Companies are exposed to a variety of potential risks, which must be managed to limit the company's liability. Risk management might involve taking steps to secure data against attackers, requiring safety equipment for employees or engaging external auditors to ascertain whether the company has sufficient internal controls to prevent financial loss. Managers sometimes hire outsiders to assess the company's risks, but many rely on internal risk assessors to advise on areas of potential exposure to liability. Because both kinds of work produce a written document, the two are easily confused; the two primary differences between a risk audit report and a risk assessment review are typically the timing and the authorship of the documents.
Timing of a Risk Assessment Review
A risk assessment review can be conducted at any time, or a company might have a team or committee that reviews risks on an ongoing basis. A risk assessment might focus on a single department, such as information technology, or on a single site, such as a remote location that stores sensitive personal data about clients. The review is less concerned with whether the company complies with all of its established internal controls; it focuses instead on the areas that might expose the company to a financial loss.
Timing of a Risk Audit Report
A risk audit report is typically issued after a formal audit. Auditors examine whether internal controls are in place and sufficient to reduce the company's exposure to potential loss. In addition, auditors examine the financial statements, looking for any indication of a material misstatement of the company's assets or liabilities, or of its statements regarding projected growth or pending lawsuits. Formal audits are typically conducted on an annual basis or as part of the due-diligence process when a company is bought or sold.
Authorship of a Risk Assessment Review
The risk assessment review might be authored by an employee of the company, by a contractor hired to perform the assessment or by the company's auditing firm. Risk assessments go to the board of directors or the chief executive, who in turn take the appropriate actions. Although the auditors should receive copies of these reviews, there is no guarantee that external auditors will see them or that the information they contain will be reflected in the company's filings.
Authorship of a Risk Audit Report
Risk audit reports are prepared by the company's auditors, who are almost always external auditors rather than company employees. Auditors prepare the report based on their findings after a careful examination of the company's controls, financial statements, compliance with laws and regulations and other data. The report details the company's risk, as determined by the auditors' review, and also the risk that the audit itself could be materially incorrect. A risk audit report, therefore, might include not only an evaluation of the chances that the company will fail to achieve its goals, but also a statement indicating whether the auditors are satisfied that they were given sufficient information to reach a conclusion.