I’ve been training some of my team this week and inducting new auditors into my department. This is always a cathartic experience, as it makes me confirm and challenge my thinking about what good internal audit and risk based internal audit is.

The bit that I find most interesting is when I work through what a risk based audit is. A risk based audit, to me, is much more than using risk to select the area for review. Being risk based means risk should pervade the whole approach. So in my audit construct I use risk not only to decide and select where to go (and not some two dimensional risk universe, but a more socially scientific, complex understanding of risk – see my previous post on audit universes for my views on these) but also to report.

I report based on net risk. Why? Primarily because I aim my work at the senior management and governance bodies of my client, so clearly they should be focused on risk exposure. Yes, we report areas of low net risk and high gross risk, for the governance and senior management groups should be aware where they rely heavily on the control framework. I also use four layers of risk, for otherwise a single scale (we use a four point scale) is not subtle enough to deal with most organisations. Operational stuff that is important is never big enough to affect the strategic level (i.e. a project is too small to affect the whole organisation, so risks at an organisational level will all be in the green, because the project is down in the organisational weeds). This approach, however, allows me to look at stuff that matters, to look at the micro and extrapolate to the macro by doing so. It also means I can assist and work with the management team and my client organisation to inculcate and develop risk awareness and consideration at all levels of the organisation.

I can hear the challenge now – why is internal audit working at less than the strategic level? Well, for a number of reasons. First, strategic risks do not exist (they are aggregations or portfolios of tactical and operational risks), so to meaningfully audit them you need to break them down into smaller, organisationally meaningful chunks. Second, strategic risks are simply too complex, too intermingled, too esoteric, to evaluate in a single audit. So big questions and risks need to be broken down into smaller questions and then linked to the organisational structures that mitigate them. Occasionally the odd strategic risk may be sensibly audited as a whole; I’m thinking of major change initiatives or major organisation-wide projects. In the main, though, in my experience you need to break the questions and the control frameworks into auditable chunks and work packages.

So if you report on a net risk basis you get into the colour or report rating problems. You then have a number of choices. Let us assume you have a four point risk rating, say red through to green. You could fix the ratings by pejorative judgement, that is, red is high risk, thus it’s bad, and green is low risk and is good. Then you say anything red is bad because it is out of control, and anything green is good because it is controlled. But then where is risk appetite in this? Do you flex that scale by a moveable risk appetite or not? If you flex it, then you can have green reports that mean ‘good’ but actually refer to high risk, where an organisation’s risk appetite is high, and conversely give a red report where risk is in fact green and low level. If you do this your risk ratings are no more than judgements about good and bad, not actually a statement of risk at all, for red could refer to high or low risk depending on risk appetite.

To get around this you could say we will not flex the ratings for risk appetite, i.e. high risk is orange or red, and low risk is green or yellow. But it is not really encouraging a good and sensible client risk management system if risk is fixed around a fixed risk appetite, for no client either intends to have, or in reality has, a fixed risk appetite. So this is meaningless and makes no sense from an audit perspective. It also carries the false view that risk is meant to be reduced to green – why would any organisation want to do this in all cases? What a waste of money. It may also not be possible.

It also struggles with the idea of risk layers, so it can only work at one layer – presumably strategic. So not only does it make it hard to audit risk meaningfully, but it also forces the client to manage all strategic risk to green. Successful organisations take risk and have risk profiles that are different.

So my solution is to fix the risk scale, i.e. risk is risk, red is red, green is green. High risk is always reported as red irrespective of risk appetite. There is no pejorative audit judgement in this, for red could be either good or bad depending on risk appetite. Then I provide an opinion over whether the controls as designed and operated are either adequate or inadequate, i.e. whether they bring net risk below or above the risk appetite. This requires additional work to establish the appetite with the management team, but it is possible to establish through conversation and dialogue. This process is then replicated at each risk level. The opinion is split into design and operation (i.e. does the risk mitigation actually appear reasonable, and then does it actually occur?). All of this enables the opinion to be quite nuanced, linked to risk appetite, and to operate with sensitivity at various levels of the client organisation.

The second order problem is that many auditors conflate assurance and risk, so they are not clear whether they are talking about assurance or risk. So we have words like ‘full’, ‘partial’, ‘limited’ etc., and the wording of ‘risk ratings’ seems to refer to how much assurance there is. Now this works if you take the risk rating as absolute, as above, i.e. risk ratings are an anodyne description of risk, or if you fix risk appetite in the middle of the scale. I also think this only works if you take ‘assurance’ in this context to mean the assurance available from the management systems under review. So something with high net risk would be low management assurance, and vice versa. If you don’t report risk as absolute and instead flex according to risk appetite, this link breaks down; i.e. if you have red to mean bad (and flex bad according to risk appetite) then the link between management assurance from systems and the converse of net risk breaks down.

Another take on assurance would be the assurance provided by the auditor; that is, the auditor can fully provide assurance of high or low risk. I think the approach of assuring management systems makes more sense, as the purpose of audit is to inform clients and assure clients over their systems, even if the assurance statements feel a little clumsy.

So why report on net risk and risk based reporting? I think this is because, for me, the purpose of internal audit is to bring to senior management’s and the board’s attention the risk exposure of the organisation and the assurance available from management systems. That is then a truly risk based system.

How do you risk base your audit?