RISK BASED INTERNAL AUDITING
KAYA KWINANA, CIA
Published by Kaya Kwinana at Shakespir
Copyright 2016 Kaya Kwinana
Shakespir Edition, License Notes
This e-book is licensed for your personal enjoyment only. This e-book may not be re-sold or given away to other people. If you would like to share this book with another person, please refer that person to to get their own copy. Thank you for respecting the hard work of authors who share their views and experiences with you.
The risk basis is a form of engagement planning which has come to be in internal audit practice over the years contrary to the IIA Standards.
Over the last two years, changes have been made in the International Professional Practices Framework, seeking to entrench it in the IIA Standards.
The attempt has however been crude in that although the wording has been included, the IIA Standards relating to engagement planning have not changed and the references to the risk basis have been haphazardly inconsistent and “forced”.
This book seeks to reluctantly adopt the notion of risk based internal auditing but from an internal audit perspective which is consistent with the IIA Standards by noting that from this perspective, risk has always been addressed, though not with the external audit understanding which is sought to be introduced by those advocating this explicit acknowledgement.
Risk based internal auditing (RBIA) has been around since it was introduced by the Institute of Internal Auditors (UK & Ireland) in 2003.
Over the years, it has become risk based auditing (RBA). The mere fact that this is endorsed at the highest level at the IIA shows how much confusion it has introduced. The fundamental dual mandate of internal auditing, assurance and consulting, is threatened at the very time when practical experience (as shown by the recent corporate scandals, e.g. VW and Wells Fargo) shows that the risk maturity of organisations is very low.
Proponents of the RBIA/RBA admit that it is only appropriate where an organisation’s risk maturity is either risk managed or risk enabled. What they do not say is how to get organisations to be at those levels.
Internal auditing, without the need for a risk basis, has always been designed to help organisations to be at those levels but undermined by the risk basis propagated by those who assert that the only relevant internal audit mandate is that of assurance, to such an extent that internal auditors are now called auditors, internal audit plans are called audit plans, internal audit engagements are called audits, leaving no space for consulting.
The Institute of Internal Auditors (UK & Ireland) knew full well when introducing RBIA what was supposed to be done but not how it was supposed to be done. They started out focusing on the adequacy of the risk management and control processes, correctly suggesting consulting where they were not adequate but got stuck as to what to do where they were adequate. Instead of suggesting that there should then be an assessment of the effectiveness of those processes, they fell into the risk basis trap, and suggested that individual risks then be the basis of the effectiveness assessment.
The unseemly and underhand haste with which the risk basis is being introduced has already led to inconsistent mandatory guidance.
Fortunately, for now, if one bases one’s conduct of internal auditing on the whole of the mandatory IPPF elements and especially the 2200 group of standards, clients can be assured of the best internal audit services.
But those internal auditors who rely on sound bites, are about to consign their clients to services which are to the detriment of those clients.
In this book, I show that the normal conduct of engagements in accordance with the IIA Standards, without being explicitly risk based, do address risks – to borrow from proponents of the risk basis – “risks that matter”.
The Institute of Internal Auditors (IIA) standards are consistently clear as to the scope of internal auditing being governance, risk management and control processes.
Governance processes are included with the risk management and control processes because of the COSO models (both the internal control and the enterprise risk management frameworks) that the IIA has relied on.
The same situation would prevail if ISO 31000 were used.
It is now clear to me that the scope of internal auditing consists only of risk management and control processes. Governance is but one of many dimensions which are considered as part of any of the above-mentioned frameworks, automatically considered if engagements are conducted in accordance with the IIA standards.
Notwithstanding this insight, we refer in our discussion to governance, risk management and control processes as the focus of internal auditing for consistency with the current IIA Standards.
An organisation may, after adopting an internal control/risk management framework, adapt it to its needs.
I suggest the following adaptation of the COSO Enterprise Risk Management -Integrated Framework (COSO ERM-IF):
Risk Management Process
1 Objective Setting
2 Risk Identification
3 Risk Assessment
4 Risk Response
5 Control Activities
6 Ongoing Monitoring
7 Periodic Monitoring
8 Independent assessment
This is what internal auditing is supposed to evaluate and provide advice on, whichever is appropriate for particular circumstances, as shown by the following excerpts:
1220.A1 – “Internal auditors must exercise due professional care by considering the … adequacy and effectiveness of .”
