Is risk-based audit the best approach?
When I became a chief audit executive (CAE) for the first time in 1990, I determined that a risk-based approach was not sufficient.
A risk-based approach focuses on how well management can handle a potentially bad event or situation. It assesses the design and operation of the internal controls relied upon to prevent losses or other bad effects, such as financial statement errors, fraud, or reputation damage.
The risk-based approach is suggested by IIA Standards, as described in Risk Assessment in Audit Planning from IIA Belgium that Marinus de Pooter was kind enough to share with me. It quotes relevant IIA Standards:
- IIA Standard 2010 … requires “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit.”
- IIA Standard 2010.A1 … requires that “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process”.
It says:
- These standards require the Head of Internal Audit (HIA)2 to develop a risk-based plan. The HIA should take into account the organisation’s risk management framework, including risk appetite levels set by management for the different activities or parts of the organisation. If a risk management framework does not exist, the HIA uses his/her own judgment of risks after consideration of input from senior management and the board. The HIA must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programs, systems, and controls.
- The main challenge faced by majority of internal auditors is how to allocate limited internal audit resources in the most effective way – how to choose the audit subjects to examine. This requires an assessment of risk across all the auditable areas that an auditor might examine.
I do not recommend the IIA Belgium guide for several reasons, including the fact that in the detail it talks about identifying and assessing the risks to the objectives of auditable entities (the audit universe, a concept that should be retired) instead of the risks to the objectives of the enterprise (captured in a risk universe).
When I became CAE, that was the prevalent thinking, to risk-prioritize auditable entities. I started talking, instead, about enterprise-risk-based auditing.
XX
But there are times where we should be focusing more on where we can add value rather than where the greatest sources of enterprise risk lie. While they are more often than not the same, that is not always the case.
XX
First, there are situations where the level of risk is and should be considered “low”, but there is great value that could be mined and delivered by internal audit.
The first of these that I experienced as CAE was highlighted by the chair member of the audit committee, Clarence Frame. Tosco at that time was a $2b revenue oil refining and marketing company. However, its roots were in its name.
In a previous era, the name of the company was The Oil Shale Company, abbreviated to TOSCO and later changed to Tosco when it found that there was no money to be made mining oil shale. It acquired a number of oil refineries[1] and concentrated on that space.
However, it continued to own land with oil shale deposits and the water rights crucial to any future mining activity.
Clarence was concerned that the company complied with the rules that mandated certain continuing activities if it were to maintain those water rights.
There was no associated revenue, only costs, and management had no desire to spend any time on the past dreams of its founders.
The risk was that we would lose the rights, and we all knew that would have no effect on the company’s operations or results in the foreseeable future.
But Clarence and the audit committee, with some support from the CEO, saw value in knowing that appropriate actions were being taken to preserve the potential long-term revenue from oil shale. If the price of crude oil rose significantly (seen then as highly unlikely), the oil shale and water rights would be of high value.
We know now that Clarence was right and the rights needed to be preserved. By the time the oil shale became viable, Tosco had been sold to Phillips Petroleum (now part of Conoco) and I had moved on.
We completed the audit and found that certain actions were required to preserve the rights. Management reluctantly agreed and the shareholders of the successor companies have benefited.
We should always pay attention and consider audit projects that are of high value to the audit committee or CEO. They are not, in my opinion, automatically included but should be given strong consideration.
XX
Then there are situations where the risk is high, but the value of an audit is low.
For example, when I started as CAE at Solectron, the company was still engaged in acquiring smaller businesses and their assembly plants around the world. It was a contract manufacturer for electronics companies like IBM and Intel and our >120 plants served their needs around the globe. But 120 was too many and the average utilization rate (which measured how much of our capacity we were using) was well below 50%. Costs were rising at the same time as our competitors were pushing sales prices down. They were able to use their factories more efficiently and it showed in their competitive bids.
There was a serious possibility that the market would continue to put pressure on sales price, maybe even more pressure, and if we didn’t do something to seriously rationalize our footprint we would go out of business.
I had this as a high-risk issue.
But when I started looking further into the problem, I found that management had already established a high-power task force to assess the situation and make recommendations.
It was clear to me that the right work was being done by the right people, with access to and support from top management.
There was little to no value to any audit project, whether assurance or consulting. I considered an audit to evaluate whether management had sufficient reliable information to enable an informed decision, but the task force leaders assured me that they did.
I continued to monitor the project through periodic meetings with the task force leaders.
