Who Should Test The Risks?

I recall a discussion many years ago with an audit executive of one of the world’s largest banks, one that has not required any bail out money in the current financial crisis.

This particular bank, at that particular time, had a fairly robust and widely disseminated risk management program designed to maximize management involvement in the risk management process. During the discussion the executive made a curious comment to the effect that the audit department did not automatically accept management risk assessment information at face value and spent considerable time confirming the risks identified by management, adding additional risks and confirming the assessment of risks in terms of inherent and residual risk. The risks we were discussing were primarily operational risks and enterprise risks.

What brought the discussion to mind recently was the Institute of Internal Auditors' new Practice Advisory 2010-2, “Using the Risk Management Process in Internal Auditing”. I refer specifically to paragraph 9, which describes factors the internal auditor considers when developing the internal audit plan. This paragraph is not the central focus of the Practice Advisory, and practitioners should read the entire advisory and form their own conclusions, but it comes as close to requiring that risks be “tested” as anything I have seen in professional auditing literature. I like it.

Using definitions of inherent and residual risk common to risk management professionals (decide for yourselves whether the IIA intends these to be used), an internal auditor taking this paragraph to heart would find themselves spending significant time confirming or revising (i.e. “testing”) the organization's libraries or registers of inherent and residual risks. My guess is that it would require a significant amount of time to perform this task and would significantly shift the role of internal auditors from a focus on control examination to a focus on traditional risk assessment, including forming an opinion on the reliability of management's risk assessment, if any.

What would internal auditors find if they “tested” risks? Recent studies, including the Report on the Current State of Enterprise Risk Oversight conducted by NC State University on behalf of the AICPA (http://www.aicpa.org/download/audcommctr/AICPA-Research-Study.pdf), suggest that many, if not most, internal auditors would find no formal or reliable risk assessment to support the internal audit plan.

Two of the report's many notable findings are cited below:

“Despite these findings, 44% of respondents have no enterprise-wide risk management process in place and have no plans to implement one. An additional 18% without ERM processes in place indicate that they are currently investigating the concept, but have made no decisions about implementing ERM.

Forty-three percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Over 75% indicate that key risks are being communicated merely on an ad hoc basis at management meetings.”

It is unlikely that these findings will come as a surprise to anyone in the internal audit profession. But in the absence of a formal, reliable risk assessment prepared and certified by management and confirmed by internal audit as part of the internal audit planning process, is it appropriate to “test” controls?

Ask yourself these questions. If your physician didn't bother to assess your health risks by conducting a diagnosis and testing for health risks using standard medical procedures, would you consent to surgery or accept medication? Would your physician lose their license to practice? If your automobile mechanic began to work on your car without performing diagnostic procedures, would you pay the bill? Would you trust their work?

My point is a very simple one. I don't believe the role of internal auditors is to test controls or, for that matter, even to conduct audits as we know them. I don't believe the IPPF requires those things, although there is a strong bias to do so. The role of internal auditors is to provide assurance. And if risks are not reliably identified and assessed, assurance on control effectiveness is unlikely if not impossible. The audit literature is full of guidance on documenting and testing controls. That represents a small fraction of where assurance is required. I think we need to “test” risks first.

This entry was posted in Risk Management.

One Response to Who Should Test The Risks?

  1. Couldn't agree more. I think a fundamental problem is the mindset of internal auditors which, in part, derives from its definition. I would like to see a definition clearly in terms of risk management such as: “Internal auditing provides an independent and objective opinion to an organisation's management as to whether its risks are being managed to within the risk appetite defined by the controlling body”.
