Norman Marks, one of the most highly regarded thought leaders in the global profession of internal auditing, explains how companies in the Middle East can add more value to their stakeholders by applying a modern risk-based approach to internal audit planning.
I remember talking to an internal audit leader for whom I have great regard. I was stunned to hear him say that you do two risk assessments: one when you develop the audit plan to identify the processes, locations, and business units to audit, and a second when you start each audit so you can identify the risks to assess in each area. That is the way I learned to build the audit plan more than 20 years ago!
I had a few discussions with some internal audit colleagues at an event last year and I learned that some companies in the Middle East develop their internal audit plans in the same way. I moved away from this process in the early 1990’s because I didn’t believe it was helping me address the areas of significance to the board, top management, and the company. If internal audit is to be “relevant” (a term increasingly being used to question whether internal audit is delivering what the organization needs most), it is important to ensure that the engagements it will perform focus on the risks that matter to the organization today.
What does “risk-based” mean?
The concept of risk-based planning comes from The International Standards for the Professional Practice of Internal Auditing (Standards) issued by the Institute of Internal Auditors (IIA). They require the chief audit executive to “establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” (Standard 2010). This concept has also been included in governance-related thought leadership. Principle 7.2 of The King Report on Corporate Governance for South Africa1 states that “Internal audit should pursue a risk-based approach to planning as opposed to a compliance approach that is limited to evaluation of adherence to procedures”.
While IIA Standards and other guidance, from internal audit thought leaders and the consulting firms, advocate a “risk-based” approach to internal auditing, they generally don’t provide a great deal of guidance on what that means and how to accomplish it. However, there is one thing in common with all the guidance and approaches; they all need to begin with an assessment of risk.
Traditional Risk-Based Audit Planning
This approach was all about building a “risk”-ranked audit universe. The first step was to identify all the potential areas for audit, including business processes, locations, data centers, etc. A frequent question among auditors was “how large is your audit universe?” You then considered various factors such as:
- Revenue generated or accounted for at that location, by that process.
- Asset size.
- Time since last audit.
- The significance of any findings in the prior audit.
- The level of change in systems, process, and personnel.
- Management and board input on risk.
The audit plan included engagements at these locations or of these processes.
For example, one might rate the following as higher risk areas: The factories in Saudi Arabia and Qatar; the Corporate Shared Services Center in Dubai; and, the general controls over the IT Data Center in Oman. The scope of the Saudi Arabia audit would be based on a risk assessment of the factory’s processes, assets, etc. The audit might include the higher risk areas of inventory management, quality control, and code of conduct training. The scope of the Qatar factory audit would be different, as the risks in that location are not the same: payroll, procurement, and accounting for inventory. A similar local risk assessment would be performed for the other audits.
While this approach was “risk”-based, it was not talking about risks to the objectives of the organization as a whole. “Risk” was about the potential for any deficiencies in internal control to have an impact (in monetary terms) of some size to one location. The difference may be subtle, but it is important. I want to focus my audits on ensuring the organization has the ability to achieve or surpass its objectives.
[INSERT EXHIBITS HERE]
Modern Risk-Based Audit Planning
My approach today — my definition of modern risk-based auditing — is different. Instead of starting with an assessment of the audit universe, I start with understanding the risks to the enterprise as a whole. The more significant risks might include: our implementation of a new enterprise resource planning (ERP) system; the start up of a new factory in Jordan; the expansion of the business into Iraq; compliance with health & safety regulations; reliance on single source vendors for critical components; and the timeliness and accuracy of monthly management reporting to the executive committee.
My goal is to provide assurance on how well management’s processes are able to manage the more significant risks. My audit plan includes projects to identify and assess the controls that management is relying upon to manage the ERP implementation, to comply with health & safety rules, sourcing of critical components, and to ensure the integrity of monthly management reports.
The concept of “audit universe” is outdated.
So instead of using risk assessment to determine which “audit universe” elements I will include in the audit plan, I moved to an approach where I identified the top risks to the achievement of the company’s objectives (a “risk universe”), and then identified the engagements I could perform to provide assurance that the controls were adequate with respect to those risks and to provide advice where they are not.
This, for me, is modern risk-based audit planning.
When I first explained my modern risk-based internal audit plan to the audit committee of an oil company where I was the chief audit executive, they were very surprised. The CEO asked whether I had considered risks relating to the blending of gasoline, diesel, and jet fuel. As it happened, I had — but it was not considered high risk; it was more a compliance issue than anything else. The discussion continued around the top risks that I had identified and after the audit committee was satisfied with the quality of the proposed internal audit plan, they approved it. This internal audit plan was one that truly addressed the risks that matter to the organization, its audit committee and CEO.
Thinking has shifted increasingly to that of looking at the “risk universe” and using that as the basis for deciding where to focus audit areas.
The Challenges & How to Overcome Them
Now that I have explained the importance of a modern approach to audit planning, it is time to understand why some companies in the Middle East have still not applied this approach. In a discussion I had with an Abu Dhabi-based Chief Audit Executive, he mentioned several challenges (which I have not substantiated) that include: not having the ability or business acumen to identify the risks that matter; the traditional mindset of the chief audit executive and the audit committee; and a reliance on audit planning processes set by regulators or audit software providers which seem to be built around the traditional approach to audit planning.
When it comes to companies that have already implemented a robust risk management process, the best way to overcome these challenges is to use the risks identified by the risk management team and provide assurance on these risks. If this is not available, the chief audit executive needs to train himself and his team as well as the audit committee and top management. As for software, this is an enabler to the audit planning processes which should not hold back the progress of an internal audit department: either work with the provider to upgrade it or change it, or do your audit planning in Excel.
The audit plan has to be designed to address the major risks to the enterprise. The traditional audit planning process must die a quick death (assessing risk levels based on an audit universe, and then performing audits of the controls designed to address risks to the achievement of objectives for those areas, locations, business units, etc.) A modern risk-based approach will take its stead. Here the more significant risks to the enterprise are identified and targeted in audit engagements. Rather than focus on risks to objectives at a process, department, or location, audits will focus on risks to the objectives of the organization.
Building the audit plan based on an audit universe instead of the top risks to the organization is likely to result in auditing risks that are not significant. Chief Audit Executives need to have the confidence to build a risk-based audit plan that is agile and designed to address the risks that matter to the organization. When internal auditors provide assurance and insight on the risks that matter, their work matters to the board and top management. Instead of finding problems and being perceived as an overhead activity that adds to management’s task list, they are helping the board and management deliver value to stakeholders.
The King Report on Corporate Governance for South Africa (The Institute of Directors in Southern Africa) September 2009
As for software, it is an enabler to the audit planning process and should not hold back the progress of an internal audit department: you can either work with the provider to upgrade the software or do your audit planning using MS Excel.