Yawn! We all know what this is, enough already!
Well, I have been thinking about this a little further and I am not sure the debate is over. I think all CAEs (chief audit executives) would agree that assurance over major business programmes and projects is important, and that the internal audit function should have some level of engagement with it to ensure proper assurance is provided to the business.
Now, is this a risk-based audit requirement? If we narrowly interpret risk-based auditing as merely grounding a plan in some consideration of risk, then yes, of course. If we alternatively, but equally narrowly, interpret risk-based auditing as focusing on the riskiest areas of the business, then perhaps not. How so? Well, most internal audit functions are relatively under-resourced (compared with the demands of the non-executive board and the business), so a risk-based internal audit function really only has the resource to assure strategic-level (significant) risks. Even that is likely to be spread over a number of assurance periods (normally years), not 100% coverage every year. So any focus on programme or project risks, unless those risks are strategic in their own right, is likely to be a focus on tactical-level risks, a level that most internal audit functions are not resourced to tackle.
So is this yet another non-risk-based demand on internal audit, to be added to all the others: sufficiency of coverage within each annual or audit period; a disproportionate demand for financial assurance from stakeholders; compliance assurance requirements; management assurance demands; specialist strands of audit risk such as IT; and sufficiency of work within each component of the periodic assurance opinion given, such as value for money or governance?
Well, I think it depends. I have in my head a model of assurance based on risk levels. Risk, for me, is not really 'managed' (that is, actively addressed) at a strategic level. It is too esoteric and organisationally meaningless to be managed there. It may be summarised at that level (and, for all sorts of reasons, for most organisations doing so is a little pointless, creating esoteric, disconnected-from-reality risks), but it is rarely actively managed there. That is because organisational structures are simply not oriented around strategic risks. Strategic risks cut across professional, geographic and other operational silos. These risks are therefore managed at the tactical, programme, project and operational (departmental) levels of the organisation. One can audit a strategic risk by following its cross-cutting elements through these other levels to gain assurance over the overall organisational response to it (the top-down assurance approach), but one can also break the strategic risk itself down into its tactical components.
Auditing at a tactical or 'thematic' level is what I call horizontal auditing: looking at a cross-cutting risk (often a component of a strategic risk) as it crosses the organisation's structural silos and boundaries. This also applies to programmes and major projects. After all, why do businesses establish such things? Normally because there is a business need (or significant risk) outside business as usual that requires the additional management discipline, focus and resource management a formal project methodology brings, in order to ensure a business-critical outcome. The same analogy of auditing at levels applies to departments. Why are silos and departments set up in organisations? Simply because a strand of specialist or geographic risks needs to be managed coherently: delivery of the business objectives (and the accompanying mitigation of risks) within a locale or professional silo, if you like.
So, back to where I started. Is programme or project risk assurance part of a risk-based plan or not? The answer is yes, if you have an assurance plan that recognises that risk-based auditing operates at levels (strategic, tactical, programme, project and operational) and should prompt an audit response that is top-down, sideways-in and bottom-up. This then prompts the question of how you report on different risk levels (I feel another post coming on in due course), and also the perennial question of whether a risk-based auditor should focus on high gross (inherent) or high net (residual) risk (see previous posts on this debate).
For me the fundamental point is this: doing programme and project assurance simply because we CAEs feel it is the right thing to do, and squeezing our already limited resources to do it, without a paradigmatic and intellectual grounding and justification, is wrong. We should have a clear view of where it fits within an overall, clear view of what a risk-based approach to audit really is. Do you?