It’s hard to find a head of audit or an audit manager who doesn’t acknowledge the need for ‘risk-based auditing.’ Thanks to the efforts of the IIA amongst others, it has well and truly hit the mainstream. And of course there’s an expectation that a risk-based audit plan will be aligned with the organisation’s risk management framework. In fact, that’s where many organisations start to relax. In a world where silos and corporate fiefdoms are all too common, they’re actually rather proud of the fact there’s genuine alignment between the risk and internal audit functions.
And since internal audit started focusing the audit plan on the strategic risks where the board is a bit twitchy about the level of residual risk…well, life is rosy!
But in those circumstances, is audit’s approach truly risk-based? Who has tested whether the risk register has actually captured the most serious risks? How does internal audit figure out what to test in order to provide assurance that those risks are being managed?
Most medium or large organisations are generating mountains of data—whether it’s financial transactions, production stats or environmental monitoring data. The most enlightened, progressive audit teams (let’s call them “tomorrow’s auditors”) are interrogating those datasets to both guide their audit plan and exhaustively test controls in the audits themselves.
So, what’s holding everyone else back? Why aren’t heads of audit the world over taking their lead from “tomorrow’s auditors” and getting knee deep in data when compiling their audit plan?
A lack of in-house analytics skills is certainly a factor, and complacency also plays a part. “We know the business pretty well so we feel we’ve got a good sense of where the risks are” is an excuse I’ve heard on several occasions. And all too often, internal audit leaders still dismiss analytics as a tool for the second line of defence.
Comments I’ve heard recently include:
“It’s the likes of compliance and finance who should be monitoring every last record or transaction…”
“We see internal audit’s role as to provide assurance that the key risks have been identified and are being managed—we’re not there to do the second line’s jobs for them!”
Unfortunately, once you probe a little deeper, those sorts of arguments are flawed.
Firstly, I’d return to my earlier point: how can you be sure the right risks are being managed if you’re not looking at all the available evidence? It’s like a meteorologist trying to forecast the weather without satellite data. They could just look up at the sky—but, in practice, they use analytics to consider all the evidence and give themselves the best chance of an accurate forecast. So, will analytics guarantee you spot every last vulnerability? Absolutely not (you need to design the right tests in the first place…). But it gives you a fighting chance. You have a tool that’s capable of executing tests to automatically (and objectively) highlight vulnerable areas that warrant an audit.
Secondly, how do you get an objective sense of whether the severity of a risk is increasing (and hence should be a strong contender for the audit plan) without using analytics? Where’s the hard evidence? If you run the same test or tests periodically (say, once a month or once a quarter), the resulting KPIs or KRIs give you a clear indication of whether the situation is improving or worsening.
Thirdly, let’s assume (optimistically!) that your luck’s in and you did manage to identify the correct strategic risks: how do you then decide where to focus in each audit? Do you really want to rely on weak anecdotal evidence of where the vulnerabilities lie? Why not run some more granular analytic tests to pinpoint the areas of weakness and then use your time on the ground to probe them in detail? That is true risk-based auditing.
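As an added illustration of the three points above (example code, not from the original article or from ACL): two assumed control tests are run over constructed payment records, one quarter at a time, to produce an exception-rate KRI per test; the trend across quarters then ranks the tests as candidates for the audit plan. The approval limit, test names and payment data are all assumptions.

```python
from collections import defaultdict

# Constructed sample payments (not real data): (period, amount, requester, approver).
# approver None means no second approval was recorded.
PAYMENTS = [
    ("2023-Q1", 4_000, "alice", "carol"), ("2023-Q1", 12_000, "bob", "carol"),
    ("2023-Q1", 15_000, "alice", None),   ("2023-Q1", 9_000, "dave", "dave"),
    ("2023-Q2", 3_000, "alice", "carol"), ("2023-Q2", 11_000, "bob", None),
    ("2023-Q2", 20_000, "alice", None),   ("2023-Q2", 8_000, "dave", "carol"),
    ("2023-Q3", 13_000, "bob", None),     ("2023-Q3", 14_000, "alice", None),
    ("2023-Q3", 16_000, "dave", None),    ("2023-Q3", 2_000, "alice", "carol"),
]
APPROVAL_LIMIT = 10_000  # assumed policy: payments above this need a second approver

# Control tests; each returns True when the payment is an exception.
TESTS = {
    "unapproved_over_limit": lambda p: p[1] > APPROVAL_LIMIT and p[3] is None,
    "self_approved": lambda p: p[3] is not None and p[2] == p[3],
}

def run_tests(payments):
    """Exception rate (the KRI) for every test in every period: {test: {period: rate}}."""
    totals = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for p in payments:
        totals[p[0]] += 1
        for name, test in TESTS.items():
            hits[name][p[0]] += test(p)  # bool adds as 0 or 1
    return {name: {period: hits[name][period] / totals[period]
                   for period in sorted(totals)} for name in TESTS}

def trend(series):
    """Compare the latest KRI with the earliest one in a chronological series."""
    values = list(series.values())
    if len(values) < 2 or values[-1] == values[0]:
        return "stable"
    return "worsening" if values[-1] > values[0] else "improving"

def prioritise(payments):
    """Rank tests for the audit plan: worsening risks first, then by latest rate."""
    kris = run_tests(payments)
    latest = {n: list(kris[n].values())[-1] for n in kris}
    ranked = sorted(kris, key=lambda n: (trend(kris[n]) != "worsening", -latest[n]))
    return [(n, round(latest[n], 2), trend(kris[n])) for n in ranked]
```

On the sample data the unapproved-payments test climbs from a 25% to a 75% exception rate and is ranked first, while self-approval drops to zero and falls to the bottom of the list.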
On that theme, I’ve often wondered if the heads of audit who choose to reject analytics can appreciate the irony of their stance. They’re baking risk into their own process whilst simultaneously providing assurance that the risk management framework for the whole organisation is fit for purpose!
With thanks to Tom Hazeldine, Product Manager EMEA, ACL (original source).