I have been begging for a critical update to the IIA Standards
That is not an exaggeration.
I have spoken to multiple IIA leaders for more than a decade, including a series of chairs of the IIA’s Standards Committee, about the need to update guidance on internal audit’s risk assessment and audit plan.
This month, the IIA published a new Practice Guide: Developing a Risk-based Internal Audit Plan. Practice Guides (PG) are recommended guidance but not mandatory.
I was excited!
I became even more so when I saw that they had taken up a number of issues I had been speaking about (along with many others) for years.
Here are some of the shining lights in the PG (with my highlights):
- In today’s business environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks.
- To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
- Comprehensive risk-based planning enables the internal audit activity to properly align and focus its limited resources to produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
- While the annual risk assessment is the minimum requirement articulated in the Standards, today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously. Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.
- Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
- …. need to continuously assess risks, reevaluate risk priorities, and adjust the plan to accommodate the new priorities.
I am now on page 5 of the PG and things are looking good – very good. On page 7, I even saw a reference to a ‘risk universe’. This is a term I coined many years ago, when I was preaching about the need to replace the obsolete concept of an audit universe with a risk universe.
Why?
Because we are providing assurance, advice, and insight on (as the PG says) “the risks with the greatest potential to affect the organization’s ability to achieve [enterprise] objectives.”
We should be auditing whether management has effective controls to address those risks (you can talk about “auditing the risks”) rather than auditing individual business units, locations, processes, etc.
Audit and provide assurance on the management of the risks, not the management of “auditable entities”.
At the end of the day, the audit committee and top management need assurance from us that the more significant risks are being addressed properly, and you do not achieve that by auditing entities instead of risks.
To repeat what the PG says in its initial pages:
- address the risks with the greatest potential to affect the organization’s ability to achieve those objectives.
- produce insightful, proactive, and future-focused assurance and advice on the organization’s most pressing issues.
- continuously assess risks, reevaluate risk priorities, and adjust the plan.
And, the audit plan should answer the question in the PG:
- Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
By the way, and this is important, to gain assurance on a single enterprise risk of significance, you may have to consider controls at multiple locations, in multiple departments, and within multiple systems. Auditing what happens at a single “auditable entity” often won’t give you sufficient insight into the management of an enterprise risk.
Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks.
Audit risks to the enterprise, not risks to an auditable entity.
Moving on.
The PG includes one paragraph on page 12 that is important, although not well understood and not explored further by the PG:
…internal auditors should consider that “risks represent the barriers to successfully achieving … objectives as well as the opportunities that may help achieve those objectives.” Indeed, “risks may relate to preventing bad things from happening (risk mitigation) or failing to ensure good things happen (that is, exploiting or pursuing opportunities).”
In other words, it is necessary for management not only to only take risks when justified, but also to seize opportunities judiciously.
Having set the stage, that internal audit should be addressing the more significant risks to the enterprise’s objectives, and making sure that we are agile in responding to changes in those risks (including the emergence of new ones), the PG loses its way.
The PG crashes and burns by talking about an audit universe (a list of auditable entities). It then turns everything to ashes by recommending what we used to call cyclical auditing!
The audit frequency is based upon the level of residual risk determined in the risk assessment. For example, auditable units ranked high-risk may be audited at least annually (or once every 12 to 18 months), those rated with a moderate level of risk scheduled may be reviewed every 19 to 24 months, and those rated low-risk might be audited only once every 25 to 36 months (or not at all)
This approach has been obsolete for at least 20 years.
The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out. The PG at one point even mentions moving to a 7 year plan!
To top it all off, the PG recommends a level of detail in the plan and its documentation that goes well beyond what is necessary, efficient, agile, or of interest to the executive team or the board.
OK, enough criticism. Let’s be constructive.
Here’s my advice:
- Understand the business and its environment
- Understand the organization’s strategies, goals, and objectives
- Understand how success is measured by the board and management team
- Determine which are the more significant sources of risk to enterprise objectives and build (and maintain) a risk universe
- Confirm that there would be value in performing an engagement relative to those risks, whether assurance or advisory. For example, consider whether management already has a project underway to address the issue
- Prioritize the enterprise risks based on their significance to the enterprise and the value of an audit
- Determine a strategy for each audit engagement. That may require:
- Assessing the management of multiple significant enterprise risks in a single audit of a single entity
- Assessing the management of a single enterprise risk across multiple entities in a single or multiple audits (examples are in Auditing that Matters)
- Some adaptation of these two
- Being flexible and agile, expanding or contracting the scope and level of work during the audit as needed
- Don’t spend so much time on risk assessment and audit planning that you are not getting enough audit work done
Continuously ask this question (modified slightly from that in the PG):
Which internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks to the enterprise and its objectives are being managed[i] effectively?
