Moving towards risk-based approach to internal audit

(Conclusion)

How Do We Move Towards A Risk-Based Approach?

This approach requires performing periodic risk assessments (at least annual) of the auditable units and crafting an audit strategy that will prioritize and schedule audit engagements in accordance with the risk profiles. This means that the higher the risk, the more frequent the audit and conversely speaking, the lower the risk, the less frequent the audit, or none at all (in extreme case given scarce audit resources)! Please take note that the risk profiles of companies are inherently dynamic and change with time and that new emerging risks may require the auditor to revisit and revise its audit strategy.

The audit risk assessment requires open, honest and ongoing consultation with senior management and dialogue between the auditor and auditees. This interaction will hopefully build the trust and confidence of the auditees and encourage them to be more open and transparent with the auditor regarding their strategies, plans, programs, projects and concerns. This collaboration will also help the auditor arrive at an elevated level of appreciation of the significant challenges, risks and exposures of the company or the particular business unit, division, area, department or project to be audited, in other words, to obtain the right context.

This approach allows the auditor to come out with a risk-based audit plan that is aligned with the business strategies and responsive to the management’s requirements and expectations. The auditor can now focus its limited resources on major risk areas of the company. That is, “doing more with less” and “delivering assurances with fewer resources” as IIA president and CEO Richard Chambers has underscored in his recent Internal Auditor article entitled “Responding to Change.”

More importantly, rather than “feast” or pound on the mistakes of the individuals, the RBA approach is process-based and intended to evaluate control design (or Test of Design) and identify gaps or control weaknesses using various control frameworks (e.g., COSO, CoCo, and/or COBIT) or “best practices in internal control.” Afterwards, in consultation with the auditees, with the end view of obtaining their “buy-in,” the auditor considers alternative solutions to address significant risks noted and, if necessary, issues value-adding suggestions to further improve the process.

It is important to note that the compliance-based approach is not totally eliminated or forgotten when we apply RBA. When appropriate and sound control policies and procedures have been put in place by management, performing a test of compliance (or Test of Operating Effectiveness) is integral to RBA. It is prudent though to always reassess the risks and revisit the “appropriateness” and “soundness” of the policies and procedures every audit, especially if the intervening period is at least a year and there have been recent changes in technology, organization and system.

What hinders the auditor from implementing the RBA approach?

In my opinion, the two major hurdles to implementing RBA are: (1) inadequate or lack of understanding of the RBA concepts and (2) the auditors’ “inertia” or slowness to shift to a new paradigm or mindset of RBA planning and execution. It would seem that old habits are hard to break and sticking to traditional, police-type auditing is no exception. I hear people in the industry say that they employ RBA, but when you probe deeper, you find that many are still in transition, if not totally lost in the process. The antidote is a combination of educating all stakeholders on RBA and creating a new culture and perspective, whereby an open and humble attitude to change and a firm resolve to understand and implement RBA concepts that are not only mandated and monitored by the Audit Committee but also nurtured and encouraged.

In my professional experience, auditors who have successfully implemented a RBA received positive responses from their senior management. I’ve seen not a few “quantum” improvements in relationship because their auditees see real value in the auditors’ services and outputs. Nevertheless, I still encounter some traditional auditors being “bad mouthed” by their auditees simply because a non-RBA mindset still persists. How do we address this? The answer is to establish a quality assurance and improvement program within the internal audit department, which include both internal and external assessment of the internal audit activity. The external assessment shall be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization (ISPPIA: 1300 - Quality Assurance and Improvement Program), which brings us to the next article “Who audits the internal auditors?.”

(Reginald C. Nery, CPA, CISA, CISSP, CIA, CCSA, CFSA, CISM. He is the Head & Partner of Performance and Technology Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity.

This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email [email protected] or [email protected])