Maximizing the Value of a Risk-Based Audit Plan.
8/10/2019 Maximizing the Value of a Risk-Based Audit Plan.
ACCOUNTING & AUDITING
auditing

Maximizing the Value of a Risk-Based Audit Plan
Internal Auditors Can Identify and Mitigate Risk

By Michael Bechara and Gaurav Kapoor

If there is anything that the business world has learned from the economic events of the last few years, it is that effective risk management is critical. Around the world, substantial investments are being devoted to strengthening risk management programs. Yet failures continue to occur, whether they appear in the form of regulatory missteps, lost profitability, or the hacking of sensitive information. Millions of customers are affected, and billions of dollars are lost.

In response, companies increasingly depend on internal auditors to identify and help mitigate these risks. Internal auditors are uniquely positioned to handle these responsibilities because of their understanding of business processes and risks, as well as their ongoing interaction with both business units and management. What, then, is the role that they must play in building risk resilience?

A Systemic Risk-Based Audit Approach

The focus of an internal audit has always been on risks. But what is changing is how internal auditors go about assessing these risks. Traditional audit plans based on suspicions or direction from management are bound to skew decision making. Rotational audit plans result in misallocation of resources because they do not take into account variations in risk. Similarly, lists of risks by industry may be well researched, but they do not consider each organization's unique risk profile and history.

An effective risk-based audit plan overcomes all the above limitations by viewing risks through the prism of strategic objectives, which enables a more targeted and efficient audit. It also links risks with business objectives, thus facilitating smarter, faster, and sharper risk mitigation programs.

Implementing a Risk-Based Audit Plan

Contrary to popular opinion, risk-based audits do not begin with the risks themselves. If one builds a risk universe that catalogues hundreds of risks in isolation, one would find that it is neither practical nor useful in decision making. It simply results in a waste of precious time and resources on those risks that are irrelevant to the organization.

An effective risk-based audit plan begins with the organization's objectives and goals because risks are only relevant in the context of these objectives. For example, if an individual's objective is to stay at home and watch TV, he wouldn't worry about the risk of a flat tire; however, he might worry about being interrupted by his children, attending to a phone call, or cooking dinner, because these risks impact the objective of watching TV.

Discovering Risk Data

Enterprise resource planning (ERP) data and generic lists of risks by industry are based on historical data; they assume that the future will look like the past when, in fact, things rarely happen the same way twice. Instead, auditors should turn to the organization's people. They represent one of the most dynamic, current, and important sources of risk information because they face risks in the organization every day, and are capable of conveying their thoughts about emerging or potential risks.

Internal auditors should start with senior management in order to understand strategic goals and identify the risks associated with these goals. Then, they should expand the discussion to a larger cross section of people across the enterprise, such as personnel in the operations, purchasing, compliance, and legal departments, as well as any other employees who are tasked with attaining the organization's objectives; the more respondents interviewed, the more comprehensive and in-depth the insights will be.

When conducting these interviews, auditors should refrain from asking questions such as "What keeps you up at night?" Such clichéd questions only limit the kinds of responses internal auditors will receive. Instead, they should describe objectives and risks, and ask people to identify how well the company is achieving its objectives. They should also ask them to identify any other risks that have not been discussed but that still threaten the company's objectives.

Another method that auditors can employ is using surveys to collect responses. Introducing a scale of 1 to 5 for each question will help quantify the responses later. Exhibit 1 provides an example of one such survey.

Once auditors have gathered risk data, they are ready to map risks to objectives, identify risk patterns, and classify the risk patterns according to organizational objectives.

Mapping risks to objectives. The common tendency among auditors is to focus on the risk that receives the greatest number of responses or the most egregious ratings. For example, if 95% of survey respondents selected Risk A as being the most threatening to the organization, auditors might feel compelled to devote all their resources to designing an audit that would mitigate that one risk. But risks do not act in isolation; they interact with each other, and with strategic objectives, in a complex pattern. Therefore, it is important to understand these interactions and correlations.

If an auditor's objective is accurate financial reporting, surveys might reveal that it is strongly threatened by a lack of accounting experience and moderately threatened by poor corporate governance. An auditor might also uncover risks that pose threats to a seemingly unrelated objective. For example, aggressive sales or marketing programs could be found to have a strong impact on financial reporting. If pressure is applied across the organization to meet certain sales targets, financial reporting could be compromised by recognizing revenue prematurely or inappropriately. A common example of this risk manifesting itself would be channel stuffing, where excess products are shipped to distributors at the end of a period, only to be taken back or returned at the beginning of the next.

Identifying risk patterns. Risk patterns are a combination of individual risks that affect a particular objective. It is important to look at these patterns because they provide a sense of the larger picture. They indicate a combination of risks that is greater than the sum of any of its individual parts.

