Risk-Based Auditing
eBook - ePub

Phil Griffiths

  1. 236 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android

About This Book

The role of internal audit is changing. The Sarbanes-Oxley legislation in the US and the Combined Code for Corporate Governance in the UK focused on the need to demonstrate the active management of risks and report on this subject to shareholders. Boards of Directors are therefore increasingly requiring their Internal Audit functions to provide a much higher level of assurance in this regard. Phil Griffiths' Risk-Based Auditing explains the concepts and practice behind a risk-based approach to auditing. He explores the changing environment in both the private and public sectors and the associated legislation and guidance. The book then provides a blueprint for refocusing the internal audit role to embrace risk and to help plan, market, undertake and report a risk-based audit. The text includes a detailed risk-based audit toolkit with 14 sections of tools, techniques and information to enable a risk-based approach to be adopted. This is an essential guide for internal and external auditors seeking to manage the realities of the audit function in the turbulent and fast-changing business environment that has emerged since the end of the last century.

Frequently asked questions

Is Risk-Based Auditing an online PDF/ePUB?
Yes, you can access Risk-Based Auditing by Phil Griffiths in PDF and/or ePUB format, as well as other popular books in Business & Managerial Accounting. We have over one million books available in our catalogue for you to explore.

Information

Publisher
Routledge
Year
2016
ISBN
9781317062707
Edition
1

CHAPTER 1 What is Risk-based Audit?

The Internal Audit identity crisis

Let’s face it, if you are reading this book, you are probably either already an auditor, preparing to become one or responsible for managing or overseeing the function. The other possibility is that you are considering a role in Internal Audit – if this is the case I hope to be able to whet your appetite and show you what a wonderful opportunity it brings.
Whichever category of reader you are, the first major bridge to be crossed is the identity of the function.
I was to learn that we tend to meet any new situations by reorganising – a wonderful method for creating the illusion of progress
This quote by the Roman Caius Petronius in AD 66 illustrates the dilemma for Internal Audit.
Internal Audit has seemingly attempted a number of changes in approach over the years, but have any made a real difference?
Is Internal Audit seen as the ‘White Knight’ charging in full armour, past cheering throngs of well-wishers to rescue the damsel in distress or the ‘Lady with the Lamp’, splendid and serene, tending to the ranks of wounded in the Crimean War without a thought for her personal well-being?
Probably not.
It is more likely that an auditor may be seen, to use the old joke, as the team that comes in after the battle and bayonets the wounded.
The role still has somewhat of an identity crisis. Risk-based audit offers some, if not all, of the solutions.
In the following chart I would like to pose a question to you to illustrate the point.
Please pick the one creature which you believe best describes the role of Internal Audit in the eyes of the Chief Executive or Directors of your organisation. Try and put yourself in their shoes. If you asked them the same question, what do you believe their answer would be?
Figure 1.1 What creature best describes how your function is seen?
Let’s analyse the most likely responses:
• Dinosaur
If this is the perception, you have a major task ahead. You need to move quickly; otherwise you may become extinct.
• Snake
The snake in the grass, waiting to trap the unwary, is a very common metaphor for the function in management’s eyes.
• Praying Mantis
This insect looks reverent and calm (the stance looking as though it is at prayer) but if a tasty morsel passes it, it is ready to strike and become a ‘preying’ mantis. Does Internal Audit give out these vibes? Outwardly innocent but a menace in disguise.
• Bee
Buzzing from flower to flower not staying long in one place and a sting in the tail if things get really tough. Better than the dinosaur, praying mantis or snake but still probably not quite how Internal Auditors would like to be seen.
• Koala
Let’s be realistic, you are never going to be regarded with as much affection as the cuddly koala bear.
• Donkey
Dependable, not afraid of hard work and has to carry many burdens – maybe not such a bad comparison.
• Ant
A fantastic teamworker but small and easily trodden on.
• Dog
Reliable, faithful and if it is a guard-dog, looking out for the business – a safety and comfort provider. Maybe quite a good metaphor – unless you are seen as a terrier snapping at the heels.
• Lion
Strong, respected but can be very fierce and intimidating. Much better than the snake but probably not quite as you would wish to be seen.
• Dolphin
Super-intelligent, sleek, fast and loved by everyone. It would be very good to be thought of as a dolphin. This is a very good goal for Internal Audit, although I am not sure if you will ever be loved by everyone.
• Eagle
The very best metaphor for modern Internal Audit. The eagle flies majestically across its domain, able to watch over its environment and take everything in and when necessary can swoop down and deal with issues.
The risk-based audit approach is the tool you need to ensure that you are increasingly regarded as the eagle or the dolphin.