I was one of the members for many years of the IIA’s international committee that worked on PGs and wrote a few myself. I know there is a tension between the need to move the profession forward and the concern about leaving past practices and their adherents behind.
But I can only recommend the first 5 pages of this PG. (If you want practical guidance on enterprise risk-based auditing, please see Auditing that Matters.) Both the PG and the related standards need serious revision.
Should I resume begging?
I welcome your comments.
[i] “Managed” means making intelligent and informed decisions that include taking risk or seizing opportunities where justified, and managing or mitigating risk when appropriate.
Leave a reply to Ian Clegg Cancel reply
Norman Marks on Governance, Risk Management, and Internal Audit 
Risk universe is obsolete.
What do you use instead?
Michael, given that there is no agreement in the world about what the word ‘risk’ means (as is evident from the IIA document which uses it almost randomly …see just one example below) every confected compound noun in which ‘risk’ is either the noun or the adjective is, I would suggest, not only obsolete but without utility.
But look…..here’s a test. Whatever it might be thought that ‘risk universe’ means, explain it succinctly …. but without using either word.
The following statement in the document caught my eye as an example of the R-word problem: “……adequate assurance and advice that significant risks have been mitigated …” How can a risk (whatever that means) that is ‘significant’ (assuming that means large) have, at the same time been ‘mitigated’? And no, I haven’t forgotten that the word ‘effectively’ followed that passage…I just didn’t include it in the quote because it is meaningless. If a risk has been ‘mitigated’ (again, whatever that means) then it has been mitigated.
These problems with the many R-related edifices that act as millstones around the necks of organisations, are why in our recent book ‘Deciding’ Grant Purdy and I have suggested organisations simply rid themselves of all that and focus on making even better decisions. If an organisation wants some assurance in that regard – whether internal or externally supplied – the focus should be on the decision-making practices.
Thanks again for an insightful response to potentially one of the more influential PGs – maybe your next book should be titled “Hitting Nails that Matter”.
Assuming risk universes aren’t obsolete, one aspect which may need further debate is the extent to which CAEs need to spend valuable time and effort building (and maintaining) their own risk universe. I’ve seen too many that have become overly complex and time consuming to maintain (definitely not “nimble”) and have developed a life of their own.
Internal Audit need to be seen to be independent but should still be able to leverage the organisation’s own risk universe; providing regular and objective challenge but minimising duplication and using a consistent risk language for senior management and the board to understand. Maybe this assumes a sufficient level of risk maturity but that itself must be one of any organisation’s key objectives.
I was on the working group and made a number of these points in March and August 2019 as the PG was starting. I gave input based on my time as CAE and 10 years training on audit planning for MISTI.
I stressed in particular that an audit universe/cycle approach has no basis in the standards and – as you say – that risks are not the same as audit universe entities.
I have written to Anne Mercer who led the project to clarify why traditional approaches ended up dominating the PG.
I have asked her about the Practice Guidance writing / review etc. process.
I think there may be a question whether the guidance tries to capture the practices that some CAEs follow (who might be in close proximity to some members of the IIA) or rigorously explains the issues with interpreting the standards and the many many challenges and dilemmas in having a good plan (including the political aspects)
There is also an open question about whether the PG was shared in draft before it was issued – I cant find a record of getting it for final comments, so I’ve asked to clarify how that stage should work as well.
I’ll let you know what I hear.
Cyclical auditing aside, I have a fundamental problem with: ‘The audit frequency is based upon the level of residual risk determined in the risk assessment.’ Risks with a high residual risk rating are already being flagged and via the risk management process as needing attention and presumably are getting the right level of focus – I’m not sure what audit would add other than possibly looking at adequacy of mitigation plans? A high residual risk rating is already a negative control opinion, and should be recognised as such. Where audit should focus is on potentially high consequence risks with low residual ratings i.e. where management think that the control strategies are good. The audit opinion should confirm or challenge this view.
I agree
I agree w Norman’s positive comments.
Also agree w Mr. Clegg re: necessarily mapping audit frequency to residual risk. Seems like it would be preferable to implement additional risk mitigation measures to reduce the residual risk, which, in turn, would not require attention as often.
