Survey results: risk-based internal audit planning
My thanks to the 232 people who answered my short survey.
I wanted to know how many have shifted to basing their audit plan on risks to the enterprise (perhaps linked to their organization’s ERM program); how many remain with the traditional approach of addressing risks to individual processes, business units, or locations; and how many are somewhere in between.
As a reminder, in the traditional approach, an ‘audit universe’ is built, listing all the organization’s business units, divisions, locations, processes, and so on. That list is then ‘risk-ranked’ using attributes such as revenues; assets employed; number of employees; complexity; time since last audit; severity of issues in last audit; whether new systems have been deployed; whether new management is in place; and so on. The entities that rank highest are included in the audit plan. Prior to each audit, a second risk assessment is performed to identify the more significant risks to that entity.
The enterprise risk-based approach starts with understanding the risks to the organization’s objectives and strategies. The risks disclosed in regulatory filings are considered, as are major new initiatives approved by the board. If the organization has an enterprise-wide risk assessment in place that can be relied upon, it is usually a major driver. The goal is to identify the more significant risks to the successful achievement of enterprise goals, objectives, and strategies. It is more of a top-down approach. When individual risks are considered, such as privacy, cyber, or reputation risk, they are assessed based on their potential effect on the organization as a whole.
Here are the results.
- 11% Risks to the enterprise
- 15% Risks to individual auditable entities such as processes, locations, business units
- 32% A combination of the above. but more enterprise risks
- 42% A combination, but more at the process business unit, or location level
Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization.
Somewhat more have weighted their plan towards the micro level than the macro level.
So what does this all mean?
My personal assessment is that this reflects solid progress from the traditional (i.e., micro level) towards the enterprise risk-based approach I advocate. But room for improvement remains .
While I agree that certain ‘micro’ risks need to be addressed in audit engagements, I believe that is because they are important to the enterprise as a whole – in other words, although the source of the risk is ‘micro’, I would actually call them ‘macro’ risks. For example, the safety of workers at a single factory might be considered a micro risk. But, I would include a related engagement in the audit plan if I believed that a failure to manage safety risk in that single factory represented a significant risk to the enterprise as a whole. I would not address it otherwise (absent other factors, such as a request from the board or CEO), because there are always more significant (to the enterprise) risks than I have resources to address.
So, I think the results are encouraging.
Hopefully, this will trigger the consideration of the enterprise risk-based approach by those with a more traditional methodology. Let’s audit the risks that matter to the leadership of the organization, what KPMG calls “critical risks”. If we don’t do that, the value gap between board and C-suite expectations (that we provide advice, insight and assurance on the issues they face as they lead the organization) and what IA delivers will persist.
I also believe that The IIA Standards Board should review its risk assessment standards. Do they support the enterprise risk-based approach, or are they only directed towards the traditional methodology. I believe that when they say that a risk assessment should be done for every engagement, focused on risks to the entity being audited, they are falling behind emerging best practices.
I welcome your comments.