For example, if an individual was driving a car while talking on a mobile phone and being distracted by music, all at the same time, the chances of a collision with another vehicle would be very high. Each of the above risks occurring in isolation poses a far lesser threat than when they manifest themselves together as a pattern.

Essentially, risk patterns help internal auditors identify those risks that, together, interact to form a dangerous situation. For example, auditors might find from their surveys that accurate financial reporting is affected by the following risk pattern: lack of accounting experience (20%), poor corporate governance (40%), aggressive sales or marketing programs (30%), and inadequate training (10%). By itself, the risk of inadequate training seems minor. But if auditors were to ignore this risk and not make any effort to audit or mitigate it, the risk would continue to pose a significant threat to financial reporting.

EXHIBIT 1
Survey Example

Objective: Accurate Financial Reporting
Risks: Excessive Overtime; Lack of Accounting Experience; Poor Communication

Rating   Objective scale   Risk scale
5        Excellent         Pervasive
4        Good              Frequent
3        Fair              Average
2        Below Average     Infrequent
1        Poor              Rare

Classifying risk patterns by objectives. Once auditors have arranged their risk patterns by objectives, the risk-based audit plan becomes more targeted. At this point, it is important to keep in mind that audits should not be directed at the most critical risk, but at all of the risks that threaten the most critical objective. This will enable auditors to take concrete action, seamlessly align risk management with business strategy, and facilitate accountability and transparency.

Exhibit 2 shows five typical organizational objectives. Each bar above the objectives shows the risk pattern that threatens that objective. Each color represents one hypothetical risk, and more than one color in a bar indicates a risk pattern of two or more risks for that objective. For example, the objective "accurate financial reporting" is threatened by four risks. The yellow risk is the most prevalent in the pattern because it makes up almost 40% of the entire risk pattern.

Technology as an Enabler

A large part of risk-based audits involves talking to various stakeholders, identifying risks across teams and departments, and assessing the effectiveness of various controls to mitigate those risks. It's an expansive and time-consuming activity that is typically carried out by multiple auditors, using multiple independent applications, processes, workpapers, and tools. Without adequate communication and coordination between them, it is likely that internal audit activities would be duplicated at various points across the organization, thus lowering efficiency and raising costs.

But what if there was one single system to unite all audit processes, entities, systems, tools, and workflows? Communication across the enterprise would be enhanced, visibility into risks and audits would improve, and duplicate and redundant audit activities could be eliminated.

Technology enables a centralized audit infrastructure that can provide a single point of reference to identify and assess risks across the enterprise, gather and share risk information, and manage the entire audit life cycle. It also enables the creation of centralized libraries where the entire risk inventory, along with controls, assessments, audit data, and reports, can be efficiently organized, stored, managed, and shared.

With these centralized repositories of information, internal auditors and managers are better equipped to understand risks and their relationship to the organization's objectives. They can also more accurately map risks to processes, controls, entities, and regulations. This, in turn, simplifies the creation of the audit universe and helps formulate a systematic and resource-efficient plan for audit management.

EXHIBIT 2
Risk Patterns by Objective
[Stacked bar chart, not reproduced. Legend: Risk A through Risk F. Objective labels recovered: Accurate Financial Reporting, Reduce Supplier Costs, Employee Safety.]

Because surveys are a major part of a risk-based audit plan, technology can help by streamlining the entire process of survey design, distribution, implementation, and response collection across departments, business units, and geographic locations. In addition, it can automate the process of monitoring risk controls and creating reports, as well as ensure that findings and problem areas identified through audits are appropriately investigated and resolved. In this way, internal auditors can save valuable time and resources and eliminate the need for cumbersome spreadsheets. Some technological tools such as dashboards, risk heat maps, and charts can facilitate transparency in audits by providing valuable risk insights and intelligence that can be presented to stakeholders.

Creating Value

Today, internal auditors have the power to not only protect value, but to create value. The key is to develop a continuous focus on risk, and weave the audit plan around the identified risks and risk patterns. This opens up opportunities for internal auditors to play a more strategic role in the organization, as well as to provide crucial risk-based advice that shapes the overall business strategy.

Michael Bechara is the corporate r… expert and managing director of Gran… Consulting Group, Inc., Brewster, N…
Gaurav Kapoor, MBA, is the chief r… officer of MetricStream Inc., Palo Alto, Calif.

ELEMENTS OF A GOOD RISK-BASED AUDIT PLAN:
Based on risks and business objectives
Relies on people for input
Uses technology to support the process

Copyright of CPA Journal is the property of New York State Society of CPAs and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.
However, users may print, download, or email articles for individual use.