Definitions and outline

So what is risk-based audit? It is a process, an approach, a methodology and an attitude of mind rolled into one. The simplest way to think about risk-based audit conceptually is to audit the things that really matter to your organisation. Which are the issues that really matter? Probably those areas that pose the greatest risks. What else would you really want to review? If your organisation has already identified its key risks then you already have the basis for risk-based auditing. Clearly, if risks have not been formally identified and assessed then there is a real opportunity for you to work with management to help create this information.
The second way of looking at risk-based audit is as a process. Traditionally audits begin and end by looking at controls, often regarded as the main expertise that the function has. The problem with this approach is two-fold.
Firstly, management do not really understand controls, which can be an alien concept for them. If they do understand the nature of controls they tend to consider the need for more controls as an unnecessary additional burden.
Secondly, it is unlikely that your Internal Audit function is an expert in control. Can you really say that you understand the controls in all aspects and all activities within your business? It is therefore necessary, if you are going to demonstrate your eagle-like qualities, to be able to talk to management in a language they understand and appreciate. To fully engage management you need to talk to them about something that is important to them. If you start by discussing their objectives, what they need to achieve and how this is measured you will attract their attention.
Having created the common ground (and it is preferable if you have first given some thoughts to the objectives in the area under review before the meeting), you can now go on to discuss the threats to the achievement of those objectives, the barriers to success; these are, of course, the risks.
Again management should be able to elucidate many of the risks or threats, but theoretically, if you have tried to anticipate the types of threat beforehand this will act as a positive spur.
Having created an understanding of the objectives and risk you can then discuss the risk appetite, the boundaries set by senior management (by authorisation limits and so on) or, indeed locally, the limits beyond which the management of the function to be audited will not venture (or is advised not to go) in risk-taking.
The next stage is then to discuss the processes in place to mitigate the risks already identified and those that appear on the horizon and the areas of concern or opportunity in relation to those processes.
You are now, of course, talking about the controls, but rather than doing so in isolation you will be discussing them as part of the full management process and should receive a much more positive response as a result.
The essence of risk-based audit is therefore customer-focused, starting with the objectives of the activity being audited, then moving on to the threats (or risks) to achievement of those goals and then to the procedures and processes to mitigate the risks. Risk-based audit is therefore an evolution rather than a revolution, although the results obtained can be revolutionary in their magnitude.
The chapters that follow expand these principles into a full process, explain the attitudinal changes and the broader range of skills required together with the tools and techniques necessary to adopt the process and to become a world-class Internal Audit function.

The challenges for Internal Audit

Figure 1.2 Do you recognise yourselves? Are auditors fighting the good fight? What could the big ‘C’ word signify in relation to the audit role?
• Control
Ask auditors their prime area of expertise and many will say ‘Control’. Can you honestly say that you are an expert in all aspects of your organisation’s operations? I doubt it. Why then is Internal Audit obsessed with control?
• Compliance
This is an important aspect of the traditional audit role. It is still very important today; getting the basics wrong can spell disaster for organisations, but should compliance be the main focus of the Internal Audit role? Our continuing research with Chief Executives would clearly indicate that this is not the case.
The question was asked as to the prime focus of the function. The respondents had to pick the approach that was primarily followed.
Compliance, as can be seen, is increasingly unlikely to be the prime focus for Internal Audit, with only 1 per cent of organisations who responded adopting this as the primary approach.
As you can see, the prime focus is very definitely focusing on the key risks. This is not to say the other processes are not important, but they are unlikely to remain the dominant focus.
• Conflict
Hopefully Internal Audit does not get into too much conflict with management. Overemphasis on control and the failure to make recommendations that are 100 per cent practical can, however, lead to such a situation.
• Challenge
This is definitely a key role for the modern function. You need to question the ‘we’ve always done it that way’ mentality and challenge the status quo. If you do not do so in the course of an audit, who will?
• Co-ordinate
Wouldn’t it be useful if Internal Audit co-ordinated its activities with the other assurance providers in the organisation, such as Risk Management, External Audit, Health & Safety, and so on? This would reduce duplication and create more focus. An approach on how to achieve such a co-ordinated approach is outlined in Chapter 8.
• Champion
Internal Audit should certainly be regarded as a champion. You have the opportunity to look right across the organisation and identify opportunities and good practice. Sharing such ideas is key to success and recognition.
• Catalyst
The very best Internal Audit functions are regarded as a catalyst for change, helping the organisation through the difficulties of changing environments, cultures, and so on. Another key catalyst role is bringing people together to discuss areas of concern and opportunity, a best-practice agent.
There are others that you can think of, such as co-operate, convince, conscience, and so on, but I hope that the above have generated an indication of the trends occurring.

The trends

Having suggested that risk-based auditing is an evolution let me attempt to trace this change process. Let’s have a look at some of the trends in risk-based audit. One question to pose is ‘Are you fire fighting all the time or are you able to plan in advance?’ The more fire fighting you do the less likely it is that your organisation is focusing on its key risks. If you are able to link in directly to your organisation’s evaluation of risk, that’s much more effective. The best way to illustrate the transition is to consider the different approaches to Internal Audit.
1 Compliance
This is where Internal Audit began. It is still a valid approach but is rather limited in its focus, as it tends to concentrate efforts on whether or not the procedures and policies are being adhered to. Is that enough in today’s challenging environment? I would certainly say that it fails to optimise the potential of the Internal Audit activity.
2 Systems-based audit (SBA)
This is the approach adopted by more modern Internal Audit functions. The approach is predicated on evaluating systems and processes rather than locations or branches. Essentially the SBA is a horizontal rather than vertical approach, reviewing an activity across the organisation and looking for the areas where there are inconsistencies or interfaces are incomplete. Systems-based audit is therefore much less transaction based than compliance, indeed the phrase ‘cradle to the grave’ is often used to describe the process. The approach is to follow a small number of transactions through the system from start to finish to prove its effectiveness.
3 Risk-based audit
Risk-based audit builds on the SBA approach focusing on the areas of the highest risk to the business and uses a different starting point, business objectives rather than controls. The recommendations made are also risk-evaluated to ensure maximum benefit and buy-in by management.
4 Value for money
This is the review of a process to determine whether optimum value for money is being achieved and to make profit-enhancing recommendations. This audit approach was used extensively until a few years ago, but seems to have fallen out of favour. I believe that this is an excellent complementary approach to risk-based auditing and would suggest that it should now be a feature of most audits, to assess whether or not the activities achieve the best value for money in your organisation. Certain audits such as travel costs, mobile phones and other items of corporate expenditure lend themselves particularly well to the VFM approach.
5 Assurance-based audit (ABA)
This is the most recent and some would say the real winner for Internal Audit functions. ABA is using the risk-based approach to co-ordinate all the assurance activities in the organisation to ensure that duplication is minimised, nothing falls between two stools and a co-ordinated assurance position is given to the Board. T...
