Risk registers can be a useful resource for internal auditors. They can give us clear insight into the risks prevalent in our auditing environment. As most of our clients exist within the same field, that of education, we can use this information to identify the most pressing risks within the field. While it is important not to neglect risks which may not have been highlighted, we can give our clients greater assurance by addressing the issues they have already self-identified as having the biggest impact on them collectively. Depending on how thoroughly the registers are completed, they can also give us insight into why potential gaps or risks exist and the controls already in place to mitigate them and their impacts.
By looking at the information held in these registers we can also identify upcoming risks which we may not have focused attention on previously. In short, we can use these risk registers as guides to the major concerns of our clients and help tailor our support to have the greatest influence on the achievement of their objectives.
It is important to remember that risk registers are individual documents for use by our clients. As such, they are not created for comparison. There are no rules which risk registers must abide by, which creates a varied spectrum. From the twenty-one we looked at, we were able to see that a vast array of information can be included. Though there were no specifics common to all clients in our sample, we can still extract useful information. Most of the clients do subscribe to rating their risks as low, medium, or high, though for some there is more of a sliding scale with additional subcategories in between, and in one case that we looked at, risks were given no ratings.
The average number of risks per register was 27.8; these can be broken down in the below fashion.
The number of risks input into the registers differed vastly, as the above chart shows. The lowest number of risks entered on any of these registers was 4 and the highest was 73. The way in which clients rate their risks is also vastly different, with three clients not labelling any risks as high, two not rating any as medium and eight not rating any as low.
From this information it may not seem as if there is much to compare across these registers, but we were able to identify five top risks that are affecting our clients.
The top risk faced by all our clients was Finance, specifically failing to be able to generate adequate funding. This risk was mentioned in every one of the twenty-one registers.
The next most frequently appearing risk was Staff Recruitment, the failure to be able to hire the appropriate staff for the positions. This is something which has often been reflected in conversations with clients during audits, with them struggling to appeal to the best candidates. This risk appeared in eighteen out of twenty-one registers we compared.
IT security was a high risk, appearing on seventeen of the twenty-one registers. The danger of cyber-attacks was registered in a variety of ways. Entries often listed various outcomes of a cyber-attack, such as learners' data being leaked and the reputational damage this might cause, as well as related causes, such as not having the income available to maintain and update the IT equipment needed to protect against cyber-attacks.
Learner recruitment also featured prominently, appearing in sixteen risk registers. It should be pointed out that even though this risk did not appear the most times out of the most common risks, it was rated as a high risk the greatest number of times. As learner funding is the biggest income for our clients, these numbers directly affect their economic survival. This is made even more complicated because the funding for a learner is received the year after the learner has enrolled, so over-enrolment can be an issue: the client may not be able to provide full services to a significantly increased number of learners.
The final most common risk from the twenty-one registers is Ofsted, appearing on sixteen of the risk registers. An Ofsted rating can have huge consequences for our clients, affecting their long-term reputation and ability to encourage learners to apply.
From these comparisons we can see the areas which most concern our clients. What we do with this information is important. While we should not allow data such as this to blind us to other areas, and should still try to consider risks that our clients may not have been aware of or seen the dangers in, we can use this information to guide us to audits which we can consider planning for the future.
We can use clients’ own risk registers to assist in justifying why certain audits might be of greater benefit to them, or why they may wish to consider a more thorough audit in certain areas. We can ensure that we are not allowing high-risk areas to go uncovered, helping our clients create more robust controls against these risks, as well as testing the controls they have in place to ensure they are fit for purpose. We can also help to develop long-term solutions that have real impact on the ability of our clients to deliver their services and meet their goals.