Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

​Is Every Risk "Auditable"?

Comments Views

Last week, I was privileged to address IIA–Sweden and then the internal audit team of a Stockholm-based bank. The continuing theme was that we need to focus our limited resources on the risks that matter. I was a​sked this interestin​g question: Are all risks auditable?

The question was asked after I had described some of the risks that we had identified at some of my companies, such as competitor risk at Business Objects (a software company, since acquired by SAP). How can an internal audit engagement add value by "auditing" such a risk?

The answer I gave is that we don't really "audit" the risk. We are not in the business of second-guessing management decisions.

We are in the business of assessing the controls that are relied on by management to manage the area of risk, including related management decisions and actions. We do that by:

  1. Understanding the risk area and its related processes.
  2. Identifying the controls and such that management is relying on to provide reasonable assurance that the risk is maintained at desired levels.
  3. Assessing the design of those controls.
  4. Testing and assessing the operation of those controls.
  5. Providing management and the board with our assessment of management's capability to manage the risk.

The following questions about decision-making may help:

  • ​Are the right people making the decisions?
  • Do they have all the information they need to make informed, intelligent decisions?
  • Is that information reliable, current, and timely?
  • Have they consulted all relevant parties, including all those who might be affected by the decision?
  • Do they have an appropriate understanding of risk levels and the effect their decision would have on risk levels?
  • Do they have an appropriate understanding of the risk levels acceptable, even desired, by more senior management and the board?
  • Is there reasonable assurance that actions will be taken that are necessary to support the decision?

These and similar questions can be used to assess the processes by which risks that matter are identified, assessed and evaluated, and treated.

For example, when we considered competitor risk at Business Objects, I looked at:

  • Who was monitoring competitor risk in all its forms (e.g., changes in their pricing model or in marketing; whether major companies like IBM were acquiring our competitors)?
  • Are they the right people, with the necessary contacts and network — intelligence if you like — to monitor and assess competitor risk for all relevant competitors?
  • Is their information reliable, current, and timely?
  • Are they working with everybody required to address changes in competitor list?

​In World-Class Internal Audit: Tales From My Journey, I mentioned how I had conducted an audit of creativity and ideas (for marketing) at the Tosco Marketing Co. I considered the processes and related controls over:

  • Who was responsible for identifying new ideas that could be used in marketing?
  • Was there an appropriate process for encouraging and soliciting these ideas?
  • Were all employees motivated to participate?
  • Was there an appropriate, unbiased process for evaluating all ideas?

In this way, I was able to assess the system of internal controls relied on by management to deliver useful ideas that could be used in marketing initiatives, delivering revenue to our convenience stores and gas stations.

I believe we can make a contribution in this manner, assessing the controls relied on to manage such nontraditional areas of risk.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • SCCE_July 16-31_July2018_Blog 1
  • IIA Symposium2018_July2018_Blog 2
  • IIA Quality_July2018_Blog 3