Core Risk Concepts
| Concept | Definition | Audit Relevance |
|---|---|---|
| Inherent Risk | The level of risk before any controls are applied | Determines the natural risk exposure of an activity or process |
| Control Risk | The risk that existing controls fail to prevent or detect a material error or fraud | Assessed by evaluating control design and operating effectiveness |
| Residual Risk | The remaining risk after controls have been applied: Inherent Risk – Control Effectiveness | The actual risk faced by the organization; what the board relies on management to manage |
| Risk Appetite | The level of risk the organization is willing to accept in pursuit of its objectives | Determines which residual risks are acceptable and which require additional controls or audit attention |
| Risk Tolerance | The acceptable variation around a risk appetite — the operational range | Used to assess whether actual risk levels fall within acceptable boundaries |
Building the Risk-Based Audit Universe
The audit universe is the complete catalogue of all auditable entities — every process, system, business unit, subsidiary, project, and activity within the scope of internal audit. Building the audit universe is the prerequisite to risk-ranking and audit planning.
- Identify all auditable entities: Revenue processes, expenditure processes, HR and payroll, IT systems, treasury, compliance functions, operations, contracts, projects
- Gather risk information: Prior audit findings, management risk assessments, regulatory reports, industry benchmarks, internal loss events
- Score each entity on risk dimensions: Financial impact, regulatory risk, reputational risk, operational risk, fraud risk, change risk
- Calculate a composite risk score for each auditable entity
- Rank the universe from highest to lowest risk
- Allocate audit resources proportionate to risk ranking
Risk Assessment Dimensions — A Practical Scoring Model
| Dimension | High (3) | Medium (2) | Low (1) |
|---|---|---|---|
| Financial Exposure | >₦100M | ₦10M–₦100M | <₦10M |
| Regulatory Risk | CBN/SEC regulated; enforcement history | Some regulatory oversight | No direct regulation |
| Change Level | Major system or process change in period | Moderate changes | Stable, unchanged |
| Prior Audit Findings | Significant unresolved findings | Minor findings resolved | Clean history |
| Fraud Risk | High cash/asset handling, known red flags | Some exposure | Minimal exposure |
| Control Maturity | Weak or untested controls | Adequate but not tested | Strong, independently verified |
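One way to carry the scoring, composite ranking and resource-allocation steps above into working code (an added example, not from the original page): the 3/2/1 scale and the naira bands come from the table, while the equal weighting of the six dimensions, the dictionary key names, the largest-remainder split of audit hours and the sample universe are assumptions made here.

```python
# Rating scale from the scoring model: High = 3, Medium = 2, Low = 1.
# For Control Maturity the "high" rating means weak/untested controls (highest risk).
RATING = {"high": 3, "medium": 2, "low": 1}

# Dimensions rated qualitatively; these key names are assumptions for this example.
QUALITATIVE = ("regulatory_risk", "change_level", "prior_findings",
               "fraud_risk", "control_maturity")


def score_financial_exposure(naira: float) -> int:
    """Map naira exposure to the table's bands: >100M = 3, 10M-100M = 2, <10M = 1."""
    if naira > 100_000_000:
        return 3
    if naira >= 10_000_000:  # band edges treated as inclusive (assumption)
        return 2
    return 1


def composite_score(entity: dict) -> int:
    """Unweighted sum of the six dimension scores (equal weighting is an assumption)."""
    total = score_financial_exposure(entity["financial_exposure"])
    for dim in QUALITATIVE:
        total += RATING[entity[dim].lower()]
    return total


def rank_universe(universe: dict) -> list:
    """(name, score) pairs from highest to lowest composite risk; ties broken by name."""
    scored = [(name, composite_score(e)) for name, e in universe.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def allocate_hours(ranked: list, budget_hours: int) -> dict:
    """Split an audit-hour budget in proportion to composite score.
    Largest-remainder rounding keeps the allocations summing to the budget."""
    total = sum(score for _, score in ranked)
    raw = {name: budget_hours * score / total for name, score in ranked}
    hours = {name: int(v) for name, v in raw.items()}
    leftover = budget_hours - sum(hours.values())
    by_fraction = sorted(raw.items(), key=lambda kv: kv[1] - int(kv[1]), reverse=True)
    for name, _ in by_fraction[:leftover]:
        hours[name] += 1
    return hours


# Constructed sample audit universe (illustrative values, not real data).
UNIVERSE = {
    "Treasury": {"financial_exposure": 250_000_000, "regulatory_risk": "high", "change_level": "medium",
                 "prior_findings": "high", "fraud_risk": "high", "control_maturity": "medium"},
    "Payroll": {"financial_exposure": 40_000_000, "regulatory_risk": "medium", "change_level": "high",
                "prior_findings": "low", "fraud_risk": "medium", "control_maturity": "medium"},
    "Facilities": {"financial_exposure": 5_000_000, "regulatory_risk": "low", "change_level": "low",
                   "prior_findings": "low", "fraud_risk": "low", "control_maturity": "low"},
}

if __name__ == "__main__":
    ranked = rank_universe(UNIVERSE)
    hours = allocate_hours(ranked, budget_hours=1000)
    for name, score in ranked:
        print(f"{name:<12} composite={score:>2}  audit hours={hours[name]}")
```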
Continuous Risk Assessment
The audit plan is not static. Risk-based auditing requires continuous monitoring of the risk environment and willingness to adjust the plan when significant new risks emerge. Events that should trigger audit plan reconsideration include:
- Major organizational restructuring or leadership changes
- Significant system implementations or migrations
- Regulatory changes or new enforcement actions in the sector
- Whistleblower allegations or unexplained financial anomalies
- Significant economic events affecting the operating environment
Key Takeaway
Risk-based auditing is the difference between an audit function that covers the organization and one that protects it. By allocating resources systematically based on risk, internal audit can provide the board and audit committee with meaningful assurance that the organization's most significant exposures are being monitored, tested, and reported on — not just the areas that are easiest or most comfortable to audit.