Maximizing the Value of a Risk-Based Audit Plan.

  • 8/10/2019 Maximizing the Value of a Risk-Based Audit Plan.

    1/4

    ACCOUNTING & AUDITING

    auditing

    Maximizing the Value of a Risk-Based Audit Plan

    Internal Auditors Can Identify and Mitigate Risk

    By Michael Bechara and Gaurav Kapoor

    If there is anything that the business world has learned from the economic events of the last few years, it is that effective risk management is critical. Around the world, substantial investments are being devoted to strengthening risk management programs. Yet failures continue to occur, whether they appear in the form of regulatory missteps, lost profitability, or the hacking of sensitive information. Millions of customers are affected, and billions of dollars are lost.

    In response, companies increasingly depend on internal auditors to identify and help mitigate these risks. Internal auditors are uniquely positioned to handle these responsibilities because of their understanding of business processes and risks, as well as their ongoing interaction with both business units and management. What, then, is the role that they must play in building risk resilience?

    A Systemic Risk-Based Audit Approach

    The focus of an internal audit has always been on risks. But what is changing is how internal auditors go about assessing these risks. Traditional audit plans based on suspicions or direction from management are bound to skew decision making. Rotational audit plans result in misallocation of resources because they do not take into account variations in risk. Similarly, lists of risks by industry may be well researched, but they do not consider each organization's unique risk profile and history.

    An effective risk-based audit plan overcomes all the above limitations by viewing risks through the prism of strategic objectives, which enables a more targeted and efficient audit. It also links risks with business objectives, thus facilitating smarter, faster, and sharper risk mitigation programs.

    Implementing a Risk-Based Audit Plan

    Contrary to popular opinion, risk-based audits do not begin with the risks themselves. If one builds a risk universe that catalogues hundreds of risks in isolation, one would find that it is neither practical nor useful in decision making. It simply results in a waste of precious time and resources on those risks that are irrelevant to the organization.

    An effective risk-based audit plan begins with the organization's objectives and goals because risks are only relevant in the context of these objectives. For example, if an individual's objective is to stay at home and watch TV, he wouldn't worry about the risk of a flat tire; however, he might worry about being interrupted by his children, attending to a phone call, or cooking dinner, because these risks impact the objective of watching TV.

    Discovering Risk Data

    Enterprise resource planning (ERP) data and generic lists of risks by industry are based on historical data; they assume that the future will look like the past when, in fact, things rarely happen the same way twice. Instead, auditors should turn to the organization's people. They represent one of the most dynamic, current, and important sources of risk information because they face risks in the organization every day, and are capable of conveying their thoughts about emerging or potential risks.

    Internal auditors should start with senior management in order to understand strategic goals and identify the risks associated with these goals. Then, they should expand the discussion to a larger cross section of people across the enterprise, such as personnel in the operations, purchasing, compliance, and legal departments, as well as any other employees who are tasked with attaining the organization's objectives; the more respondents interviewed, the more comprehensive and in-depth the insights will be.

    When conducting these interviews, auditors should refrain from asking questions such as "What keeps you up at night?" Such clichéd questions only limit the kinds of responses internal auditors will receive. Instead, they should describe objectives and risks, and ask people to identify how well the company is achieving its objectives. They should also ask them to identify any other risks that have not been discussed but that still threaten the company's objectives.

    Another method that auditors can employ is using surveys to collect responses. Introducing a scale of 1 to 5 for each question will help quantify the responses later. Exhibit 1 provides an example of one such survey.

    Once auditors have gathered risk data, they are ready to map risks to objectives, identify risk patterns, and classify the risk patterns according to organizational objectives.

    Mapping risks to objectives. The common tendency among auditors is to focus on the risk that receives the greatest number of responses or the most egregious ratings. For example, if 95% of survey respondents selected Risk A as being the most threatening to the organization, auditors might feel compelled to devote all their resources to designing an audit that would mitigate that one risk. But risks do not act in isolation; they interact with each other, and with strategic objectives, in a complex pattern. Therefore, it is important to understand these interactions and correlations.

    If an auditor's objective is accurate financial reporting, surveys might reveal that it is strongly threatened by a lack of accounting experience and moderately threatened by poor corporate governance. An auditor might also uncover risks that pose threats to a seemingly unrelated objective. For example, aggressive sales or marketing programs could be found to have a strong impact on financial reporting. If pressure is applied across the organization to meet certain sales targets, financial reporting could be compromised by recognizing revenue prematurely or inappropriately. A common example of this risk manifesting itself would be channel stuffing, where excess products are shipped to distributors at the end of a period, only to be taken back or returned at the beginning of the next.

    Identifying risk patterns. Risk patterns are a combination of individual risks that affect a particular objective. It is important to look at these patterns because they provide a sense of the larger picture. They indicate a combination of risks that is greater than the sum of any of its individual parts.

