Almost everybody, whether on the board, in management, or in internal audit, agrees that internal audit should be “risk-based.”
But I don’t think they are talking in the same language.
Let’s start with four assertions about leading thinking and practice:
- Internal audit should design the audit plan and perform audit engagements that focus on the risks that matter to the organization.
- The risks that matter are those that might have a significant effect on the achievement of the organization’s objectives and delivery of value.
- Internal audit should provide assurance to the board and executive management that those risks, the ones that matter, are managed at acceptable levels by the organization’s processes. If not, their assessment should be supplemented by recommendations to improve those governance, risk management, and internal control processes (best practice is to agree with management on the actions to be taken, such that the audit report identifies those actions rather than including internal audit recommendations and a management response).
- The internal audit report should provide that assurance in a clear manner. That means that it should spell out the auditor’s professional opinion of the adequacy of management’s processes to ensure that the risks are maintained at acceptable levels.
I believe this is leading thinking and practice, but as with any such assertion there are some who will agree and some who will not. Certainly, what I have asserted is not "traditional" thinking, even though a notable and commendable few have been doing it for some time.
For example, there are some who believe that internal audit should not provide an opinion. Instead, they rate the risk levels as high, medium, or low (or use another scale). I believe that this is passing the buck: They are making their customers on the board and in management decide whether management is managing risks effectively rather than sharing their professional opinion on the topic.
Others have a very different view of what “risk-based” means. They still use an audit universe (a list of all locations and processes that could be audited) instead of a risk universe. They rate the locations and processes using factors such as revenue, asset size, time since last audit, the significance of prior audit findings, etc. Then they select the locations and processes that rated highest for audit. The scope is based on the risks at those locations or in those processes. In other words, their assessment is of the risks in those processes or at those locations.
The problem with this traditional approach is that it assesses the risks that matter to the locations or processes, not necessarily the risks that matter to the organization as a whole — and its ability to achieve its objectives and deliver value.
One provocative (and even more controversial than me) internal audit advocate believes that internal audit should provide an opinion on whether the residual risk reporting provided to the board by management is reliable. I have stated my objections to this idea several times. The primary ones are:
- The board and management want to know whether they can rely on the organization’s processes to manage risk every day, not just the occasional reporting of risk to the board.
- Internal audit needs to communicate in the language of the business and of the board. Even risk managers don’t talk about “residual risk reporting.” In fact, most risk practitioners don’t use the term “residual risk” any more; they just talk about “risk.”
- The board and top management need to know what objectives are affected when risks are outside accepted levels. They need to know this so they can assess the actions to be taken (which might include changes to strategy), whether management’s forecasts and projections are "at risk," etc.
Some are concerned that this approach will not work when management has not established what levels of risk are considered acceptable (i.e., its risk tolerance, appetite, or criteria). As the IIA Standards say, in this situation internal audit should use its own judgment (in collaboration, if possible, with management) on whether the level of risk is acceptable. We have been doing that for decades, so I don’t see a problem doing it in 2013. I suggest that internal audit should also take this opportunity to explain to management and the board the value of establishing acceptable risk levels: without them, how will operating management know whether they are taking the right risks?
Others say that their boards and top management are not asking for this assurance. My answer is that their boards are failing them: Either they don’t know what internal audit can do for them, lack confidence in internal audit to address risks other than financial or compliance risks, or are complacent.
I welcome your comments. I will try to answer the objections I am sure will be posted.