What Your Auditor Looks for in Your Risk Management Process


12 Jul 2023

What your auditor looks for

TrustCloud teamed up with Dansa D’Arata Soucia on our Risk Rodeo webinar, to discuss everything you need to know to wrangle up risks with confidence. 

Our panelists weighed in on the four things that auditors look for in risk management processes:

  • Clear Process
  • Documentation & Monitoring
  • Rationalization Over Time
  • Executive Responsibility

Read on to see what they had to say, or check out their conversation on Youtube.

Meet our subject matter experts

Taylor Gavigan has experience in assurance, attestation, and consulting services for small to middle-market organizations. He has deep experience in System and Organization Control (SOC) 1 and 2 examinations, ISO 27001 internal audits, NIST CSF/800-53/800-171 assessments, and compliance examinations related to regulations such as HIPAA, GDPR, and CCPA.

Satya Moutairou is a Compliance Director at TrustCloud, is responsible for designing and developing controls to address various security standards and frameworks and assist TrustCloud’s customers in their journey to compliance. Satya was previously an auditor at Schellman and PwC. 

Molly Mullinger is a Director of Product Solutions at TrustCloud. Molly has spent her career developing GRC solutions to meet client needs, with prior experience at AuditBoard and EY. 

A Clear Process

Identify Stakeholders & Risk Owners

The initial step is to identify the stakeholders or risk owners. Once identified, you can proceed to establish a policy or procedure and adopt a suitable risk program framework. It is crucial to effectively communicate this framework throughout the organization, ensuring transparency and awareness among all members. 

Execution of the Risk Management Process

It is essential to start with an inventory list that identifies all hardware, software, information, and other assets that could be threatened. Failing to recognize and protect all these assets can be challenging and may leave vulnerabilities in the organization. Then, a comprehensive risk assessment must be performed along with the creation of a risk register. 

Many organizations face difficulties in maintaining an updated inventory while conducting regular risk assessments. The process involves identifying risks, assessing assets, measuring the likelihood and impact of risks, and determining the need for implementing controls to mitigate risks to an acceptable level. This decision-making process considers resource availability and priority. Auditors examine whether management has given due consideration to these factors and had thorough discussions. 

Documentation & Monitoring 

After deciding on the implementation, it is crucial to ensure proper execution and monitoring of the controls. This moves the focus from risk assessment to risk management, where the effectiveness and operation of the controls are regularly monitored. Clear communication within the organization regarding control responsibilities is essential, ensuring everyone is aware of their role in operating and maintaining the controls.

Additionally, auditors value proper documentation as evidence of implementation. Having tangible proof or records is essential for verification and evaluation.

Rationalization Over Time

The more risk reporting, the better

Depending on the organizational structure, it is important to report and communicate the risk management efforts on an annual basis. For larger enterprises with a board of directors overseeing operations, they should receive a comprehensive report card detailing the actions taken to mitigate risks and provide insights into what to anticipate in the upcoming year or as the company undergoes significant changes. 

However, it is worth noting that risk assessment and reporting need not be limited to an annual occurrence. It can be conducted quarterly or triggered by substantial company changes. In fact, from an auditor’s POV, it is highly favorable to observe organizations conducting multiple risk assessments throughout the year, demonstrating their proactive approach. While it may be rare for an organization to perform five or six risk assessments annually, the more frequent assessments, conducted with genuine intent, the better.

Risk management doesn’t have to be hard. With TrustCloud’s predictive risk management tool that continuously monitors, identifies risks, and provides revenue impact reports, you can feel assured knowing you constantly have a pulse on your org’s state and health.


Risk management is a continuous process

Auditors simply cannot simply take your word for it. They require reasonable assurance that risk management is being conducted correctly. Often, companies mistakenly focus on meeting the minimum requirement of an annual frequency, failing to recognize the true value that risk management can bring to their organization. 

Risk management should be a continuous process, integrated into every aspect of the business. When it becomes automatic and ingrained in daily operations, the need for extensive documentation diminishes because it becomes a natural part of what you do. Some companies conduct risk assessments multiple times a year, as they understand that new risks emerge constantly. 

As you develop a mitigation plan, it may involve multiple steps, and you may complete some of those steps while others are still pending. This necessitates revisiting the risk register and potentially updating the plan as circumstances change. For example, if you were using JavaScript, which had vulnerabilities that have since been addressed, you may need to update your mitigation strategy. 

If risk management is a part of your daily routine, satisfying auditors and regulatory bodies becomes effortless because the evidence they seek already exists. Instead of scrambling at the last minute, you will have the necessary documentation readily available. 

Executive Responsibility

Teamwork makes the dream work

For smaller organizations and those experiencing growth or significant changes, such as mass hiring or layoffs, these events should serve as triggers for reassessing risks and impact on the organization. Even if you recently conducted your annual risk assessment, it would be prudent to conduct another one in response to such events. 

Similarly, larger enterprises undergoing processes like acquisitions, mergers, or leadership changes, such as turnover in CEO, CFO, or other key positions, should also consider these as triggering events for conducting more frequent risk assessments. 

While some events may be planned and anticipated, unexpected circumstances require more frequent assessments than just an annual basis. Every individual within the organization carries some level of responsibility, whether it involves implementation, monitoring, or designing risk management processes. It is crucial for everyone who has a vested interest in the company’s success, including the CEO and other executives, to be involved in these efforts. Their involvement not only creates a sense of accountability but also fosters a shared goal among the entire team. 

While risk management may not always be seen as glamorous compared to sales or marketing, its impact is undeniable and its significance should not be overlooked.

More resources around Risk Management