I’ve been thinking through risk-based audit methodologies and how to write audit reports under such a methodology. I currently report based on net risk: my audit reports are rated on a net risk scale, a scale of risk exposure if you will. For me, therefore, a risk-based audit is an independent (from management) assessment of the risks within the scope of the review. The key question is then how assurance relates to that. Is the assurance the independent assessment of net risk, i.e. I can fully assure you that your risk exposure is at X or Y level? Or is the assurance more a case of ‘higher risk must give you lower assurance’? This second approach, though, is not clear about whose assurance is meant. The argument is that our independent assessment of management’s controls suggests that the assurance available to them from their controls is lower.
The issue with an analogue net risk level is that some auditors then describe the net risk levels with assurance statements, so they give ‘moderate’ or ‘substantial’ assurance when in fact the judgement is really one about net risk. This implies a value judgement. But whose judgement is this, and against whose standards? So, if we take a four-point scale to describe our independent assessment of the net risk arising from an area of management activity within the scope of a review, and if we then assign the top (red) rating as ‘limited’ assurance, are we then saying this is unacceptable?
I guess we need to think about the question being posed here. We (IA) think you (management) have limited assurance, based on our finding of high net risk, and thus you need to decide (assuming you broadly agree with our judgement) whether that is acceptable. This judgement would be for the governing body (normally the board) to make, deciding what to do about it through its agents, the audit committee. Management would take a view and then the board, through the audit committee, would agree or disagree, telling management to do further work if it does not accept that view. In other words, the board owns the risk appetite that enables it to direct and control (govern) the organisation.
This approach does assume, however, a single risk reality, with audit’s role merely to describe this external reality for management, the audit committee and internal audit to debate. I think the world is more complex than that. There is an external reality, but it can be assessed, particularly in risk terms, in many different ways through the human lens and experience. Thus there are two variables at play here: first, genuine disagreement over the facts of the case (the external reality); second, how it is described (whatever scale is used will be debated). For the reality of all risk management is that it is, in practice, too complex to model. People are just too complex in large organisations to really predict through any model (aargh, say all of those scientists out there – tough, I’m a social scientist!).
So when it comes to it, the management team can disagree both with what the ‘facts’ are saying and with how internal audit is interpreting them onto a risk scale. I like, therefore, to describe in my reports my (IA’s) view of whether I think a high net risk is adequate or not. I give an opinion, rather than conflating it with some supposedly objective description of net risk and the management assurance that is then taken to arise from it. I form a yes/no answer to whether the control environment is adequately designed and operated. In other words, do the arrows on a risk graph look long enough (design) and do they exist (operate)? I am thus very clear that I would either not assure something, or I would. No equivocal, opaque or descriptive view implied from ‘facts’ (there are no, or few, such things). Just my own view, very clearly stated. This view is based on my own assessment of the appropriate organisational risk appetite, which both the audit committee and the management team can disagree with through normal audit committee processes. This approach is hinted at in the IIA’s professional standards, in terms of dispute resolution taking the audit view to the board for resolution.
I am being paid for my opinion and my professional view of the appropriate risk appetite. Of course, all of the preceding conversation is predicated on a risk-managed style of management and governance that many organisations simply don’t have, but that is for another blog post on another day…