ERM and the Internal Audit Plan

Internal audit should have a plan for the work it will do, and by now we all know that the audit plan should be continuously updated. It should be designed to address the more significant risks to the enterprise and its success.

Management should have an enterprise risk management program that helps it identify and anticipate all the things that might happen (both risks and opportunities) that could affect the achievement of its objectives and, with them, its success. That information enables management to make the necessary informed and intelligent tactical and strategic decisions.

There is synergy, but it is not 100%.

Internal audit should try to take advantage of the work management and the CRO have done. But first it must audit their ERM program to ensure it is reliable.

Assuming it is reliable (meeting the needs of the organization, not just a compliance activity), it should provide the audit team with valuable information about management’s view of threats and opportunities.

The audit team doesn’t simply take those same top risks and opportunities and slot related audits into the audit plan. It has to do at least these two things:

  1. Determine whether any assurance, advice, and insight from internal audit on those top risks and opportunities would be of value to top management and the board. Would there be a satisfactory ROI on the cost of the audit? I have discussed this in earlier blog posts. For example, if there is already a high-powered initiative to address the risk, an audit engagement might not add sufficient extra value.
  2. Identify the root causes or drivers of the risk or opportunity. This should help determine where and how an audit should be performed. An audit is usually focused at a more granular level than what is reflected in the ERM program. For example, at Solectron one of our greatest sources of risk was our ability to source critical components of the necessary quality, to be delivered on time, at a low cost. We had more than 100 factories and we needed to decide which locations and which (if any) corporate functions to include in the scope. I selected four factories on three continents and the corporate materials sourcing department. The team performed four consecutive audits, each with its own audit report, followed by a report with an overall assessment and insights.

But there is one more very important point to be made.

The ERM program assumes that the controls relied upon to manage risks and assure opportunities are functioning as needed.

That is not always reality.

In fact, one of the values of internal audit is to tell management when those controls are not working, almost always surprising leadership.

I am not a big fan of the term ‘inherent risk’ because of the way it is often defined as the level of risk in the absence of controls. (There are other definitions, especially when talking about the risk of a material misstatement of the financials, but let’s stay with this one.)

The best argument against the term is that it is highly unlikely that all related controls will fail.

But there remains a possibility that one or more controls will not perform consistently as required to maintain risk at desired levels or better.

The possibilities of one or more controls failing and the range of effects of such control failures represent what I call ‘control risk[1]’.

What this means is that even though management may assume that a risk is low because of its related controls and procedures, there is no certainty that the latter are:

  • Adequately designed to address the risk, and
  • Operating consistently and effectively as designed

I wrote about the approach Andrew MacLeod used to develop the audit plan as CAE for Brisbane City Council in Auditing that Matters.

He starts with the level of (current) risk defined in the enterprise risk assessment. But then he considers the likelihood that the controls relied upon to manage risk at that level might fail.

Sources and indicators of control risk might include:

  • A history of control failures, especially those detected in prior audits
  • Inexperienced process and control owners
  • Changes to systems
  • Concerns about management and their supervision of the work performed
  • Changes to the business, especially if there is high volatility
  • …and so on

Andrew would also consider other factors in his assessment of the likelihood that controls might fail. An example would be the time since the last audit of related controls.

The table below illustrates my interpretation of the Brisbane City Council approach.

| Area | Inherent Risk (a) | Residual Risk (b) | Effect of Controls (c = a − b) | Confidence in Controls (d) | Adjusted Effect of Controls (e = c × d) | Adjusted Residual Risk (f = a − e) |
|---|---|---|---|---|---|---|
| Customer Credit | 300 | 50 | 250 | 90% | 225 | 75 |
| Inventory Valuation | 200 | 50 | 150 | 80% | 120 | 80 |
| Investments | 150 | 50 | 100 | 70% | 70 | 80 |

The first column shows the level of inherent risk. Customer Credit rates highest of the three in the example, followed by Inventory Valuation and Investments.

The second column shows the level of residual risk, with the third column representing the effect of controls. For example, inherent risk for Customer Credit is assessed as 300, but if the controls over Customer Credit are working as they should the level of risk (i.e., residual risk) is reduced to 50.

Taking multiple factors (such as discussed above) into account, internal audit determines how confident they are that the controls are in fact operating effectively as desired. (This is not as quantitative as it looks. The 90% confidence level for Customer Credit is very much a matter of judgment and experience.)

Based on that, internal audit calculates an adjusted value for controls and, accordingly, for residual risk.

For Customer Credit, the 90% confidence level (or 10% lack of confidence) reduces the effect of controls from 250 to 225. Audit’s adjusted residual risk changes from 50 to 75.

Looking at all three areas of risk, this model has changed the risk priority. Customer Credit has moved from first to third.
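The adjustment the table walks through, as an added example written for this post (not code from the original); the RiskArea class, the function names and the percentage-based arithmetic are my own choices, and the figures are the three rows from the table.

```python
from dataclasses import dataclass


@dataclass
class RiskArea:
    name: str
    inherent: int        # a: level of risk with no reliance on controls
    residual: int        # b: level of risk if controls work as designed (ERM view)
    confidence_pct: int  # d: audit's judgement that the controls really operate, 0..100

    @property
    def effect_of_controls(self) -> int:
        # c = a - b: how much the controls are relied upon to reduce the risk
        return self.inherent - self.residual

    @property
    def adjusted_effect(self) -> float:
        # e = c * d: discount the controls by audit's confidence in them
        return round(self.effect_of_controls * self.confidence_pct / 100, 2)

    @property
    def adjusted_residual(self) -> float:
        # f = a - e: the risk level audit should plan against, not the ERM residual
        return self.inherent - self.adjusted_effect


# Constructed sample data: the three rows from the table in the post.
AREAS = [
    RiskArea("Customer Credit", 300, 50, 90),
    RiskArea("Inventory Valuation", 200, 50, 80),
    RiskArea("Investments", 150, 50, 70),
]


def rank_by_inherent(areas):
    """Priority order implied by inherent risk alone (highest first)."""
    return [a.name for a in sorted(areas, key=lambda a: a.inherent, reverse=True)]


def rank_by_adjusted_residual(areas):
    """Priority order once controls are discounted by audit's confidence.
    Ties keep their original order (Python's sort is stable)."""
    return [a.name for a in sorted(areas, key=lambda a: a.adjusted_residual, reverse=True)]


if __name__ == "__main__":
    for a in AREAS:
        print(f"{a.name:20s} c={a.effect_of_controls:4} e={a.adjusted_effect:6.1f} f={a.adjusted_residual:6.1f}")
    print("ERM order:  ", rank_by_inherent(AREAS))
    print("Audit order:", rank_by_adjusted_residual(AREAS))
```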

I develop a prioritized list of potential audit projects based on a combination of (a) where I can add value to what management and the board consider to be the top risks and opportunities facing the organization (which tends to assume controls are present and functioning), and (b) an analysis like Andrew’s.

I don’t commit to any timeframe beyond three months for performing any of the projects on the list, because business conditions, risks, and opportunities are changing all the time.

In a fluid environment, my commitment is not to performing these audits at a specific future date. My commitment is to perform the right audits all the time.

I welcome your thoughts.

PS – Join me to discuss the above on Wednesday on Auditopia.

[1] I realize there are other definitions, but this makes more sense to me.

  1. Sparkles ⭐️
    June 24, 2021 at 10:45 PM

    I liked your point on assessing the reliability of ERM. Sometimes as internal auditors we get granular, but lose focus on the bigger picture.

  2. Souzan Alowesie
    June 25, 2021 at 7:12 AM

    I don’t understand the difference between Risk controls and Risk Response and when they should be used?
    Thanks
    Souzan

    • Norman Marks
      June 25, 2021 at 7:30 AM

      Souzan, I don’t see a huge difference. The organization should have controls in place to address known risks and opportunities. However, when the risk changes or a new one appears, they may need to change or add controls in response.

      Hope that helps.
