When to audit business locations
One of the readers of my work sent me this message.
I was reading your article about modern risk based audit [link added] published in the IIA journal. I find the approach very interesting.
In developing my plan I used to do the traditional risk assessment by identifying the audit universe then prioritizing entities based on risk. In your suggested approach, an auditor should start from the company strategy and objectives, identify the risks that jeopardize these objectives (this could be done through risk management) then audit controls related to those risks.
I had a discussion about that approach 4 months back and I got a lot of opposition from CAEs who audit banks. Their opinion is that they have to audit the big branches every year. I would really appreciate your opinion on that as, for some industries, it seems that covering the audit universe is as important as starting from the risks to objectives (such as expansion in a certain country).
I have seen a lot of CAEs surrender to the old approach simply because they are not politically strong to raise big strategic alarms to their board audit committees and senior management.
Apologies for reaching out to you this way, but I’m very passionate about what I do and I would like to learn and implement new good ideas such as the one suggested by you in the IIA journal.
I will start working on my annual plan now, changing the lens to start from the risks to objectives and not from the audit universe. I would appreciate the opportunity to reach out to you if I had difficulty implementing this.
I enjoy the opportunity to mentor others and to evangelize internal auditing, so I replied straight away.
I used to be in internal audit at a bank, in ancient history, and understand the perspective. The idea is that the larger branches are a significant source of risk. I don’t quarrel with that, but how much work do you need to do there – that’s the key question! Do you look at every risk that is significant to the branch, or only those that are significant (in aggregate) to the bank as a whole?
The risk (pun intended) is that by focusing on details at the branch level you miss the big picture. I write about this in my internal audit book. At Solectron, we had about 120 factories (sites) and margins were so small that a serious issue at any one site could be significant to the business as a whole. My predecessor had an audit plan that spent 90% of the time auditing the sites.
Soon after I took over as CAE, I went over to my IT auditor who, like the rest of the team, was preparing for the next site audit. I asked what he was working on – perhaps looking at some analytics to improve his understanding of the business before he arrived. No. He was starting to draft the audit report! He told me that he found the same issues at every site, so he knew in advance what he would find at the next one!
I asked what corrective actions came from his findings and he explained that local management would upgrade the security, etc.
But, when I asked whether he or the former CAE had thought about whether this pervasive problem should be escalated to corporate and the office of the CIO, he said “no”. No audit had been performed of corporate IT, even the corporate IT security function.
Down in the weeds, missing the big picture.
I changed the approach to the one I discuss in my writing. We looked at the business risks to the enterprise should IT fail in some fashion. That led us to audit the way in which the company approached IT security, the leadership and capabilities of the corporate IT function, and so on.
Recently, Paul Sobel and I were on an OCEG webinar and talked about the topic of my book, world-class internal auditing. One of the survey questions asked whether those listening based their audit plans on risks at the location level or at the enterprise level. Unfortunately, the great majority used the ‘old’ approach, but we were heartened to hear that they intended to move to the ‘newer’ enterprise-risk based approach.
Where are you now and are you changing?
What should be audited at each location or within each business process? The risk to the process or the risk to the enterprise?
By the way, look at a related post on the IIA blog (it will appear this week) where a board member says that most internal audit ‘findings’ are mundane. I believe that is due, in part, to auditors being focused on risks in the weeds rather than to the enterprise.
Good evening Norman,
The article implies that IA can review risks at an entity strategy/objectives level without focusing / isolating risks at business location levels.
I work in a bank and improved profitability / bottom line is a core objective. Needless to say, some branches are bigger contributors to the bottom line than others, either negatively or positively. IA's role is to establish the root cause as to why each contributor is on either end of the spectrum and give assurance on GRC with appropriate advisory and value-adding recommendations.
It is not possible to identify these risks/root causes without having audit programs that focus on business processes and units.
What matters is the how: how you go about auditing these units and their processes.
Mbatia, what I am suggesting is that IA should build the audit plan to address the more significant risks to the enterprise rather than risks to the location.
In your bank, if processes relating to profitability are key risks, then I would audit those processes at significant branches. I would not audit risks that might be significant to the branch manager but never would be to the organization, even in aggregate across multiple branches.
Another example.
In a refining company, the source of most significant risks to the enterprise is at the refineries. What my team does is identify the sources of risks at each refinery that aggregate to enterprise risks – and that is what we focus on. However, I have seen other audit teams include matters such as adhering to speed limits within the refinery in their audit scope.
I start with enterprise risks, then identify the sources of those risks and where the controls reside – and then determine which audit engagements would address them.
Does that help?
My experience is that audit findings at branches are the same.
I used to carry out a risk-based assessment of the branch processes, identify residual risks and make recommendations to rectify them.
Once done, then minimum audit should be done on a location basis. Better to use a holistic approach and IT analysis.
The insurers however insist on covering all branches once every three years.
It makes sense to cover all the branches, if not all the major ones, but how much work do you need to do? The idea of a full scope audit should be obsolete.
Thank you Norman for your advice. I work in an electricity utility company where I prepare the annual program based on the enterprise risk assessment and then visit the branches based on their significance in terms of identified corporate risks. However, our organization has been undergoing significant changes due to a change in leadership. At times the strategies change midway due to political influence, thus making political risks quite significant. How best can you address this type of risk, especially in a situation where government owns the majority of shares in the organization and the leadership has to dance to the tune of government and at the same time make a profit?
Good question, Regina. I would like to think IA remains objective and focused on risks to the achievement of the corporate objectives. Where political influence appears to lead management astray, I hope we have the courage to inform top management and the board of the level of risk.
I am a practicing auditor and primarily carry out Internal Audit assignments for clients in manufacturing and trading. Obviously, my experience as regards ‘branch audits’ differs from all those who are primarily discussing from a ‘bank’ perspective.
To my mind, the operations at the branches depend on the management’s definition of risks, documentation of the risk mitigation plans and effective execution of the same. In the absence of these, it has been noticed that the branches (the people at them) identify the risks and try to mitigate them in the manner they think appropriate, without any relevance to the organization as a whole.
Milind, is it possible that actions taken to identify and mitigate risks from a local perspective might be inconsistent with the goals of the enterprise as a whole?
As an example, what if IT decided to stop work on a major project because it was running out of budget, or was concerned about security? That would have a major impact on business units dependent on that project.