XX
The risk-based approach tends to focus on the possibility for harm. But, auditors should also consider whether management has controls and procedures to ensure they are seizing opportunities.
For example, I have seen:
- Situations where controls could have been improved to ensure management is aware of and putting the best resources towards not only winning a sales contract but optimizing it.
- Opportunities that were not recognized by management to deploy new technology and realize great benefits. Sometimes, it was technology that had been acquired but was under-utilized. Sometimes, it was because management didn’t have any discipline about understanding how new technologies could be used in its business.
XX
Finally, there are situations where there really isn’t a risk as such. I am talking about where the concern is not about something that might happen at some point in the future, but with the current situation.
For example, at Maxtor the cost of our manufactured product (hard disk drives) was greater than that of our competitors. The reason was two-fold: we had some manufacturing operations in high-cost California, while our major competitor had similar manufacturing in China; and, we had outsourced some manufacturing of essential parts to a Taiwanese company where we were a minor customer, while our competitor had it all in-house in China. As a result, we were unable to develop a next-generation hard drive at a cost that would enable us to make money.
I spent a fair amount of time on a consulting project, looking to see whether there were opportunities to realize cost savings and then sitting in with management as we planned a new site in Thailand or Vietnam to replace that high-cost California operation.
XX
Putting this together, I believe in a tweak of the risk-based audit approach. It should be enterprise risk and value auditing.
What do you believe in?
[1] and a fertilizer mining company on the whim of its president, soon to be sold.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
Norman, entirely agree with you except for the change of name to ‘enterprise risk and value auditing’. Although I use the term ‘risk-based’ internal auditing extensively in my books (www.internalaudit.biz), I don’t like it. I would much prefer the term, ‘objective –based’. The problem arises because ‘risk-based’ is badly defined. I would much prefer that a risk-based audit is one which provides an opinion on whether the organisation is likely to achieve its objectives, based on the management of opportunities and risks. This then encompasses your suggestion for a name change.
The standards don’t help because they don’t require that the CAE
– Checks that management have properly carried out the process of determining the organisation’s objectives, the opportunities benefitting their achievement and the risks threatening their achievement.
– Uses the management’s assessment of risk (and opportunities) as a basis for the audit plan.
– Or reports to the board that management’s assessment is not suitable as a basis, and what are they going to do about it?
– Provides an opinion on whether the organisation is likely to achieve its objectives.
I trust that the upcoming review of the IPPF will rectify the situation
.
I am concerned about the comment, ‘The main challenge faced by majority of internal auditors is how to allocate limited internal audit resources in the most effective way’. If a reliable opinion cannot be provided to the board because of lack of resources, the board (and audit committee) should be informed.
If a risk based audit should provide an opinion on the likelihood of the organisation achieving its objectives, it will focus on where value can be added (or preserved). Looking at your first example (TOSCO) my definition would include this audit, since an objective of the organisation is to preserve value. In your second example, I think you carried out an audit (‘But when I started looking further into the problem’). In your third example, my definition would identify this as a risk.
So, ‘Is risk-based audit the best approach?’ No, not as currently (ill-defined) by the IIA but yes if it is properly defined around the achievement of objectives.
David, I have seen you and Tim propose that concept. I have not gone that far for these reasons:
1. We cannot opine on management’s judgment in decision-making, We can only assess their related processes and controls.
2. We are not the right people to assess the level of risk to objectives nor the consequent likelihood of achieving objectives. That is a management responsibility. We can only assess whether they have reasonable processes to do so.
3. We are in practice still assessing the controls, but this time with a greater emphasis on their design. We are not auditing the objective or even the level of risk – just management’s way of doing that.
Norman, I’m not suggesting that IA opine on management’s judgement or the level of risk and therefore agree with the points in your comment 3. However, I am trying to make IA’s conclusions more relevant to management than, ‘the controls are satisfactory’. By assessing the controls relevant to the most significant opportunities and risks, IA does come to a conclusion about their effectiveness and therefore the likelihood of the organisation achieving its objectives, for the activities audited. I appreciate that IA may be ‘sticking its neck out’ by coming to such a conclusion and really should add, ‘unless the board screw things up by ignoring all the controls over decision-making’ but it has to produce conclusions which are seen as directly relevant to the board.
LOL
IIA Australia published a value based internal audit factsheet in 2020. It may be helpful Norman.
Thank you. It can be found at https://iia.org.au/sf_docs/default-source/technical-resources/2018-fact-sheets/fact-sheet-value-based-internal-audit.pdf?sfvrsn=2