A common management technique in the internal audit department is to review the same risk areas year after year. Doing so focuses attention on the areas that could trigger major problems for a company and therefore deserve ongoing attention. However, the risk profile of a business changes over time, as the nature of its operations and the general business environment change. Consequently, simply copying the audit program from the year before is not always good management.
A better approach to dealing with the risk profile of a business is to create a control assessment of the business and then update it at regular intervals. The assessment should highlight changes in the business since the last assessment and how these changes could affect the system of controls currently in place. If the company has disparate divisions, it may make more sense to create this assessment at the business unit level.
Whenever the control assessment is updated, the internal audit manager should review it with senior management and/or members of the audit committee, so that these people are aware of recent or upcoming control issues, as well as how these issues may be resolved. The document can also be used within the internal audit department as the basis for changes to audit programs.
A high-quality control assessment should require a considerable amount of time to create and update, but its impact is substantial enough to justify the cost. The report is also useful for increasing the general knowledge of the control environment of a business, and the risks that certain controls are designed to detect and/or mitigate.