
New Paper on Risk Assessment and the Audit Plan

One of the software vendors that have been providing solutions for internal auditors for many years is Thomson Reuters. With annual revenues of nearly $13 billion, they are one of the few large software companies in this space. So when they speak, I tend to pay attention.

Thomson Reuters recently published a paper written by a former senior manager with E&Y. Entitled “Get Your Internal Audit Risk Assessment Right This Year” (registration required), the paper purports to share best practices for internal audit risk assessment.

Unfortunately, it fails to deliver on that promise.

While it includes some useful guidance for the discussions every internal audit team should have with management, it barely touches the surface of the issue.

I do agree with this statement: “the Internal Audit Risk Assessment presents an oft-missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process.”

The last sentence in the report starts to get to the real point: “With no sign of the pace of changes affecting your organization slowing down, internal audit’s risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top down approach, beginning with management interviews and input.”

Here are the two main problems with that last sentence:

  1. The internal audit assessment of risk and updating of the internal audit plan should be far more frequent than the annual cycle implied by the report. Many departments are moving to a quarterly update, and best practice (in my opinion, and the one I personally followed) is a rolling quarterly plan that is updated as often as the risks change.
  2. While management interviews and input are useful, they are hardly the best place to start. The internal audit team should understand whether and how the organization as a whole has identified the more significant risks to the achievement of its objectives. While not clearly stated in this report, I will give credit to the author for understanding that internal audit should focus on risks to the organization as a whole, and not risks to a location, business unit, or process. However, the organization’s risk management program is not mentioned as a source of information that drives, at least in part, the audit plan! It is also essential that internal audit has a deep understanding of the business, its processes, systems, and organization, sufficient to challenge management’s assessment of risk – or to make its own assessment when there is no ERM in place.

My recommendation: read the report for tips on how to interview management. But, go into that set of discussions with either the organization’s risk ‘register’ or another document that can drive a discussion about which are the risks to the organization that matter – and where the assurance and consulting/advisory services provided by internal audit can be of value. (I have shared a number of files on Box, including a Risk Universe slide you may find useful. Please go to this tab on my web site to download.)

Ask yourself this: do your internal audit plan and the process around it ensure that appropriate engagements are performed on the risks that matter to the organization, when that assurance or advisory service is needed?

  1. Noah Gottesman
    March 16, 2014 at 5:56 PM

    I appreciate the feedback. In writing about this topic, I wanted to discuss the use of the more frequent risk assessment activities, but unfortunately, I don’t see enough Internal Audit Departments using the incremental feedback to adjust their Internal Audit plan of activities. Why? It is easier not to make, document, and defend incremental changes to the Internal Audit plan of activities. It sounds great to be that flexible of an Internal Audit Department to have the ability to alter the Internal Audit plan of activities, however it takes a bold Internal Audit Department to be able to defend both scheduling and re-prioritization of Internal Audit activities to all stakeholders.
    The second item is a great one, but I think it requires a bit more than walking around with the organization’s risk register or risk management’s list of significant risks. The discussion of three lines of defense hints that they are not just tackling dummies and that they actually work together; however, not enough Internal Audit Departments understand their organization’s approach towards risk. They are too caught up in providing their own assessment, and they don’t take the time to understand the 1st line of defense and the 2nd line of defense. I hear too often that the 1st line of defense is insufficient and the 2nd line of defense is not objective enough, so Internal Audit does have to do their own work. In reality, Internal Audit needs to conduct an audit of the 2nd line of defense to understand their approach to risk management. Upon completion of that audit, Internal Audit can begin to work with the 2nd line of defense around how they define the organization, systems, processes, and everything else. My Whitepaper goes through the characteristics of an Organizational Assessment Methodology.
    Thank you again for the feedback and I think you raise some valid points that were definitely considered in writing the whitepaper.

  2. Norman Marks
    March 17, 2014 at 7:59 AM

    Noah, thank you very much for your comment and discussion. May I suggest that when you present a white paper on best practices that you should not be deterred by the fact that some have difficulties following them. Those who influence should always, IMHO, lead with what is desired practice and not just what is minimal accepted practice. BTW, a fast-growing number of companies have adopted flexible audit planning with enthusiastic support from the board and top management.

  3. Brian Robb CA CIA CRMA
    March 17, 2014 at 11:53 AM

    Thanks Norman and for the reply from Noah. I also think along the lines that Noah has expanded upon in reply to the critique of the whitepaper. We are trying to have assurance developed by management alongside the risk register entries so when we plan and discuss risks with management we can also discuss the sources of assurance at the same time.

