Is risk-based internal auditing a myth?
Are internal auditors fooling themselves when they say they are using a risk-based approach?
My good friend and esteemed[1] risk management practitioner and thought leader, Alexei Sidorenko, challenged me to disagree and comment on one of his latest posts: Creating a risk-based audit plan, is it a myth?
Have a look at what he wrote and then come back to my comments.
You might be interested in a debate Alex and I had on ERM, integrating risk assessment into decision-making and success management.
Alex is correct with several of his observations, including several criticisms of the IIA’s May 2020 practice guide (PG), Developing a Risk-Based Internal Audit Plan.
He quotes the second part (italicized for convenience) of this section of guidance (recommended, not mandatory guidance):
Organizations that have implemented ERM may have created a comprehensive risk register (also known as a risk inventory or risk universe). Internal auditors may use management’s information as one input into internal audit’s organizationwide risk assessment. However, in alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately.
The notion that internal audit should “validate that all key risks have been documented” is wrong- explained in a bit.
Returning to earlier in the PG, it says:
This practice guide describes a systematic approach to creating and maintaining a risk-based internal audit plan. The CAE and assigned internal auditors work together to:
-
- Understand the organization.
- Identify, assess, and prioritize risks.
- Coordinate with other providers.
- Estimate resources.
- Propose plan and solicit feedback.
- Finalize and communicate plan.
- Assess risks continuously.
- Update plan and communicate updates.
This ignores the fact that MANAGEMENT IS RESPONSIBLE FOR RISK ASSESSMENT AND MANAGEMENT of the organization.
Internal audit should assess whether MANAGEMENT is doing this sufficiently well to make informed and intelligent strategic and tactical decisions. That is not the same as doing “their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately”. Audit the effectiveness of the ongoing processes, not a single point-in-time assessment, as Alex points out towards the end of his piece.
If it reliable, internal audit should base their own audit plan on management’s risk assessments.
Some additional work will be needed to define audit activities at an appropriate level of granularity.
If management is not doing this well:
- Make sure senior management and the board realize the risk (pun intended) they are taking by not having an acceptable understanding of what lies ahead.
- Perform sufficient work (and no more) to understand the more significant risks where an audit project can add value, and base the audit plan on that.
Before continuing with Alex’s points, three more of my own.
The PG states:
Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling,” subject to minor changes at any time.
A quarterly update, or a more continuous one that is limited to “minor changes”, is probably insufficient. As Richard Chambers and I have been saying for many years, the audit plan should be updated at the speed of risk and the business, i.e., continuously if needed. That may mean major changes!
It also says:
Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
When will everybody understand that risks have to be taken and not necessarily mitigated if you are to succeed? Sometimes, the best business decision is to take more!
Then there’s this:
Once the major strategies and objectives have been identified, the CAE may want to create or review the audit universe, which is a list or catalog of all potentially auditable units within an organization. Auditable units may be any “topic, subject, project, department, process, entity, function, or other area that, due to the presence of risk, may justify an audit engagement.”
An audit universe simplifies the identification and assessment of risks throughout the organization. It is a step toward discovering which auditable units have levels of risk that warrant further review in dedicated internal audit engagements.
The PG doubles down on this error with:
This organizationwide risk assessment enables the CAE to focus on those risks that rate among the most significant and to identify manageable, timely, and value-adding engagements that reflect the organization’s priorities. This typically results in a plan that addresses around 15 auditable units on average.
We are not in the business of auditing “auditable units”.
We are not in the business of auditing risks to those “auditable units”.
We are in the business of providing assurance, advice, and insight related to risks to the enterprise as a whole!
The concept of an audit universe should be discarded. It is not only obsolete but it is leading internal audit organizations astray, auditing risks that may be important to a unit but not to the enterprise.
Instead, we should have an (enterprise) risk universe.
Those are what we may audit. The risks in that universe may exist and depend on activities at one or more entities within the organization, but our objective is (should be) to provide assurance, advice, and insight on those enterprise risks.
Alex also criticizes the notion of ‘inherent risk’. While I share his concern, I can see situations where we need to know more than the current level of risk, which assumes that controls are adequately designed and functioning effectively.
