Survey results: risk-based internal audit planning

My thanks to the 232 people who answered my short survey.

I wanted to know how many have shifted to basing their audit plan on risks to the enterprise (perhaps linked to their organization’s ERM program); how many remain with the traditional approach of addressing risks to individual processes, business units, or locations; and how many are somewhere in between.

As a reminder, in the traditional approach, an ‘audit universe’ is built, listing all the organization’s business units, divisions, locations, processes, and so on. That list is then ‘risk-ranked’ using attributes such as revenues; assets employed; number of employees; complexity; time since last audit; severity of issues in last audit; whether new systems have been deployed; whether new management is in place; and so on. The entities that rank highest are included in the audit plan. Prior to each audit, a second risk assessment is performed to identify the more significant risks to that entity.

The enterprise risk-based approach starts with understanding the risks to the organization’s objectives and strategies. The risks disclosed in regulatory filings are considered, as are major new initiatives approved by the board. If the organization has an enterprise-wide risk assessment in place that can be relied upon, it is usually a major driver. The goal is to identify the more significant risks to the successful achievement of enterprise goals, objectives, and strategies. It is more of a top-down approach. When individual risks are considered, such as privacy, cyber, or reputation risk, they are assessed based on their potential effect on the organization as a whole.

Here are the results.

  • 11% Risks to the enterprise
  • 15% Risks to individual auditable entities such as processes, locations, business units
  • 32% A combination of the above, but more enterprise risks
  • 42% A combination, but more at the process, business unit, or location level

Clearly, the great majority base their audit plan on some combination of (macro) enterprise-level risks and (micro) risks at a lower level of the organization.

Somewhat more have weighted their plan towards the micro level than the macro level.

So what does this all mean?

My personal assessment is that this reflects solid progress from the traditional (i.e., micro level) approach towards the enterprise risk-based approach I advocate. But room for improvement remains.

While I agree that certain ‘micro’ risks need to be addressed in audit engagements, I believe that is because they are important to the enterprise as a whole – in other words, although the source of the risk is ‘micro’, I would actually call them ‘macro’ risks. For example, the safety of workers at a single factory might be considered a micro risk. But, I would include a related engagement in the audit plan if I believed that a failure to manage safety risk in that single factory represented a significant risk to the enterprise as a whole. I would not address it otherwise (absent other factors, such as a request from the board or CEO), because there are always more significant (to the enterprise) risks than I have resources to address.

So, I think the results are encouraging.

Hopefully, this will trigger the consideration of the enterprise risk-based approach by those with a more traditional methodology. Let’s audit the risks that matter to the leadership of the organization, what KPMG calls “critical risks”. If we don’t do that, the value gap between board and C-suite expectations (that we provide advice, insight and assurance on the issues they face as they lead the organization) and what IA delivers will persist.

I also believe that The IIA Standards Board should review its risk assessment standards. Do they support the enterprise risk-based approach, or are they only directed towards the traditional methodology? I believe that when they say that a risk assessment should be done for every engagement, focused on risks to the entity being audited, they are falling behind emerging best practices.

I welcome your comments.

  1. April 8, 2016 at 9:55 AM

    While I agree with the enterprise wide, top-down, risk approach, I think you are too ready to ignore the ‘micro’ risks. I would argue that all risks should be assessed, with no attempt to distinguish between enterprise-wide and other risks. If the enterprise-wide risks are critical they will naturally appear at the top of the list for auditing. It is up to the board/audit committee to draw the line across the list at their risk appetite. If they want to include audits of accounts payable and credit control, alongside audits of enterprise-wide risks, that is their decision. However, it is equally their responsibility to provide internal audit with the resources to do those audits. Your phrase ‘because there are always more significant (to the enterprise) risks than I have resources to address’ worries me. When I appeared before the audit committee I was required to assure them that I had the resources to complete those audits which would provide assurance that risks were being properly managed. OK, we can always do with more resources but there comes a crunch point below which we cannot provide a reliable opinion.

    • Norman Marks
      April 8, 2016 at 10:34 AM

      David, I agree that all risks should be assessed – but against what? Their significance to a business process/unit, or their significance to the enterprise as a whole? I advocate the latter.

      With respect to the audit committee, may I suggest that there are always more risks than we can ever audit – unless we have 50% or more of the employees on staff. We have to focus on those that are more significant, and my measure is significance to the enterprise objectives. Even so, there will be more than we can address. I suggest to the audit committee where the resource and budget line should be drawn, but they can always move it to include more or less risks.