  4. Norman Marks
    March 17, 2014 at 2:45 PM

    Brian, what kind of “assurance” is developed by management? They own the assessment so I am unclear how they can provide assurance.

  5. Brian Robb CA CIA CRMA
    March 18, 2014 at 11:36 AM

    This is along the lines of the three lines of assurance model. We are trying to get management to identify and consider what and where they are getting assurance from (or provide assurance), i.e. lines one and two of the three lines, and where line three assurance is required. I know the word “assurance” is used quite loosely with this model.

  6. Jean-Michel Boudreault
    March 24, 2014 at 6:43 PM

    I agree with Noah’s main point, which is that IA risk assessments are often inadequate. I have witnessed this myself many times throughout my own career in risk advisory. I also agree with one of the points you bring up, which is that the audit plan should be revisited and updated throughout the year. Regarding your second point, however, I think the importance of ERM as a driver for IA planning is frequently overstated. We must keep in mind that ERM is a Management function (typically reporting to the CEO or the CFO) the main purpose of which is to mitigate risks affecting corporate/strategic objectives, whereas IA is a surveillance function with different concerns, such as the efficiency/effectiveness of internal controls, fraud, the technical or managerial proficiency of staff, etc. While the IA plan must certainly consider the output of ERM, there are many other factors for IA to consider as well. ERM will focus on the achievement of strategic objectives, but IA will consider things like the level of efficiency of the processes engaged in the achievement of those objectives, the ethical climate surrounding those processes, the effects of the corporate culture, etc.

  7. Norman Marks
    March 25, 2014 at 6:45 AM

    Jean-Michel, while I concur that IA should not follow management’s assessment of risk blindly, I believe that IA should be focused on providing assurance and consulting/advisory services to improve the management of risks to the corporate objectives. Yes, we are concerned with efficiency and culture, but just like management we should only be concerned to the extent that they affect the achievement of objectives.

  8. Jean-Michel Boudreault
    March 25, 2014 at 1:57 PM

    I respectfully disagree. Case in point: Enron. The control infrastructure (budgets, performance measures, standard operating procedures and performance-based remuneration and incentives, etc.) was in place to elicit behavior that would achieve the strategic objectives of an organization, yet there was obviously a lot more going on beneath the surface. My point is that an IA function that focuses uniquely on the activities designed to achieve corporate objectives is shortsighted to the point that it could be missing something big.

  9. Norman Marks
    March 25, 2014 at 2:20 PM

    Jean-Michel, I think you have only made my point! The culture was the root cause of failing to achieve all the objectives, which include reliable financial reporting!

  10. Jean-Michel Boudreault
    March 25, 2014 at 3:26 PM

    Reliable financial reporting is a control not an objective. But I think we are getting caught up in semantics here – I suppose any type of organizational failure can somehow be interpreted as failing to meet objectives. My point is that control systems do not always promote the achievement of objectives – sometimes they present obstacles necessary for the protection of assets, shareholders, even the environment and the public at large.

  11. Norman Marks
    March 25, 2014 at 3:31 PM

    1000% disagree. Reliable financial reporting is an objective for which you have controls. Safeguarding of assets is another objective. On the second point, if you have controls that don’t relate to the achievement of an objective, why keep them?

  12. Jean-Michel Boudreault
    March 25, 2014 at 7:41 PM

    We’re getting caught up in semantics – it all depends how you define an “objective.” To me an objective is something like to become an industry leader or to grow by X% per year. Reliable financial reporting is not a strategic objective, it is a tool to measure the level of achievement of real objectives such as growth, changes in market share, etc. But let’s entertain the notion for a second that reliable financial reporting can constitute a valid objective. Now what happens when a company does not identify this as one of their objectives? According to your argument, IA will want to focus only on the achievement of management’s objectives, but effective financial reporting is not one of them! So what does IA do in that case, simply ignore reporting processes?

  13. Norman Marks
    March 26, 2014 at 6:55 AM

    Let me quote from the COSO Internal Control Framework:

    “Internal control is broadly defined as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

    1. Effectiveness and efficiency of operations.
    2. Reliability of financial reporting.
    3. Compliance with applicable laws and regulations.

    The first category addresses an entity’s basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and selected financial data derived from such statements, such as earnings releases, reported publicly. The third deals with complying with those laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.”

  1. March 15, 2014 at 9:47 AM
