Considering internal control maturity when defining an audit response

 

Traditional audit plans are often driven by the overall inherent levels of risk exposure without considering the perceived level of maturity of internal control. As a result, audit findings often highlight issues that management was already aware of. In these cases, management often considers internal audits a non-value-adding activity.

Leading internal audit functions consider internal control maturity when determining an appropriate response for the significant risks to the business. The picture below summarizes four response strategies:

►High inherent risk exposures with low levels of control require an audit response focused on improving internal controls through, for example, internal audit advice and/or assessment of improvement plans.

►High inherent risk exposures where controls are asserted by management to be adequate require a response focused on gaining assurance that controls continue to operate as designed and that risk is properly managed.

►Low inherent risk exposures that also have a low level of control may be consciously accepted by management, but the development of the risk level must be monitored.

►Low inherent risk exposures with a high level of control are consciously accepted by the organization and in some instances may generate opportunities to increase process efficiencies.