Risk Rating the Audit Universe: Focus on Economic Value

It will soon be time for most Chief Audit Executives to prepare another version of the Risk Based Audit Plan.

As a CAE, I encouraged the use of a risk based approach to allocate resources to the annual work plan. Looking back with the benefit of many years of hindsight, I realize now that the factors I considered were completely wrong.

Most risk models use risk factors such as impact, likelihood, materiality, asset liquidity, management competence, quality of and adherence to internal controls, degree of change or stability, timing and results of last audit engagement, complexity, and employee and government relations.

I’ll come back to those variables in a moment. But the first thing a CAE must determine is what constitutes the audit universe. Usually that begins with a copy of the organization chart and a copy of the financial statements or chart of accounts. That is a mistake.

I often use an anecdote to illustrate how wrong I got it as a CAE. As Chief Auditor of an upstream oil and gas company, my audit plan consisted of the usual audits of capital expenditures, computer systems and business activities. Never in my years as CAE did I direct my staff to audit the company’s oil and gas reserves.

I made the mistake of looking at the financial assets of the business and the organization structure when considering my audit plan. I should have been building my audit universe based on the economic value of the business and the activities that created that value. That would have led me straight to the oil and gas reserve booking process and a review of the complex engineering, geological and economic factors involved. It would have led me to the land acquisition process and an evaluation of geological and seismic activity. I looked at none of those things. I’m sure other people did, but I was the one reporting to the board audit committee on the state of internal control. And I was examining internal control over some relatively trivial activities.

As for the risk models that give weight to such things as liquidity, complexity, degree of change or stability, etc., they are probably equally wrong. I have found that the risk factors whose presence or absence is most predictive of success or failure are these:

1. Control Environment as defined by COSO: Look for Capability, Integrity and Accountability.

2. Monitoring business performance. COSO Monitoring focuses on control monitoring. Business performance is a good indicator of effective control.

3. Risk assessment. Look for the quality of the risk assessment processes management has in place.

In my view, an audit universe that focuses on the economic value and value adding processes, and uses these three criteria to allocate resources, is the key to risk based planning. The economic value may not lie on the balance sheet. It could lie in intellectual property, contracts, or other things that are not represented on the balance sheet. And the value adding processes may not be the financial processes defined in SOX.

I spoke recently with an IT audit executive who wanted to build an audit universe and 5 year audit plan based on his company’s 4,000 servers. A few years ago I may have considered such an approach. Today I believe it is fundamentally wrong.

Most companies seem to have their own version of a risk based approach and have developed or use their own risk rating criteria. I’d love to hear what you consider to be best practices in this area.

This entry was posted in Internal Audit, Risk Management.

3 Responses to Risk Rating the Audit Universe: Focus on Economic Value

  1. Talib Hassan Aifan says:

    Dear Bruce,

    I fully agree that the economic value of the business and the activities that create this value should be the base of the audit universe. In addition to the three elements you have correctly cited, may I add to that the key strategic elements of the strategic plan of the firm that should be included in the audit universe as well. Don’t you agree?

  2. James says:

    Hi Bruce,

    This is a very interesting and challenging topic. I have worked with a few CAEs back in my consulting days and as I look back I realise this is an area where most of them struggled. Fortunately, or unfortunately, I am now in a position where I am tasked with this responsibility (in a bank by the way). I have drafted my rating system based on the below factors:

    1. The economic value or exposure.
    2. Risk assessment.
    3. The control environment.

    Each of the factors has related criteria depending on the areas being covered, for example assets under management, economic profit, expenditure, etc.

    Can you please critique the approach and suggest ways of improving it.

    Cheers