    For example, if an individual was driving a car while talking on a mobile phone and being distracted by music, all at the same time, the chances of a collision with another vehicle would be very high. Each of the above risks occurring in isolation poses a far lesser threat than when they manifest themselves together as a pattern.

    Essentially, risk patterns help internal auditors identify those risks that, together, interact to form a dangerous situation. For example, auditors might find from their surveys that accurate financial reporting is affected by the following risk pattern: lack of accounting experience (20%), poor corporate governance (40%), aggressive sales or marketing programs (30%), and inadequate training (10%). By itself, the risk of inadequate training seems minor. But if auditors were to ignore this risk and not make any effort to audit or mitigate it, the risk would continue to pose a significant threat to financial reporting.

    EXHIBIT 1

    Survey Example

    Objective: Accurate Financial Reporting

    Risks: Excessive Overtime; Lack of Accounting Experience; Poor Communication

    5   Excellent       Pervasive
    4   Good            Frequent
    3   Fair            Average
    2   Below Average   Infrequent
    1   Poor            Rare

    Classifying risk patterns by objectives. Once auditors have arranged their risk patterns by objectives, the risk-based audit plan becomes more targeted. At this point, it is important to keep in mind that audits should not be directed at the most critical risk, but at all of the risks that threaten the most critical objective. This will enable auditors to take concrete action, seamlessly align risk management with business strategy, and facilitate accountability and transparency.

    Exhibit 2 shows five typical organizational objectives. Each bar above the objectives shows the risk pattern that threatens that objective. Each color represents one hypothetical risk, and more than one color in a bar indicates a risk pattern of two or more risks for that objective. For example, the objective "accurate financial reporting" is threatened by four risks. The yellow risk is the most prevalent in the pattern because it makes up almost 40% of the entire risk pattern.

    Technology as an Enabler

    A large part of risk-based audits involves talking to various stakeholders, identifying risks across teams and departments, and assessing the effectiveness of various controls to mitigate those risks. It's an expansive and time-consuming activity that is typically carried out by multiple auditors, using multiple independent applications, processes, workpapers, and tools. Without adequate communication and coordination between them, it is likely that internal audit activities would be duplicated at various points across the organization, thus lowering efficiency and raising costs.

    But what if there was one single system to unite all audit processes, entities, systems, tools, and workflows? Communication across the enterprise would be enhanced, visibility into risks and audits would improve, and duplicate and redundant audit activities could be eliminated.

    Technology enables a centralized audit infrastructure that can provide a single point of reference to identify and assess risks across the enterprise, gather and share risk information, and manage the entire audit life cycle. It also enables the creation of centralized libraries where the entire risk inventory, along with controls, assessments, audit data, and reports, can be efficiently organized, stored, managed, and shared.

    With these centralized repositories of information, internal auditors and managers are better equipped to understand risks and their relationship to the organization's objectives. They can also more accurately map risks to processes, controls, entities, and regulations. This, in turn, simplifies the creation of the audit universe and helps formulate a systematic and resource-efficient plan for audit management.

    EXHIBIT 2

    Risk Patterns by Objective

    [Stacked bar chart. Legend: Risk A, Risk B, Risk C, Risk D, Risk E, Risk F. Objective labels: Accurate Financial Reporting; Reduce Supplier Costs; Employee Safety.]

    Because surveys are a major part of a risk-based audit plan, technology can help by streamlining the entire process of survey design, distribution, implementation, and response collection across departments, business units, and geographic locations. In addition, it can automate the process of monitoring risk controls and creating reports, as well as ensure that findings and problem areas identified through audits are appropriately investigated and resolved. In this way, internal auditors can save valuable time and resources and eliminate the need for cumbersome spreadsheets. Some technological tools such as dashboards, risk heat maps, and charts can facilitate transparency in audits by providing valuable risk insights and intelligence that can be presented to stakeholders.

    Creating Value

    Today, internal auditors have the power to not only protect value, but to create value. The key is to develop a continuous focus on risk, and weave the audit plan around the identified risks and risk patterns. This opens up opportunities for internal auditors to play a more strategic role in the organization, as well as to provide crucial risk-based advice that shapes the overall business strategy.

    Michael Bechara is the corporate r expert and managing director of Gran Consulting Group, Inc., Brewster, N

    Gaurav Kapoor, MBA, is the chief r officer of MetricStream Inc., Palo Alto, Calif.

    ELEMENTS OF A GOOD RISK-BASED AUDIT PLAN:

    Based on risks and business objectives

    Relies on people for input

    Uses technology to support the process

    Copyright of CPA Journal is the property of New York State Society of CPAs and its content may not be copied

    or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.

    However, users may print, download, or email articles for individual use.