Many teams scramble when an internal audit is announced, rushing to update stale risk registers and locate control evidence. This reactive approach leads to stress, incomplete information, and unfavorable audit findings. With proper preparation, audits become an opportunity to demonstrate effective risk management.


What You'll Achieve

By the end of this tutorial, you will have an audit-ready risk register with complete documentation, gathered control evidence, and prepared responses to common auditor questions.

Step 1: Understand What Auditors Assess

Knowing what internal auditors look for helps you prepare effectively. Auditors typically evaluate three areas:

1. Design Effectiveness

Is your risk management framework properly designed?

  • Are risk identification methods comprehensive?
  • Is the scoring methodology appropriate and documented?
  • Are controls mapped to risks?
  • Is ownership clearly assigned?

2. Operating Effectiveness

Is the framework being followed in practice?

  • Are reviews happening as scheduled?
  • Are controls actually operating?
  • Are action items being completed?
  • Is the register current?

3. Risk Coverage

Does the register capture material risks?

  • Are all key risk areas represented?
  • Are emerging risks being identified?
  • Does prioritization align with business reality?

Step 2: Verify Risk Register Completeness

A complete risk register has all required fields populated with current information. Auditors will notice gaps.

Required Fields Checklist

For each risk, verify you have:

  • Risk ID: Unique identifier
  • Description: Clear cause, event, and consequence
  • Category: Appropriate classification
  • Likelihood score: Current, with rationale
  • Impact score: Current, with rationale
  • Risk score: Calculated correctly
  • Owner: Named individual, not just a role
  • Controls: Existing mitigations listed
  • Treatment actions: Plans for unacceptable risks
  • Last review date: Recent and appropriate
  • Status: Current state

Inherent vs Residual Risk

If your methodology includes inherent and residual risk, ensure both are documented. The gap between them demonstrates control value.

Example: Completeness Check

Before: Risk R-2024-015 shows Impact: 4, but Likelihood is blank. Owner is "Finance Department."

After: Likelihood added (3, with rationale). Owner changed to "Sarah Chen, VP Finance."
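The Step 2 checklist can be applied mechanically to every row before the auditor does. The following is an added example, not code from the original tutorial; it assumes register rows are dicts keyed by the checklist fields, that risk score equals likelihood times impact (the page states no formula), that an owner string containing a department or role word is not a named individual (a heuristic), and that "recent" means within 90 days of an as-of date.

```python
"""Completeness check for a risk register, following the Step 2 checklist.
Added example, not part of the original tutorial. Assumptions: rows are dicts
keyed by the field names in REQUIRED_FIELDS; risk score = likelihood x impact
(the page states no formula); an owner containing a department/role word is
not a named person (a heuristic); "recent" = within REVIEW_WINDOW_DAYS.
"""
from datetime import date, timedelta

REQUIRED_FIELDS = ["risk_id", "description", "category", "likelihood", "impact", "risk_score",
                   "owner", "controls", "treatment_actions", "last_review", "status"]
ROLE_WORDS = {"department", "team", "function", "committee", "group", "role"}
REVIEW_WINDOW_DAYS = 90  # assumption: what "recent" means for this register


def check_risk(risk: dict, as_of: date) -> list[str]:
    """Return findings for one row; an empty list means the row is complete."""
    findings = [f"{f} is blank" for f in REQUIRED_FIELDS if risk.get(f) in (None, "", [])]
    lk, im, score = risk.get("likelihood"), risk.get("impact"), risk.get("risk_score")
    if None not in (lk, im, score) and score != lk * im:  # score must match its inputs
        findings.append(f"risk_score {score} != likelihood*impact ({lk * im})")
    owner = (risk.get("owner") or "").lower().split()
    if owner and (len(owner) < 2 or ROLE_WORDS & set(owner)):  # role, not a person
        findings.append(f"owner '{risk['owner']}' is a role, not a named individual")
    last = risk.get("last_review")
    if last and as_of - last > timedelta(days=REVIEW_WINDOW_DAYS):  # stale review
        findings.append(f"last_review {last} is older than {REVIEW_WINDOW_DAYS} days")
    return findings


def audit_register(rows: list[dict], as_of: date) -> dict[str, list[str]]:
    """Check every row and also flag risk IDs that are not unique."""
    report, seen = {}, set()
    for row in rows:
        rid = row.get("risk_id") or "<no id>"
        findings = check_risk(row, as_of)
        if rid in seen:
            findings.append(f"risk_id {rid} is not unique")
        seen.add(rid)
        report[rid] = report.get(rid, []) + findings
    return report


AS_OF = date(2024, 11, 15)  # constructed; rows below mirror the page's before/after for R-2024-015
BEFORE = {"risk_id": "R-2024-015", "description": "Late close misstates quarterly figures",
          "category": "Financial reporting", "likelihood": None, "impact": 4, "risk_score": None,
          "owner": "Finance Department", "controls": ["Close checklist"], "status": "Open",
          "treatment_actions": ["Automate reconciliations"], "last_review": date(2024, 3, 1)}
AFTER = dict(BEFORE, likelihood=3, risk_score=12, owner="Sarah Chen, VP Finance",
             last_review=date(2024, 11, 1))
```

Calling check_risk(BEFORE, AS_OF) returns four findings (blank likelihood, blank risk score, role-based owner, stale review date); check_risk(AFTER, AS_OF) returns none.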

Step 3: Gather Control Evidence

Auditors will test whether controls are working. Prepare evidence in advance.

Types of Control Evidence

Control Type            Evidence Examples
Approvals               Signed approval forms, email trails, system logs
Reviews                 Meeting minutes, sign-off documents, review checklists
Segregation of duties   Access permissions, role assignments
System controls         Configuration screenshots, audit logs
Training                Attendance records, completion certificates
Monitoring              Dashboards, exception reports, KRI data

Evidence Organization

Create a folder structure that maps to your risk register:

  • By risk ID: /Evidence/R-2024-015/
  • By control: /Evidence/Controls/Approval-Process/
  • By time period: /Evidence/Q4-2024/

Evidence Must Be Current

Evidence from two years ago doesn't prove the control is working today. Gather recent examples—typically from the past 3-6 months—to demonstrate ongoing operation.

Step 4: Document Methodology

Auditors need to understand how you assess risks. Document your methodology clearly.

What to Document

  • Scoring scales: Definitions for each likelihood and impact level
  • Score thresholds: What scores trigger what actions
  • Review frequencies: How often risks are reviewed by level
  • Escalation criteria: When and how risks are escalated
  • Roles and responsibilities: Who does what in the risk process

Reference Documents

Have these available for auditors:

  • Risk management policy or framework document
  • Risk appetite statement (if applicable)
  • Scale definitions with calibration examples
  • Process documentation or procedures

Step 5: Review Action Item Status

Overdue action items are a common audit finding. Address them before the audit.

Action Status Categories

  • Completed: Document completion date and evidence
  • On track: Update expected completion date
  • Delayed: Document reason and revised timeline
  • Cancelled: Explain why and document approval

Address Overdue Items

For each overdue action:

  1. Determine root cause of delay
  2. Assess if the action is still relevant
  3. Set realistic new timeline
  4. Escalate if resources are needed
  5. Document the delay and new plan

Honesty About Delays

Auditors understand that timelines slip. What matters is that you've acknowledged delays, understand why they occurred, and have a realistic plan. Hiding overdue items is worse than explaining them.

Step 6: Prepare for Questions

Anticipate what auditors will ask and prepare thoughtful responses.

Common Auditor Questions

Question Bank

About the Register

  • "How do you identify new risks?"
  • "Who decides what risks are included?"
  • "How often is this reviewed?"
  • "Why is this risk rated High rather than Critical?"

About Controls

  • "How do you know this control is working?"
  • "Who is responsible for this control?"
  • "When was this control last tested?"
  • "What would happen if this control failed?"

About Treatment Actions

  • "Why is this action overdue?"
  • "Who approved this timeline extension?"
  • "How will you know when this is complete?"

Prepare Risk Owners

Auditors may interview risk owners directly. Ensure they can:

  • Explain their risks clearly
  • Describe controls and their effectiveness
  • Discuss treatment progress
  • Articulate how they monitor for changes

Common Mistakes to Avoid

1. Last-Minute Updates

Rushing to update the register right before an audit creates inconsistencies and raises questions about why changes weren't made earlier.

2. Missing Evidence

Claiming controls exist without evidence to support them results in audit findings. If you can't prove it, auditors assume it's not happening.

3. Outdated Ownership

Risk owners who have changed roles or left the organization create confusion. Keep ownership current.

4. Unexplained Score Changes

Scores that change without documented rationale look arbitrary. Always record why ratings changed.

5. Defensive Responses

Auditors are there to help improve risk management. Being defensive or dismissive creates adversarial dynamics. Engage constructively.

Key Takeaways

Summary

  • Understand that auditors assess design effectiveness, operating effectiveness, and risk coverage
  • Verify all required fields are complete and current
  • Gather recent evidence for each control
  • Document your risk assessment methodology
  • Address overdue actions before the audit
  • Prepare risk owners to answer auditor questions

Outcome Checklist

Before the audit begins, confirm:

  • All risk register fields are complete
  • Scores have documented rationale
  • Ownership is current (named individuals)
  • Control evidence is gathered and organized
  • Methodology documentation is available
  • Overdue actions are addressed or explained
  • Risk owners are prepared for interviews
  • Recent review dates are documented