PCAOB Audit Risk Management – Widening the Risk Management Chasm

In November I noted the release of ISO 31000 Risk management – Principles and guidelines. December saw the release of the Society of Actuaries' extremely interesting and informative paper titled “A New Approach for Managing Operational Risk”. Both papers were relatively brief and insightful. I’d go so far as to say they offered real breakthroughs in risk management.

I would argue that neither of these standards has the reach and impact of the risk management practices used by the auditing profession. The first two risk management standards are progressive. The risk management standards used by auditors are anything but.

On December 17 the PCAOB issued Release No. 2009-007, “PROPOSED AUDITING STANDARDS RELATED TO THE AUDITOR’S ASSESSMENT OF AND RESPONSE TO RISK”. The proposed standards are intended to update the previous 1980s-vintage thinking about audit risk and address 7 specific areas:

  1.  Audit Risk
  2.  Audit Planning and Supervision
  3.  Consideration of Materiality in Planning and Performing an Audit
  4.  Identifying and Assessing Risks of Material Misstatement
  5.  The Auditor’s Responses to the Risks of Material Misstatement
  6.  Evaluating Audit Results
  7.  Audit Evidence

These proposed standards do little or nothing to address the root cause of financial or corporate failure. They are intended to prevent audit failure. That is a far different thing. The revised PCAOB risk management standards remain uninfluenced by any new thinking, tools, techniques or other progress in risk management outside of the closed audit community, and I would argue that, at 251 pages in length, they are not intended to be read, and certainly not followed or practiced, by anyone outside the audit community.

 In fairness, perhaps the auditing profession and its standard setters could make the same claim of indifference against the risk management profession. There is a huge intellectual and professional chasm between the audit and risk management communities. The chasm serves no one.

 Here are several questions where I believe the PCAOB standards miss some important information that should have some influence on audit risk.

  • Why is the concept of loss event reporting and incident tracking not considered more formally as a source of relevant audit risk information?
  • Why is business performance, including key performance indicators, not considered formally as a risk factor?
  • Why is incentive compensation considered as a risk factor only briefly, with little guidance provided?
  • Why is root cause analysis of control failure not considered and required?
  • Why is residual risk not considered, at least in any manner familiar to risk professionals?
  • Although human behavior is considered under several names, most notably as “management override of controls”, why are the knowledge, skills and motivation of staff not explored deeply, in spite of the prevalence of human error behind corporate and audit failures?
  • Why are company codes of conduct and the status or depth of their implementation not explored more deeply?
  • Why is the quality, or lack, of any self-assessment of risk or controls by management not given more weight as a risk factor?
  • Why is the existence or quality of a client’s enterprise risk management program not more formally considered?
  • Why do the standards not require the self-reporting and root cause analysis of audit failure, just as SOX requires deficiency reporting?
  • Why are auditors not required to use cultural surveys of their clients as part of their risk audit assessments?
  • Why have the standard setters not adopted more formal quantitative techniques in making the proposed changes?

What we learned from PCAOB AS2 and later AS5 was that audit standards dramatically impact management behavior. What do the proposed PCAOB standards contribute to the understanding and management of business risk? Will they drive down, or at least warn us of, impending catastrophic corporate failure? Do they build on the knowledge and experience of the risk management profession generally?

These standards may prevent audit failure, although they require no one to keep track. They will not make business more resilient or improve governance performance.

This entry was posted in Compliance, Risk Management, Sarbanes-Oxley.