The other day, I was talking to an internal audit leader for whom I have great regard. I was stunned to hear him say that internal audit performs two risk assessments: one when developing the audit plan, to identify the processes, locations, and business units to audit, and a second at the start of each audit, to identify the risks to assess in that area.
That is the way I learned to build the audit plan more than 20 years ago; one of the best at explaining the process was David McNamee (see here for his book on the topic).
Essentially, you build a "risk"-ranked audit universe. The first step is to identify all the potential areas for audit, including business processes, locations, data centers, etc. (A frequent question among auditors was "how large is your audit universe?")
You then considered (and some had very sophisticated models for this) various factors such as:
- Revenue generated or accounted for at that location, by that process.
- Asset size.
- Time since last audit.
- The significance of any findings in the prior audit.
- The level of change in systems, process, and personnel.
- Management and board input on risk.
The audit plan included engagements at these locations or of these processes.
I moved away from this process in the early 1990s because I didn't believe it was helping me address the areas of significance to the board, top management, and the company. While it was "risk"-based, we were not talking about risks to the objectives of the organization. We were instead talking about the potential for any deficiency in internal control to have a monetary impact of some size. The difference may be subtle, but it is important. I want to focus my audits on ensuring the organization has the ability to achieve or surpass its objectives.
A jaw-dropping moment happened when I explained my risk assessment and audit plan to the audit committee of the oil company where I was CAE (Tosco Corp.). The CEO asked whether I had considered risks relating to the blending of gasoline, diesel, and jet fuel. As it happened, I had — but it was not considered high risk; it was more a compliance issue than anything else. But, when I talked to the company's executives I heard that when Exxon performed an enterprise-wide risk assessment, this area had been identified as their #1 risk! Poorly-blended jet fuel could lead to Boeing 747s dropping out of the sky into densely-packed urban areas — with the potential to bankrupt the largest (at that time) company in the world. A few years later, I saw the effect of poor blending of diesel fuel when Southern California drivers had major problems and fingers were pointed at us as well as a few other oil companies.
So, I moved to an approach where I identified the top risks to the achievement of the company's objectives (a risk universe), and then identified the engagements I could perform to provide assurance that the controls were adequate with respect to those risks and advice where they did not.
This, for me, is modern risk-based auditing.
I use a metaphor to explain my goal. In the old days, I might decide to perform an audit of my car. After all, it is a high-risk area. So, I will assess the quality and condition of the engine, steering, tires, air conditioning, etc. Perhaps I will find some defects and recommend service and repairs. These days, I would consider my objective: traveling from my home in San Jose to the airport in San Francisco (42 miles). The risks are a breakdown of the car, an accident involving my car or others, traffic congestion, and weather. My audit would include looking at aspects of the car that I rely on to address these risks, including whether I am tuned in to traffic and weather on the radio. I would also consider how I would ensure I am sufficiently awake (my flight is at 6am) and how I would know whether to take an alternate route.
The older audit is focused on auditing the car; the modern one audits my capability to arrive safely and on time.
This is how the IIA (UK and Ireland) defines risk-based auditing: "a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite".
Some prefer to focus on risks to value creation rather than to specific objectives. I am generally fine with that approach, as illustrated in a piece from the co-sourcing firm Vonya Global.
IIA Practice Advisory 2120-3 reinforces this view, as do Practice Advisories 2010-2 (Using the Risk Management Process in Internal Audit Planning) and 2200-2 (Using a Top-Down, Risk-Based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement). However, I must admit that the older IIA guidance is at best unclear as to whether it supports the older, more traditional approach or modern risk-based internal auditing. I believe this merits attention from the various IIA standards and guidance groups.
What do you think?
Are you a proponent of the traditional or the modern risk-based internal audit approaches?