The level of risk may be acceptable if quality controls are in place. But we need to audit those areas where the risk level would be unacceptable if the controls were deficient.
That’s my first area of disagreement, although it is mild.
Then he picks on another issue: the use of heat maps. He quotes the PG:
Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.
I have to smile when I read his response:
Ok, this is all you really need to know about IIA level of competency when it comes to risk management. Heatmaps have been scientifically proven to misprioritise risks and be “worse than useless” Let me make this very clear, IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of a Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.
I also hate heat maps, and I have explained that multiple times in this blog and in my books.
But let me make one point.
Since it is a MANAGEMENT responsibility to assess risks to the enterprise, I did not share my risk assessment in any level of detail with management or the audit committee.
My responsibility was to share my audit plan and be prepared to explain why each project was included and others were not.
I did not want to lead management to rely on my risk assessment in running the business.
I did not follow the advice in the PG when it says:
CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.
I met with management:
- To obtain THEIR assessment of enterprise risks, and later
- To review and discuss the audit plan.
Alex asserts:
The biggest lie IIA ever sold business is that auditors understand risk management.
This is only partially true.
Many auditors understand risk management. (How many risk practitioners do, Alex?)
They understand it to the level needed to build and maintain an audit plan that will provide valuable assurance, advice, and insight on the more significant sources of risk to the enterprise.
The fact that the PG is seriously deficient is not proof that the whole profession is incapable of risk-based internal auditing.
In fact, the Chartered Institute of Internal Auditors (the IIA’s UK affiliate) shared an excellent position paper on Risk-Based Auditing in 2003. Why it hasn’t been updated and used by IIA Global escapes me!
There is, admittedly, a long way to go for many internal auditors, which I why I have written and urge them to read Auditing that Matters and the follow-up, Auditing at the Speed of Risk with an Agile, Continuous Audit Plan.
By the way, I 100% disagree with Alex’s checklist at the end of his post. He has forgotten to stress that risks should be assessed based on how they might affect the achievement of enterprise objectives.
I welcome your thoughts.
By the way: I have over time received criticisms for the way I have come down on guidance from others, whether it be guidance from the IIA, Grant Thornton, or someone else. I hear that. But when people are spreading misguidance, I feel an obligation to make it clear why it should not be followed.
[1] Alex has received extensive recognition from the risk management community, including, FERMA 2021 Risk Manager of the Year; 2021 RIMS ERM Award of Distinction – International Honoree; RUSRISK 2014 Best ERM Implementation; and RUSRISK 2014 Best Risk Management Training. He runs the Risk Awareness Week series of presentations, which I recommend.
Leave a comment
Norman Marks on Governance, Risk Management, and Internal Audit 
Shared with my team. TY Norman
Norman: Quite a robust discussion; some cynical, most comments thoughtful
I generally agree with you Norman. I was involved with the IIA UK chapter in developing some its approach to ‘Risk-based’ auditing and think this approach should have been adopted by the global IIA.
Internal auditing has always been ‘risk-based’ since internal auditing is all about internal controls, which exist to manage risks, which threaten objectives. The difference between now and say, 50 years ago, is that some internal auditors recognise that you therefore base the audit work around risks, not audit checklists. The big leap, as you have highlighted, is to recognise that risks are identified by management and the audit plan should be based around these. This was one of my comments to the IIA about the update of the Standards.
I understand your comments about ‘auditable units’. An audit should primarily be aimed at providing an opinion about whether an objective will be achieved, based on the effectiveness of the controls boosting benefits and minimising threats. So an ‘auditable unit’ is best based around objectives.
You comment, ‘We are in the business of providing assurance, advice, and insight related to risks to the enterprise as a whole!’. I think this is rather broad and could apply to some other functions within an organisation (especially risk management). IA differs because it provides an independent and objective opinion on the management of risks throughout the enterprise. Such an opinion may not provide any ‘assurance’! No other department does this.
David
http://www.internalaudit.biz
Norman, As normal, I agree with most of what you mention. One point needs further discussion. You state: “The concept of an audit universe should be discarded. It is not only obsolete but it is leading internal audit organizations astray, auditing risks that may be important to a unit but not to the enterprise.”
