Which risks does IA audit?
I need your help.
A couple of weeks ago, I chatted with representatives from the IIA Standards Board and IIA staff about their proposed changes to the Standards.
Unfortunately, they feel that few internal audit departments have moved to what I call enterprise risk-based internal auditing – auditing the risks that are critical to the success of the organization as a whole, rather than micro risks at the process or location level. So, no change in risk assessment guidance is planned at this time.
Please take a couple of minutes and answer the single-question survey at this link. I am hopeful that it will help us move the profession forward and close the value gap between what IA does and what stakeholders need. (See here for more on that topic.)
Leave a reply to chiefauditexecutive Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
Hmm, I don’t think there are quite enough options in your survey, Norman! When I was chairing Audit and Risk Committees, I didn’t want to waste scarce audit resources on risks of any kind — those were the responsibility of line managers. I wanted the audit teams to focus on critical controls, those controls that limit how far things can get out of hand (or in risk terms, those controls relating to low risks for which the exposures would be high if the controls were to fail).
Kind regards,
Dale
Dale, surely you asked IA to audit the controls over risks – and the question is whether these were risks to the enterprise as a whole or risks to a process or location within the organization.
How did you select which controls should be audited?
We selected controls based on the potential impacts on the organisation if the controls failed to work. Since we defined risk is the effect of uncertainty on objectives, and those objectives as the objectives of the organisation, does that make them enterprise risks? I suppose it does, although I don’t find that description particularly helpful, and many of the ‘enterprise risks’ arose in projects or specific areas or activities.
Dale, the distinction I am trying to make is between risks to the objectives of the enterprise and risks that are limited in their effect to just a part of the organization. An example would be risks to inventory or accounts payable at a business unit, where those are not considered areas where a problem would be significant to the enterprise as a whole.
Norman, while I can see the distinction between ‘enterprise’ risks and other risks, do we need to make such a distinction? Isn’t the first task to define the objectives of the enterprise and the sub-objectives which ‘trickle’ down, to business units, functions, departments and employees. Each of these levels should identify and assess the threat of risks to their objectives (measured on the organisation’s scale). It should then be possible to highlight the risks presenting the highest threat to the organisation’s objectives. These will normally be risks to the enterprise objectives, but not exclusively so. In the UK they are defined as ‘principal’ risks which have to be listed in the published directors’ report. There will be many more risks above the organisation’s ‘risk appetite’ (i.e. the level above which risks are not acceptable). For example, Tesco (a major UK retailer) does not list among its principal risks loss of customer data or the issuing of incorrect accounts There is therefore the danger that these are not considered to be ‘enterprise’ risks (although they surely are). Hence my reluctance to characterise risks other than by those at a level considered unacceptable to the board.
David, there are two primary approaches to building a “risk-based” audit plan.
The traditional approach defines an audit universe, which includes all business locations, units, processes, and so on. These are then risk-prioritized, using factors such as revenue, assets, complexity, time since last audit, change in systems, and so on. The top ranking entities are included in the audit plan. Before the audit starts, a second risk assessment is performed – of risks to the entity to be audited.
the second approach, which I see as emerging practice, is to build of the organization’s enterprise-wide risk assessment (if they have one) to identify risks that are important to the enterprise as a whole.
The first is a bottoms-up approach. While it may identify important risks, it may not identify the true risks to the enterprise as a whole (such as competitors) and may lead to auditing areas where even significant failures would not lead to board action – maybe not even board attention.
The second is more top-down. It is likely to include most if not all the critical risks to the enterprise. However, it may also miss some where the enterprise objectives are not stated – such as loss of customer data.
I am trying to see where people are: the first, the second, or a combination with greater weight on the first or second.
Does this help?
Norman, my suggested approach starts with the organisation’s objectives and risks threatening them, identified in a risk workshop of directors. So it should pick up critical risks such as those from competitors. So I don’t see it as bottom up. If the risks are properly assessed there should be no audits not requiring board attention.
Your second approach builds on the organisation’s enterprise wide risk assessment. Surely this must also start with the organisation’s top level objectives and board risk workshop?
I see the traditional approach as an audit universe compiled by auditors identifying risks with no reference to the organisation’s objectives or management input.
Norman – I think the binary view of macro and micro risk auditing is a false one. You mention critical risks as if they are few and significant in themselves. Risk is in effect a web and portfolio of sub risks. Very few risks are, of themselves, ‘strategic’ i.e. significant in size and volume to affect an enterprise at the enterprise level. These so-called strategic risks are webs of risks managed through complex sets of systems and processes. So in my view, as long as internal audit is linking its tactical and even operational risk work to the overall web of risks, and the top level strategic aggregations of risk, this is fine. Sure, if strategic risks exist then IA should audit them, but I would contend they are few in most portfolio enterprise organisations of any size.
David and CAE, I think your approaches are ones I would include in enterprise risk-based auditing. Thanks
“Unfortunately, they, (the IIA Standards Board and IIA staff), feel that few internal audit departments have moved to what I call enterprise risk-based internal auditing – auditing the risks that are critical to the success of the organization as a whole, rather than micro risks at the process or location level. So, no change in risk assessment guidance is planned at this time.”
If internal audit departments moved in the direction of “enterprise risk-based internal auditing”, as you have explained it, they would be regresssing faster than they are now and .not conforming to current mandatory IPPF guidance or common sense.
Internal auditing has two distinct mandates, assurance and consulting, appropriate in different circumstances, (2201 identifies the four elements to be considered in assessing which circumstances prevail), which is the essence of the internal audt concept of “added value.”
Internal auditing is concermed with governance, risk management and control processes throughout the whole organisation, not specific risks at whatever level.
An internal audit plan should be a well thought out plan of how internal auditing is to get to a stage where it can provide an overall opinion worth being called an “overall” opinion. Because of the concurrent consulting mandate, that overall opinion is also a reflection on the internal audit department itself.
The internal audit focus on certain risks – “risks that are critical to the success of the organization as a whole, rather than micro risks at the process or location level” – is what informs the organisation to do the same. Such risks are almost always plucked out of the air from the internet – top risks for 2016. – always discrete, always infinite, always relevant to the extent that they are fashionable at the time. Management throughout an organisation are left as ignorant as ever of the governance, risk management an control processes that objectives, risks and controls are outputs of.
The VW cheating device is something that happened at the micro level. By the time it was a macro level issue, the damage was already done and such that it could even obliterate that organisation! So much for not being concerned about the micro-level.
seems like you are trying to squeeze the evidence into an either/or instead of looking at it for what it says. The question is flawed because the way you have defined the possible responses, while it may align with your presumptions, doesn’t seem to align with how many others see the world.
DS, how do you see the world? How do you build the audit plan?