I’ve been thinking about technical audit methodology this week. So a little bit of a dry post, but one I hope will be of interest.
So I’ve got to thinking about risk, control and assurance. How do these concepts overlap, and how should they play out in an audit methodology? For those who know me, I am a CAE (Chief Audit Executive) obsessed with audit methodology. Why? Because it is the foundation upon which the audit discourse, the audit work and the audit team are bound together. For if you start out with something that makes no sense, how can you use it to persuade others, in particular management, or the governors of the organisation?
So risk. A simple concept. The UK HM Treasury’s Orange Book is still the best exposition of it I’ve seen. Gross risk, risk mitigation, leading to net risk. Simple. I have always thought of risk mitigation action as control. Yet my thinking is evolving on this matter. More on this in a moment.
Let’s consider assurance. In a risk-based assurance model, the one I use, I take assurance to be the converse of risk. I appreciate this is not ideal, but the wider industry concept within which my audit service operates requires risk to be equated, in a converse way, with assurance. So, for example, high risk equals high uncertainty, and this leads to less assurance. That is, I, as an auditor, can provide you with less assurance over something I consider to be uncertain (risky). Conversely, I can provide high assurance over something certain.
Yet we know that this definition emphasises the level of certainty (and, to some extent, proximity) of risk above the impact. So if risk is a factor of both the level of uncertainty (including proximity) and the level of impact of not achieving objectives, then assurance can be described as the converse of risk, but not necessarily so. That is, high risk could be high impact but low uncertainty, yet under this model it would be equated with low assurance. We also know that assurance is about the auditor’s ability to form a view. So I could, for example, fully assure you that the risks are high. Here assurance is detached from the risk measurement itself and linked to the level of work being done.
So my risk-based audit methodology, as I currently use it, links risk and assurance and treats them as converse factors, even though this is not perfect (in an ideal world I would simply ascribe risk).
So where does control feature? In my risk-based model as I currently have it, control is equated with risk mitigation. So good control is adequate risk mitigation. In my model I recognise risk appetite. So I form a view of net risk and apply no pejorative judgement to it at all. Risk is risk, be it high or low. Whether it is ‘good’ or ‘acceptable’ or not is entirely a matter of risk appetite. So in a high-risk-appetite area of the business (with risk appetite defined by my client’s governance body and then applied by the management team), controls as designed and applied are deemed adequate when net risk is below the defined risk appetite.
This works fine until you come to something that is poorly controlled (perhaps with few or weak controls) but is low net risk (and most probably low gross risk). You are then presented with a choice of nomenclature. Do you go with the intellectually pure, risk-based interpretation? If it is low risk and risk appetite is, say, medium, then even though something is badly controlled it presents little risk. So something coded ‘yellow’ or ‘green’ is deemed acceptable even where the control system is a mess? Hmm, difficult. You want to message the lack of control in your report, but your risk-based reporting is oriented around risk. So something low risk must be coded as such.
This is made much worse by most audit services’ methodological maps of risk. For those that colour reports in a risk-based way (i.e. referenced to risk, rather than a pejorative judgement about control, the ‘red is bad, green is good’ methodology as I call it), if you use a single scale for the whole organisation you quickly get into a mess. On that scale, most things in most organisations do not matter. Organisations are too big and complex, and rarely is any single risk an organisationally significant one. The natural portfolio hedge sees to that. So your non-compliant process X will not kill off the organisation. We get around that in my service by having four risk layers. This allows smaller, tactical and operational processes to have ‘reds’ of their own.
Even a multilayered risk map process does not save you from the quandary of some poorly controlled things simply not being significant in risk terms. Indeed, in a purely risk-based organisational world, you would not seek to mitigate low gross or net risk items further, so you could argue that a weak control system is appropriate. Yet the audit committee and the management team do want to know which items are simply non-compliance and poor management control, rather than a complex and ultimately debatable net risk exposure point.
So cue a controls judgement. Where something is not high net risk, it could still be poorly controlled. So is a control view independent of a risk view? I have held in my audit methodology that this is not the case, as I have equated risk mitigation with control. So control is a relative concept and is grounded in risk. So control adequacy is mitigation of risk to within a defined risk appetite.
Yet I do feel I need to have a way of dealing with poor controls in a risk-based audit methodology. I currently cope with this by ascribing a low risk appetite, which enables me to say that something low net risk is inadequately controlled. The classic example is financial control. Most organisations have a low risk appetite here, so a weak system, say payroll, even if low net risk, would get a ‘yellow’ with a negative view of controls as designed and operated.
The other way of dealing with this is control awareness. This would flag how well control was delivered in an area of an organisation, measured against a defined risk appetite but irrespective of the level of risk itself. So poor control, even if it led to low risk, would receive a negative view. This detaches control from risk, though.
I am still working through my thinking on this and would appreciate any thoughts and suggestions – what do you think?