Audit planning. It’s that time of the year when I think about my own department’s audit plan. It’s the area that seems to garner the most questions from new auditors, and it seems to be the area of our profession where the least agreement exists. In particular, what is risk-based audit planning?
We all know what we think it is. I would argue there’s very little agreement. Let’s consider the ask from the standards and the Institute for a moment. It’s a performance standard – so it is about how we do things, not about us per se. The top-level standard, 2010, says:
The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals.
Well, this sounds fine until you unpick it a little. In particular, what is risk-based? It means prioritisation of work – so we as auditors should look at some things based upon risk. But does this mean gross or net risk? The areas the organisation feels it’s most exposed to (high net risk)? Or perhaps the areas where the organisation is least exposed, but works hardest to control the risk (high gross risk)? What sort of risk – financial? Organisational? Reputational? And so on. The risk profile will be very different across these. What about proximity – the risks that are most likely to crystallise into issues?
Let’s go back to the standards:
The chief audit executive is responsible for developing a risk-based plan. The chief audit executive takes into account the organisation’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organisation.
So, as CAE, the interpretation says I have a responsibility to deliver a risk-based plan. This should take into account the organisation’s risk management framework and risk appetite. But what does ‘take into account’ mean? Ignore, register, use, follow, agree, interpret? And the organisation’s risk appetite: do we mean individually or in aggregate? If an organisation has a very high risk appetite, say like Enron, do I have to agree, work within it, or provide an override? Hmmm, more confusing by the minute.
Let’s go back to the standards:
If a framework does not exist, the chief audit executive uses his/her own judgment of risks after consideration of input from senior management and the board. The chief audit executive must review and adjust the plan, as necessary, in response to changes in the organisation’s business, risks, operations, programmes, systems, and controls.
So can I only use my own judgement where the framework does not exist? Or do I impose my own judgement on it? I must adjust in relation to the client organisation. Well, that much seems simple: my plans must in some way work with the client. The direction, type or manner of the adjustment feels quite vague though. If a client does not want me to work in an area, should I do it anyway or work with the client?
Back to the standards:
2010.A1
The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.
Finally – some clear direction. I must have a documented risk assessment. I must consider the input of senior management and the board. Great – that’s clear. Let’s go further:
2010.A2
The chief audit executive must identify and consider the expectations of senior management, the board and other stakeholders for internal audit opinions and other conclusions.
I need to take into account the expectations of management, the board and other stakeholders. In the real world these often clash and are contradictory. Whose expectations matter more or less? What if my independent judgement is to ignore all of these expectations, say to do the right thing or to open all of their minds to something new?
Finally the standards say:
2010.C1
The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value and improve the organisation’s operations. Accepted engagements must be included in the plan.
Accepted consulting engagements must be included in the plan. This seems strange, since most consulting engagements are ad hoc and arise as needed. All of this seems a little periodic and annual, not rolling or reflecting the speed at which risks and organisations seem to move.
So the standards themselves set some very high-level principles and provide very few rules and little guidance. I think that is good, as the CAE should have space to do the right thing in context. It does, however, present a problem in the real world. What should a CAE do? What is ‘right’ or ‘best’? In particular, I think the most confusing and omni-meaning phrase is ‘risk based’.
So what do I call risk based audit planning?
Well, on risk appetite I work with the organisation’s risk appetite both in aggregate and at business unit level. That is, I report my opinions based on net risk, but decide whether this risk is good or bad depending on management’s clearly established risk appetite. So an organisation can, in business units or in aggregate, take high risk. As long as this is legal and is sanctioned by senior management in full consultation with the board, then I work with it. It is not my job to decide whether organisational risk is good or bad, merely to test the reality of control (where control means the adequate management of risk within a risk appetite) and report where this control is inadequate to mitigate risks within established management appetite. I caveat this with two audit overrides: first, that something unethical or illegal is not deemed to be within appetite; and second, that excessive risk in aggregate to the organisation, such that the organisation could fail, is inappropriate. It is my job to report these, even if the board sanctioned them – in which case the reporting route would be to the police or regulatory authorities.
On risk-based planning, I don’t believe in full risk-based planning. Partly because this is a path to justifying, to the most extreme level, a lack of audit resource. I’ve heard ‘oh, we audit strategic risk only’ (despite the fact this statement includes strategic risk, which is a meaningless concept) used to justify coverage of an organisation over 20-, 40- and, record-breakingly, 150-year audit cycles. No, no, no. Internal audit needs better coverage if it is to be meaningful. Why? Because there is no such thing as strategic risk. For a start, most organisations have no strategy. For those that do, the point at which the strategy becomes both meaningful and auditable is at the ‘set of coherent actions’ level. Most sizeable and complex organisations are such that, for a risk to be strategic, i.e. organisationally significant and impactful, it has to be too esoteric. In reality, top-level risks like a ‘fall in sales’ or ‘loss of competitive position’ are most likely a whole portfolio of actions and activities that need to occur for the risk to be managed or to crystallise. So strategic risks have webs of risks and roots that extend into the organisation, and a strategic risk-based plan must map out the detail of audit work on those roots to be truly strategic. The issue for me is one of coherence, not strategic audit interventions. I do acknowledge some organisations may have the odd strategic risk, but these are few and far between, and most likely not controllable by the organisation. This means audit plans need to ignore strategic risks and map out the roots of the organisation’s web of risks into a coherent whole.
Some of the plan must be non-risk-based. There are various things a good audit service is required to do that have nothing to do with risk: coverage of finance, coverage of IT, coverage of other specialist risks, and meeting various regulators’ requirements. These need to be accommodated. We also need to provide a periodic assurance opinion, so annual sufficiency is important. Ultimately we need to do less ‘strategic’ stuff too, otherwise the diet of assurance is too rich, for both management and the governance structures.
Should we take account of the management risk assessment? Well, yes – but with caveats. First of all, most risk management systems implemented by management teams are poor, or at least suboptimal. Risk-mature organisations are rare indeed. Where they do exist, they will always be grounded in the paradigm of management thinking. Surely a good audit service should challenge and sit outside of that. So I think it likely that a good audit service should be challenging in its thinking and perform an independent assessment.
I want to see fewer audit services using an audit universe (I don’t like these; see: Running Towards Risk or Risk Based Audit?). I want to see fewer thin justifications of a lack of coverage dressed up as being risk-based. I want risk-based auditing to actually mean understanding and looking at risks, not ordering the organisational parts by gross risk and then prioritising them. All of these two-dimensional approaches to risk-based planning are unhelpful.
I want to see more audit services really know and understand their clients, the real risks and the real risk exposure, and be resourced to provide a meaningful level of coverage to deliver a sensible audit response. Sure, I can justify any number of plans and there is probably no right plan, but there are wrong plans. These are the ones with 20-year cycles of organisational coverage, with a gross risk proxy only, or those that stick to the management risk script only (even assuming it’s written well). Most of all I want to see the profession do better than it does currently – so how do you plan?