I think the approach suggested by the IIA seems sensible and practical.It’s in-line with my Book 2 (Compiling a Risks and Audit Universe – now being revised to take account of decision making processes) available on my website (www.internalaudit.biz). I’m not so bothered about the recommendation on audit frequency since it can help resource planning. However, it must be accompanied by a willingness to ditch the audit plan at any time if more important ‘high risk’ audits are necessary.
In relation to Roger’s comment – the decision making process is very important (Suggestions on auditing are at https://www.linkedin.com/feed/update/urn:li:activity:6668194243464589313) but it doesn’t require the abandonment of risk and controls. If that were the case we wouldn’t be bothered about having virus checking on our computers.
Hi dmgriff
I’m not sure what ‘abandoning risk’ means (as in, there is no agreement about what ‘risk’ means, but whatever any individual might think it to mean, quite how one ‘abandons’ it, I have no idea). What we suggest be ‘abandoned’ is ‘risk management’ (whatever that means). I hope you might have a chance to read our book and get a fuller appreciation of why we say this (see https://www.amazon.com/dp/B086PSL6PS) as it recognises that (i) there is always some uncertainty in relation to the outcomes of decisions, and (ii) the Decider gets to determine the degree of that uncertainty when making the decision.
So if, to use your example, one wants to buy a new laptop in order to be able to consistently carry out various tasks, vulnerability to viral attack will be a part of the decision along with price, weight, size, capacity, software etc. And if more certainty about functionality and availability is needed, the purchasing decision will no doubt include virus protection.
So we have ended up at the same place except that I’ve not had to use vague words like risk and controls (and all the associated architecture that is so amorphous as to be forever debated in these columns). Far from ‘abandoning’ such unnatural and essentially meaningless notions, I’ve simply not needed them and nor has any other Decider. Which is why, of course, that most organisations and individuals get on quite well without them and why (as is also evident so often in these columns) organisations that attempt to use them, tie themselves in knots with no commensurate benefit, despite the institutional cost.
Roger, why did you include virus protection in your decision to buy a laptop? There are plenty of other programs you won’t have considered, yet anti-virus programs consume computer resources and usually require an annual subscription without seemly adding value. Could it be that you wanted to reduce the risk of viruses corrupting your data?
What influenced your decision about which anti-virus software to purchase? You could have installed a free program but maybe it didn’t reduce the risk of a successful virus attack to below your risk appetite?
I agree that the terms around ‘Risk Management’ are difficult to define but that doesn’t mean that they are ‘unnatural and essentially meaningless notions’. As someone (can’t find who) once said of an elephant, ‘they are difficult to describe but I know one when I see one’. The difficulty in describing doesn’t render elephants unnatural.
If we agree that an anti-virus program is an essential control, is it not reasonable for an organization to employ internal auditors to ensure such programs are installed and operating properly? In other words, to make sure that decisions made have been implemented? OK, it’s a valid argument to say that this is management’s job but experience suggests that they are not 100% reliable in all areas.
I think my comment answers your question (see my point i & ii). The virus protection, together with the other components of the decision provided me with sufficient certainty of achieving my purpose. That’s why we make decisions. There is no reason why any one component of the decision should be labelled a ‘control’ – the label, which cannot be coherently defined anyway, adds nothing.
As to elephants, I don’t know how that is analogous to what you are claiming. Everyone who sees an elephant will identify it as such, No one will call it a crocodile or a pint of beer. That is absolutely not the case with the word risk. Although I haven’t counted them, there are apparently 40 different formal meanings attached to that word in the thousands of publications of the world’s principal standardisation organisation. Add to that, statutory definitions, common law definitions and those of everyday language. Last night the TV weather person said there was a risk of rain. He meant a chance of rain.
Hope this helps.
Roger, you state above, ‘There is no reason why any one component of the decision should be labelled a ‘control’ – the label, which cannot be coherently defined anyway, adds nothing.’ I would say there is a reason for labelling one component. In this example an anti-virus program does not stop with the decision. It carries on using computer resources, costing money and adding value. My question was, ‘Why does it add value?’. My answer would be that it is a process (i.e. control) which reduces the chance of data corruption and theft (i.e a risk). Even if we agree that the terms ‘control’ and ‘risk’ can’t be properly defined, the concept of them is still valid. Otherwise why would organizations be spending a small fortune on processes to prevent or detect nasty events happening?
