When I became a chief audit executive (CAE) for the first time in 1990, I determined a risk-based approach was inadequate.
A risk-based approach focuses on how well management can handle a potentially bad event or situation. It assesses the design and operation of the internal controls relied upon to prevent losses or other bad effects, such as financial statement errors, fraud or reputation damage.
The risk-based approach is suggested by IIA Standards, as described in Risk Assessment in Audit Planning (pdf) from IIA Belgium (thank you Marinus de Pooter for sharing with me). It quotes relevant IIA Standards:
- IIA Standard 2010 requires, "The chief audit executive must establish risk-based plans to determine the priorities of the internal audit."
- IIA Standard 2010.A1 requires, "The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process."
- These standards require the Head of Internal Audit (HIA) to develop a risk-based plan. The HIA should take into account the organization’s risk management framework, including risk appetite levels set by management for the different activities or parts of the organization. If a risk management framework does not exist, the HIA uses his/her own judgment of risks after consideration of input from senior management and the board. The HIA must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems and controls.
- The main challenge faced by the majority of internal auditors is how to allocate limited internal audit resources in the most effective way — how to choose the audit subjects to examine. This requires an assessment of risk across all the auditable areas that an auditor might examine.
I do not recommend the IIA Belgium guide for several reasons, including the fact that in the detail it talks about identifying and assessing the risks to the objectives of auditable entities (the audit universe, a concept that should be retired) instead of the risks to the objectives of the enterprise (captured in a risk universe).
When I became CAE, the prevalent thinking was to risk-prioritize auditable entities. I started talking instead about enterprise-risk-based auditing.
High Audit Value With Low Risk vs.
There are times when we should be focusing more on where we can add value rather than where the greatest sources of enterprise risk lie. While they are more often than not the same, that is not always the case.
First, there are situations where the level of risk is, and should be considered, low, but great value could be mined and delivered by internal audit.
The first time I experienced this as CAE was highlighted by the chair of the audit committee, Clarence Frame. Tosco at that time was a $2 billion revenue oil refining and marketing company. However, its roots were in its name.
In a previous era, the name of the company was The Oil Shale Company, abbreviated to TOSCO and later changed to Tosco when it found there was no money to be made mining oil shale. It acquired a number of oil refineries and concentrated on that space. However, it continued to own land with oil shale deposits and the water rights crucial to any future mining activity.
Frame wanted the company to comply with the rules that mandated certain continuing activities if it were to maintain those water rights. There was no associated revenue, only costs, and management had no desire to spend any time on the past dreams of its founders. The risk was we would lose the rights, which we all knew would have no effect on the company’s operations or results in the foreseeable future.
But Frame and the audit committee, with some support from the CEO, saw value in knowing that appropriate actions were being taken to preserve the potential long-term revenue from oil shale. If the price of crude oil rose significantly (seen then as highly unlikely), the oil shale and water rights would be of high value.
We know now that Frame was right and the rights needed to be preserved. By the time the oil shale became viable, Tosco had been sold to Phillips Petroleum (now part of Conoco) and I had moved on.
We completed the audit and found certain actions were required to preserve the rights. Management reluctantly agreed, to the benefit of the shareholders of the successor companies.
We should always pay attention and consider audit projects that are of high value to the audit committee or CEO. They are not, in my opinion, automatically included but should be given strong consideration.
... High Risk With Low Audit Value
Then there are situations where the risk is high, but the value of an audit is low.
For example, when I started as CAE at Solectron, the company was still engaged in acquiring smaller businesses and their assembly plants around the world. It was a contract manufacturer for electronics companies like IBM and Intel and our 120 plants served their needs around the globe. But 120 was too many and the average utilization rate (which measured how much of our capacity we were using) was well below 50%. Costs were rising at the same time as our competitors were pushing sales prices down. They were able to use their factories more efficiently and it showed in their competitive bids.
There was a serious possibility the market would continue to put pressure on sales price, maybe even more pressure, and if we didn’t do something to rationalize our footprint we would go out of business.
I had this as a high-risk issue.
But when I started looking further into the problem, I found management had already established a high-power task force to assess the situation and make recommendations.
It was clear the right work was being done by the right people, with access to and support from top management.
There was little to no value to any audit project, whether assurance or consulting. I considered an audit to evaluate whether management had sufficient reliable information to enable an informed decision, but the task force leaders assured me they did.
I continued to monitor the project through periodic meetings with the task force leaders.
Stop Focusing on Potential Harm
The risk-based approach tends to focus on the possibility of harm. But auditors should also consider whether management has controls and procedures to ensure they are seizing opportunities.
For example, I have seen:
- Situations where controls could have been improved to ensure management is aware of and putting the best resources towards not only winning a sales contract but optimizing it.
- Opportunities that were unrecognized by management to deploy new technology and realize great benefits. Sometimes, it was technology that had been acquired but was under-utilized. Sometimes, it was because management didn’t have any discipline about understanding how new technologies could be used in its business.
Finally, there are situations where there really isn’t a risk as such. I am talking about where the concern is not about something that might happen at some point in the future, but with the current situation.
For example, at Maxtor the cost of our manufactured product (hard disk drives) was greater than our competitors’. The reason was two-fold: we had some manufacturing operations in high-cost California, while our major competitor had similar manufacturing in China; and we had outsourced some manufacturing of essential parts to a Taiwanese company where we were a minor customer, while our competitor had it all in-house in China. As a result, we were unable to develop a next-generation hard drive at a cost that would enable us to make money.
I spent a fair amount of time on a consulting project, looking to see whether there were opportunities to realize cost savings and then sitting in with management as we planned a new site in Thailand or Vietnam to replace that high-cost California operation.
A Rethink of Risk-Based Audit
Putting this together, I believe in a tweak of the risk-based audit approach. It should be enterprise risk and value auditing.
What do you believe in?