I like the concept of audit universe as it brings in the practicalities of an efficient and effective audit. Risk assessment is to be done at a higher level (with cascading down into more detail as required – which usually is), but assessing whether management is properly managing those risks is best done in discrete “parts” in many circumstances (e.g., FX risks, tax compliance, acquisition integration, procurement). It is more efficient to audit in a planned, efficient manner thinking about “audit units” than having a bunch of auditors running around doing little bits of work in various parts of the world and in different businesses in a frantic manner.
Audit units are not the focus, but are a way to organize and plan the nuts and bolts of doing an assessment of a risk being managed in many different parts of an organization.
Doug, may I suggest that you identify which enterprise risk needs to be addressed and only then identify where the related controls exist? Then you audit those controls, which is where the “units” come in.
This leads you to auditing the controls over the risks to the enterprise, and when you perform an audit at a “unit” you only audit the controls over the risks that matter to the enterprise.
You are also able to see how controls at the various “units” work together (or don’t) to address enterprise risk.
You don’t need a list of auditable entities for that. Its muda.
Except when the “controls” you are considering take you to the same work group or location multiple times in a given time period. It is more efficient to go their once and cover all important aspects at one time. I couldn’t see going to Singapore once to warehousing/puchasing, then go for FX trading, then go for global invoice processing, etc. It was more efficient and better run audit to cover each of these in a single visit looking at multiple areas. We went there not because it was Singapore, but becasue it was in Singapore aspects of the important risks were being managed.
Doug, you have choices. Whichever is better for you and the client.
With upfront planning, you can go to Singapore and audit the controls that matter to multiple enterprise risks, whatever they may be. Just as long as you limit the audit to them. I think that is what you are describing.
Or, you can have multiple audits and visits. Maybe that’s better for the client, splitting up the burden on them. Maybe some of the audits are virtual
Either approach may be more efficient.
Agreed
My feeling is that the meaning of ‘risk-based auditing’ should be revisited. I would prefer the starting point to be the business objectives and their relative negotiability i.e. a differential focus on those outcomes where a high level of confidence regarding delivery is required. Audit projects should then be planned an initiated taking cognisance of the fact that (to quote you Norman)
“MANAGEMENT IS RESPONSIBLE FOR RISK ASSESSMENT AND MANAGEMENT of the organization.
Internal audit should assess whether MANAGEMENT is doing this sufficiently well to make informed and intelligent strategic and tactical decisions.”
Have risks been sufficiently recognised and understood in defining the pathway to delivery of objectives? Are risks to execution of the pathway properly identified and managed? How is this being monitored and performance managed? How is management responding to the information produced? Are management confident enough regarding delivery and do they actually have an informed basis for this opinion?
The tendency to make the starting point the risks themselves is too far down the line in my opinion.
I understand your point, Ian. Mine is that in order to understand the risks you need to know the objectives.
We are not providing an opinion, though (IMHO), on the achievement of objectives but on the adequacy of related risks – and in so doing indicating their potential effect on the achievement of objectives.
As I understand enterprise risks, these are risks that could impact the entire organization. Such risks are often external to that organization, such as social unrest, supply chain issues, pandemics, regulatory changes, etc. These are not areas where internal audits are effective. External threats are rarely managed by internal practices. To be sure, we can audit the decision making processes used to address those risks, but that’s essentially a single audit as the decision makers are the same senior executives of the organization. It sounds good to say we are auditing enterprise risks, but our value can be more broadly provided by assessing both enterprise AND business unit risks. It also helps focus the audit team to assess a more defined scope in an audit. Ignoring the “audit universe” is one way to lose audit focus and reduce audit’s value to the organization.
Richard, enterprise risks are all the things that might happen and affect the achievement of enterprise objectives. The distinction is that they relate to enterprise rather than unit objectives.
Most are internal and we can audit them.
But we can also audit how management understands and addresses risks that come from external actions, whether it be customer or supplier actions, government regulations, etc.
Thank you Norman, read in detail now and agree with your points and agree that most risk managers also don’t understand risk management. Your point re checklist is noted, I just take “affect the achievement of enterprise objectives” as a given and not mention it explicitly.