David, you say [1] “Even if we agree that the terms ‘control’ and ‘risk’ can’t be properly defined, the concept of them is still valid.” And then you go on to say [2] “Otherwise why would organizations be spending a small fortune on processes to prevent or detect nasty events happening?” Let’s consider each in turn:
[1] If you agree (which you appear to do so) that these expressions can’t be defined, how on earth can the ‘concept of them’ be ‘valid’ (or, therefore, invalid)? I mean society does not function on the absence of meaning in the words it uses. If words have no value, how are we expected to communicate?
As to [2] most organisations (fortunately) don’t spend ‘a small fortune’ on such processes and do perfectly well by focusing on their purpose and having regard to uncertainty (as I did with my laptop) unless of course they have found themselves in the thrall of advisers who encourage them to waste (you say ‘spend’) money on such ‘processes’,
[1] Back to my elephant; it may be difficult to describe but that doesn’t stop it existing. Just as most people can recognise an elephant, I think they can recognise a risk, otherwise no-one would buy anti-virus software.
[2] I won’t disagree except to say that I don’t think good internal auditors fall into the ranks of ‘advisers who encourage them to waste (you say ‘spend’) money on such ‘processes’,
I think you have just been kind enough to further make my case DMG! No one….not even small children…..have any difficulty in describing an elephant. By contrast, even seriously minded grown-ups such as those who contribute to these columns (and most other people besides) are not able to say what either ‘risk’ or ‘a risk’ means (as either noun or adjective) or what ‘to risk’ means …… at least not in a consistent way or with any agreement.
dmgriff,
You say that most people can recognise a risk. Well, can you tell me if that word is a noun, a very or an adjective – because all three forms are used by the IIA and most people in normal conversation? Some say it’s an ‘event’, others a ‘thing’ or a scenario. Some say that it’s the consequences after an event while other use it as the likelihood of an event or of the consequences after an event.
If can explain what a ‘risk’ is, then maybe I’ll accept that most people can recognise one.
And while you are at it, maybe you could tell me what ‘control’ is? Is it a noun or a verb? The IIA never could!
Roger, I have a suspicion that a small child would have no difficulty in describing a risk (‘something nasty’) while seriously minded grown-ups would never agree on the definition of an elephant (‘But what is its exact shade of grey?’).
Roger and Grant. We’re never going to agree on this one. You’re right in that we use the word ‘risk’ in a very sloppy manner (in English, other languages may be different). We talk about ‘taking a risk’, ‘a risky venture’ ‘the risk of rain’. But that sloppiness and our related ability to exactly define ‘risk’ (and ‘control’) doesn’t mean that the achievement of our objectives is not under threat from circumstances which we choose to call a ‘risk’ and that we mitigate this risk by processes which we choose to call ‘controls’.
A risk by any other name would be as threatening (with apologies to Shakespeare – Romeo and Juliet, Act II scene II)
I’ve been performing risk-based internal audit since it was first established around 15-20 years ago… it’s great that there’s now a global PG to help promote the methodology internationally! I remain optimistic that stakeholders will now raise their expectations toward how CAEs deliver internal audit – since there are far too few opportunities to pursue it – and a general sense that the control-centric status quo must be maintained!
Paul, it was established and practiced well before that. Sorry. The practices in the PG go back to at least the 1980s and my approach dates to 1990.
Thank you for reminding me to look at the UK guidance. It was shared in 2003:
file:///C:/Users/nmark/Documents/Other%20Files/IIA%20materials/IIA%20UK%20on%20Risk%20Based%20Internal%20Auditing.pdf
Yes apologies – I meant to say ‘established as a UK guidance’ but I was not aware of the exact timeline and origin!
Norman, the PG states, ‘The audit frequency is based upon the level of residual risk determined in the risk assessment’. Isn’t there a fundamental flaw here? The audit should be checking the existence of the controls which reduce an inherent risk to a residual risk. By basing audit frequency on the residual risk the assumption is being made that the controls are sufficient and operating – before the audit has been conducted. The danger is therefore that the level of residual risk could be assessed as too low, with the result that the corresponding high inherent risks rarely have their controls checked?
Absolutely! But it is the assessment of risk (prior to auditing to confirm) that is used.
Hi Norman. I follow you avidly and really like this article of yours. I have evangelised objective (strategic and business), risk and control based auditing for years and years as our software was designed with this approach in mind many years ago. It has been an uphill battle with so many auditors still fixated on a rolling plans (annual and 3 years); so I was most encouraged by your article. I am presenting to an audit forum next week and wondered whether I could use some of your points in my presentation. I will reference you and this blog. Please advise? Kind regards Jonathan Crisp, Director, BarnOwl GRC and Audit sofware, South Africa
Absolutely!