risks. During a risk management audit, the company will employ either an internal or external individual to review the risk management steps a company has taken. Auditors will review specific risk management plans to ensure they are relevant, timely and effective. Companies will use audits as part of the risk management process to ensure the plan or procedures do not go stale if not used frequently.
Separating the risk management function from the risk management audit allows a company to have a second pair of eyes to review risk management plans. This also creates a natural segregation of duties within the company. Segregating duties ensures that one employee does not have too much responsibility or control over an internal business function. Another advantage of this separation is that multiple employees have knowledge of the company’s risk management plan, so the absence of one employee does not in itself create a risk within the organization.
Using an external auditor for the risk management audit can further enhance this process to ensure the company has created an adequate plan for risk management. Companies in some industries may also benefit from an external auditor’s knowledge of an industry and ability to offer suggestions for overhauling the risk management plan. Companies needing certification from an outside agency will also benefit from an external risk management audit. For example, businesses seeking funds from banks or lenders may need to provide an auditor’s statement that details the company’s plan for managing and avoiding risk.
The risk management audit process will typically follow a few basic steps, although audits are usually individual to each company. The audit will start with a meeting to discuss the audit scope and determine which risks the company’s management team believes are most dangerous to the company. After this initial meeting, auditors will devise a written plan that covers how a sample will be selected and which testing methods will be used to determine how effective the company’s risk management plan seems to be when compared to the possibility of each risk.
Conducting an audit is typically not a frequent process. Audits are both lengthy and expensive, two significant drawbacks of the process. Most companies conduct an informal review of their risk management plan internally. Formal audits are an annual or semi-annual occurrence that allows the company to undergo a thorough review. Most of the time, this audit will be separate from the company’s financial audit, as the procedures are different for each type of audit.