I wonder if we’ve all moved on from this? Is it, like risk management for managers, yet another fad that is theoretically possible to do but hard to achieve in reality, so that as a consequence we all give up on it and move on? So for risk based internal audit, for those internal auditors that ever got there (and I doubt many did, as it requires an extreme level of risk maturity), perhaps we have all given up?
No, no-one would admit that. Try going to an audit conference and saying ‘I do a non-risk based audit’. Career suicide! Yet is that what we’ve all settled for? Some cognisance of, or nod towards, risk, yet lacking the courage to really examine how risk based we really are, unable to acknowledge that all sorts of factors influence audit plans, not just risk.
First of all, I don’t believe the myth that risk based internal audit needs a risk mature client. Why? Internal audit is meant to be independent, so why not have an independent assessment of risk? After all, internal audit is in just as good a position as the senior management team to assess risk, so why not use our assessment?
Second, I believe that a fully risk based audit belies the human and organisational reality of most clients. If you fully risk base an audit you will, obviously, go for the big problems, the unresolved risks, most probably the big current issues. How sustainable is this as an audit and assurance plan? If you think about it as a diet of assurance for an audit committee, you effectively feed them big, heavy issues. This is a rich and indigestible diet of non-assurance that eventually tires and exhausts an audit committee and the accompanying management team. Now this approach makes sense intellectually, for if you tackle the big issues, and then the big risks, you drive down risk systematically (assuming the audit committee is effective in forcing appropriate and timely management responses). In reality, however, it makes audit a challenging and tiring experience for all involved.
The Institute (CIIA) seems to have stopped talking about risk based audit, as indeed have we all. I think it believes (as perhaps we all do) that we have this risk based audit thing sorted and organised. I am not sure though. I have seen a number of internal auditors and internal audit approaches. They all claim to be risk based, but some still have what I would regard as either non-existent, or intellectually weak, risk based justifications. Only this week I saw on the Institute’s home page a question about the potential use of an ‘audit universe’. Now there is nothing wrong with this, but this is a debate from well over eight years ago. Most audit universes are glib, two dimensional and meaningless. They are a nod to risk-basing an audit plan without really understanding the complexity of risk.
The reality of a real risk based audit plan is that it is composed not only of the hard factors (cash, process, location, size, complexity etc) but also of the soft social factors (people, culture, politics, personalities etc). Risk in an organisation, particularly the veracity and quality of an organisation’s response to it, is a complex melting pot of a myriad of social factors. Against this, any mechanised risk model will necessarily seem two dimensional and glib. So for me, a risk based audit plan is one that is constantly working through a lens of risk, using this as an analytical framework to inform and deliver audits and assurance. In effect, the audit and assurance plan is the risk assessment. Each audit constantly adds more depth, colour and meaning to the internal audit risk assessment. It is for this reason that CAEs gain such a depth of knowledge of organisations: the audit and assurance plan is a constant researching of our client organisations. Always, in my view, trust a good CAE’s opinion; they will know how things really work. The best risk assessment work I do is sitting in departments’ offices and getting a sense of how things really work. Why? Because you see the social interactions and meet the personalities in the department.
So to conclude, I think the risk based audit approach issue is far from resolved at a profession level, and certainly at an audit service level. I am not one who thinks that one ‘risk based approach’ is wrong and another right, and we don’t need a straitjacket of rules, but come on, we as a profession are still a long way from even a set of principles. We need to keep talking about this.