      I agree that we should “provide assurance that risks were being properly managed”. I do that by first providing assurance on risk management broadly across the organization (i.e., framework and processes) and then with assurance on a number of the more significant areas of risk.

      Is that consistent with your approach?

      • April 8, 2016 at 12:22 PM

        I fully agree that risks should be assessed against the enterprise as a whole, although in practice this may mean some smaller subsidiaries never get audited.
        I hope that the approach detailed in my books (www.internalaudit.biz) is broadly in line with yours, since I agree with your approach! I probably need to revise some of the books to emphasise the need to address enterprise level risks, although my main aim is to suggest a methodology to cover the assessment of any level of risk.

        I fully support your view that the IIA standards need revision.

  2. daniel kalwiji
    April 8, 2016 at 10:58 AM

    Some Board members have expressed concern that IA focuses on Micro risks at the expense of strategic risks. This concern is likely to arise when too much focus is placed on audit units.
    Your views are very helpful in helping internal meet the expectations of both management and the Board.

  3. Acquaintance of Norman's
    April 8, 2016 at 11:12 AM

    Let's say hypothetically – you have a staff of 100 auditors. 20 of them are right out of college, 40 of them have general audit experience but knowledge in the areas they are tasked with auditing, 10 of them manage the audit department itself (tracking findings, management action plans, presentations for committees and board), 10 of them perform QA on the other auditors, and 20 of them are actually experienced audit managers who lead projects and actually know a thing or two about the process they are reviewing. This department has to meet the expectations of its regulators – and 3/4 of the audits are regulation-driven. How can we expect this department to “first provide assurance on risk management broadly”, when most of them aren’t even familiar with even likelihood vs impact matrices, much less other risk tools? Their ‘risk-based’ approach will be window dressing, for show. Because they are struggling to just interpret the regulations, so that they can even provide basic assurance that the organization is in compliance; they don’t have the luxury of learning about “risk management – broadly”. They live in the world of tight timelines, work papers, audit reports, meetings w/ stakeholders and regulators to discuss findings and action plans. And of course – uploading evidence to some system where the audits themselves are stored. The firm is not going to throw $ for more resources at them, and half of them wish they weren’t in audit. This is the hand they have to work with and it is IMO, why their audits will inevitably focus heavily on the micro. It's easier. It's the path of least resistance. Imagine asking your local car-repair shop to assess feasibility of switching out your engine to an electric one – as part of your scheduled maintenance. The garage will give you a bone to chew on, but it won’t be a substantial assessment. At the end of the day, they really want to change your oil, replace your brakes, and get your car out of the shop as soon as possible.

    • Norman Marks
      April 8, 2016 at 11:39 AM

      Dear Acquaintance, sounds like you need to change your staffing model! 10 people doing nothing but QA! Only 20 have an understanding of the business and know what they are doing?

      A staff of 100 but able to do the same work as 40 experienced people.

      Time to do an audit of this audit department.

  4. April 9, 2016 at 3:02 AM

    Norman, I think you have the right idea. I think the risk is often in the detail, so micro risks are all linked to macro. Very few discrete macro risks really exist; they are mainly webs of detail, systems, culture and processes. All of these are important. I am attending your session in London soon, so perhaps we can pick this up then? Kind regards, Anthony

  5. Kaya Kwinana
    April 9, 2016 at 7:48 AM

    Norman, in your response to David you concede that “there are always more risks than we can ever audit.” I would suggest you add, “even in a million years.” In short, you concede that whatever assurance you may provide is illusionary.

    You then say, “I do that by first providing assurance on risk management broadly across the organization (i.e., framework and processes) and then with assurance on a number of the more significant areas of risk.” Your posts suggest otherwise – a determined focus on the latter.

    The first part of the above paragraph should properly relate to governance, risk management and control processes, to be pervasively implemented in each organisational unit, rather than just “more significant areas of risk”.

    Also, as long as you exclude internal audit consulting, the assurance you provide will be that things are not going as they should.

    You can never provide independent and current assurance on all of the organisation’s activities. The organisation operates on a daily basis on activities internal auditing cannot provide current assurance on. Therefore, the non-independent assurance is even more important than the independent assurance and that is where the focus should be and is required by the IIA standards (2100), to get that to be reliable so that internal audit effort can be directed where it is needed most.

    Internal auditing is focused on the managers as the risk owners. Each is responsible for his/her area (and whatever risks are there). The VW CEO cannot be expected to know what each and every device in each car does. He/she is expected however to ensure that there are sufficiently adequate and effective governance, risk management and control processes throughout every corner of the organisation for any irregularity to be flagged and resisted.

