Internal audit should have a plan for the work it will do, and by now we all know that the audit plan should be continuously updated. It should be designed to address the more significant risks to the enterprise and its success.
Management should have an enterprise risk management (ERM) program that helps it identify and anticipate all the things that might happen (both risks and opportunities) that might affect the achievement of the organization's objectives and its success. That information enables management to make the necessary informed and intelligent tactical and strategic decisions.
While there is synergy between the two, it is not 100%.
Internal audit should try to take advantage of the work management and the CRO have done. But first it must audit their ERM program to ensure it is reliable.
Assuming it is reliable (meeting the needs of the organization, not just a compliance activity), it should provide the audit team with valuable information about management’s view of threats and opportunities.
The Role of Internal Audit
The audit team doesn’t simply take those same top risks and opportunities and slot related audits into the audit plan. It has to do at least these two things:
- Determine whether any assurance, advice and insight from internal audit on those top risks and opportunities would be of value to top management and the board. Would there be a satisfactory ROI on the cost of the audit? I have discussed this in earlier blog posts. For example, if there is already a high-powered initiative to address the risk, an audit engagement might not add sufficient extra value.
- Identify the root causes or drivers of the risk or opportunity. This should help determine where and how an audit should be performed. An audit is usually focused at a more granular level than what is reflected in the ERM program. For example, at Solectron one of our greatest sources of risk was our ability to source critical components of the necessary quality, to be delivered on time, at a low cost. We had more than 100 factories and we needed to decide which locations and which (if any) corporate functions to include in the scope. I selected four factories on three continents and the corporate materials sourcing department. The team performed four consecutive audits, each with its own audit report, followed by a report with an overall assessment and insights.
But there is one more very important point to be made.
The ERM program assumes that the controls relied upon to manage risks and assure opportunities are functioning as needed.
That is not always reality.
In fact, one of the values of internal audit is to tell management when those controls are not working, almost always surprising leadership.
Inherent Risk vs. Control Risk
I am not a big fan of the term ‘inherent risk’ because it is often defined as the level of risk in the absence of controls. (There are other definitions, especially when talking about the risk of a material misstatement of the financials, but let’s stay with this one.)
The best argument against the term is that it is highly unlikely that all related controls will fail. But there remains a possibility that one or more controls will not perform consistently as required to maintain risk at desired levels or better.
The possibilities of one or more controls failing and the range of effects of such control failures represent what I call "control risk."
What this means is that even though management may assume that a risk is low because of its related controls and procedures, there is no certainty that the latter are:
- Adequately designed to address the risk, and
- Operating consistently and effectively as designed.
An Example From Brisbane City Council
I wrote about the approach Andrew MacLeod used to develop the audit plan as CAE for Brisbane City Council in "Auditing that Matters."
He starts with the level of (current) risk defined in the enterprise risk assessment. But then he considers the likelihood that the controls relied upon to manage risk at that level might fail.
Sources and indicators of control risk might include:
- A history of control failures, especially those detected in prior audits
- Inexperienced process and control owners
- Changes to systems
- Concerns about management and their supervision of the work performed
- Changes to the business, especially if there is high volatility
- … and so on.
MacLeod would also consider other factors in his assessment of the likelihood that controls might fail. An example would be the time since the last audit of related controls.
The table below illustrates my interpretation of the Brisbane City Council approach.
Table columns: Effect of Controls; Confidence in Controls; Adjusted Effect of Controls; Adjusted Residual Risk
The first column shows the level of inherent risk. Customer Credit rates highest of the three in the example, followed by Inventory Valuation and Investments.
The second column shows the level of residual risk, with the third column representing the effect of controls. For example, inherent risk for Customer Credit is assessed as 300, but if the controls over Customer Credit are working as they should, the level of risk (i.e., residual risk) is reduced to 50.
Taking multiple factors (such as discussed above) into account, internal audit determines how confident they are that the controls are in fact operating effectively as desired. (This is not as quantitative as it looks. The 90% confidence level for Customer Credit is very much a matter of judgment and experience.)
Based on that, internal audit calculates an adjusted value for controls and, accordingly, for residual risk.
For Customer Credit, the 90% confidence level (or 10% lack of confidence) reduces the effect of controls from 250 to 225. Audit’s adjusted residual risk changes from 50 to 75.
Looking at all three areas of risk, this model has changed the risk priority. Customer Credit has moved from first to third.
Prioritizing Audit Projects
I develop a prioritized list of potential audit projects based on a combination of a) where I can add value to what management and the board consider to be the top risks and opportunities facing the organization (which tends to assume controls are present and functioning), and b) an analysis like MacLeod's.
I don’t commit to any timeframe beyond three months for performing any of the projects on the list, because business conditions, risks and opportunities are changing all the time.
In a fluid environment, my commitment is not to performing these audits at a specific future date. My commitment is to perform the right audits all the time.
I welcome your thoughts.