    The practices that you suggest, the impossible focus on particular risks, only give a false sense of security at huge cost to organisations. How huge? VW is finding out, as have other companies in recent years.

    What is the difference between risk-based internal auditing and risk-based auditing, as these seem to be used interchangeably?

    • Norman Marks
      April 10, 2016 at 9:20 AM

      Kaya, the assurance is not “illusory”. It is on what matters the most. Just as you cannot be certain that when you step forward you will not injure yourself. You only spend as much time looking at your feet as you can afford. You also have to look ahead.

  6. April 9, 2016 at 6:44 PM

    Interesting discussion, Norman. I don't think, however, the traditional approach, as described, is a substitute for the enterprise risk-based approach. Rather, they are complements in the same way macro-economics and micro-economics complement each other. They (the ‘traditional approach’ and the ERM approach) are dealing with different dimensions of the risk management system. Leave one dimension out and you have potential for uncovered risk.

    • Norman Marks
      April 10, 2016 at 9:16 AM

      David, I don’t understand how they are “different dimensions”. Yes, there may be risks to the objectives of a part of the organization, just as there can be risks to an individual’s or team’s objectives. But when it comes to which matter to the leaders, surely the measuring stick is their effect on organizational objectives.

  7. Paul Haley
    April 10, 2016 at 8:26 AM

    Are you able to analyse your results by country? I suspect the UK is more RBIA in its approach as not only did the RBIA Position Paper originate here, it has been a central part of the old Chartered Internal Auditor exam syllabus. So anyone trained in the UK in the last 10 years would be well versed in the RBIA approach. The problem though is that the IIA Standards only mention the term “risk based” once. So no real mandatory requirement. Then there is no direction on some kind of scientifically repeatable process to select risk areas for auditing… hence we can all look at risk registers and not end up selecting the same areas… leaving a gaping hole in the “science” of internal audit.

    • Norman Marks
      April 10, 2016 at 9:19 AM

      Paul, I wish I could analyze by country. My personal view is that this is a topic that requires the attention of the IIA Standards Board. Too many are not really taking a risk-based approach. When you see responses to this and similar blogs talking about auditing an area every so many years, you can see that the focus of many is not on addressing the risks that matter now.

      Thanks for your comment.

    • Kaya Kwinana
      April 13, 2016 at 3:23 AM

      Paul, regarding RBIA, the Chartered Institute of Internal Auditors said last year, 11 years after its position paper on RBIA, “it is an area that is evolving rapidly and where there is still little consensus about the best way to implement it.” Even so, it is now proposed that RBIA (or RBA as IIA Inc President and practice suggest) be mandatory.

      There are actually 2 such references to “risk based”, 1110 interpretation which refers to the primary reference, 2010.

      The new mission calls for insight, and yet it seems to be missing in RBIA/RBA. Its focus on risks per se is misleading.

      It is adequate and effective governance, risk management and control processes that provide reasonable assurance that organisational objectives will be achieved, not internal auditors.

      When assuring, internal auditors provide reasonable assurance on whether or not adequate and effective governance, risk management and control processes are being implemented.

      Since internal auditors cannot be everywhere in an organisation, consulting – the transfer of the skills to implement and assess governance, risk management and control processes to management – is crucial to internal auditors being likely to conclude that indeed, adequate and effective governance, risk management and control processes are being implemented.

  8. Sumaya Jaffer
    April 12, 2016 at 11:03 PM

    Hi Norman,

    I appreciate the topic as I have worked on both sides, risk and internal audit. I am from South Africa and therefore speak from current practices here. As much as I agree that risk should be the focus area of internal audit plans, I also think that we should not turn a blind eye to some of the compliance approach methodology. Some processes are key to the organisation; however, they do not make it to the risk register as they are seen by the business as extremely well controlled and therefore not a risk. Organisations focus more on the residual risk than inherent risk, which is correct but might pose an issue when developing audit plans. I think the problem lies a little in the understanding of risk based auditing and the application thereof. In many instances you find that risk is viewed as a tick box exercise and therefore not given the importance that it deserves. This also poses a problem as the “critical risks” might not be defined as accurately as they should. Another issue that we face here is cultural issues: risk is seen as a “whip” as and when necessary and therefore there is a fear among employees. I also agree that the IIA should review their risk assessment standards. In many cases you find internal auditors struggling with risk methodology and their role in the risk management process. I think a lot of focus needs to be driven on the understanding and implementation of risk management before the process can be totally used to develop audit plans.

    Thank you for the results of the survey.