2000 Interpretation – “… The internal audit activity adds value to the organization and its stakeholders when it considers strategies, objectives, and risks; strives to offer ways to enhance ; and objectively provides relevant assurance.”
2100 – “The internal audit activity must evaluate and contribute to the improvement of the organization’s using a systematic, disciplined, and risk-based approach. …”
2110 – “The internal audit activity must assess and make appropriate recommendations to improve the organization’s …”
2120 – “The internal audit activity must evaluate the effectiveness and contribute to the improvement of .”
2120 Interpretation – “Determining whether are effective is a judgment resulting from the internal auditor’s assessment … The results of these engagements, when viewed together, provide an understanding of the organization’s and their effectiveness. are monitored through ongoing management activities, separate evaluations, or both.”
2120.C2 – “Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s .”
2130.C1 – “Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s .”
2201 – “In planning the engagement, internal auditors must consider … the adequacy and effectiveness of the activity’s compared to a relevant framework or model, the opportunities for making significant improvements to the activity’s .”
2210.C1 – “Consulting engagement objectives must address to the extent agreed upon with the client.”
Add value – “The internal audit activity adds value to the organization (and its stakeholders) when it provides objective and relevant assurance, and contributes to the effectiveness and efficiency of .”
Assurance services – “An objective examination of evidence for the purpose of providing an independent assessment on for the organization.”
Consulting services – “Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s without the internal auditor assuming management responsibility.”
Internal audit activity – “… The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of .”
Overall opinion – “The rating, conclusion, and/or other description of results provided by the chief audit executive addressing, at a broad level, of the organization….”
As we shall see, the conventional risk based internal auditing incorrectly focuses on risks and controls.
In chapter 2, the use of the risk basis is discussed from an external audit point of view. It is used as part of engagement planning.
In chapter 3, how the risk basis is applied in internal auditing is discussed, and this is contrasted with the required internal audit engagement planning methodology.
The proponents of the risk basis have found a way of incorporating it in the IIA Standards. The unsuspecting will therefore claim this as validation of how they currently implement the risk basis in their conduct of internal auditing.
There is no way of escaping use of this concept now in internal auditing.
Unfortunately, this introduces further confusion because now, a different meaning must be attached to the risk basis to ensure that it does not devalue internal auditing, thereby working to the detriment of internal audit clients.
Internal auditors would be going against their Code of Ethics if they were to provide services to their clients which they know are to the detriment of those clients.
For those interested, please refer to the excellent work of Jeffrina Prinsloo, “The Development and Evaluation of Risk-Based Audit Approaches”, 2008, a Master of Accounting dissertation at the University of Free State.
External auditors are required by their Standards to use a risk basis as part of their engagement planning.
I refer whoever is concerned to ISA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, 2014, which says:
“1 This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.
3 The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.”
The following definitions are then provided:
“4 For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur.
(b) Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.
(c) Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control.
(d) Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels.
(e) Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration.”
The above is problematic from an internal audit perspective.
The purpose of the external audit risk assessment is completely different from what internal auditing seeks to achieve.
The external audit risk assessment is there to identify risks to the external auditor’s own objective, whereas internal auditing evaluates how the client, amongst other things, identifies and addresses risks.
As such, for example, significant risks in internal auditing are those identified as such by the client and not by the internal auditor and the internal auditor’s interest is how the client does so.
As countlessly mentioned in chapter 1:
“The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management and control processes.” Glossary definition of internal audit activity
At engagement level, this systematic, disciplined approach consists of:
1 Engagement planning (2200 group of standards)
2 Performing the engagement (2300 group of standards)
3 Communicating results (2400 group of standards)
The engagement planning processes are quite simple.
They consist of:
1 Opening meeting/Planning considerations (2201)
2 Engagement objectives (2210)
3 Engagement scope (2220)
4 Engagement work program (2240)
5 Engagement resource allocation (2230)
Information is obtained during the opening meeting, which is evaluated during the engagement objective stage to decide on the engagement objective.
Because each engagement type has a specific engagement objective, a decision on the engagement objective is the same as a decision on the engagement type.
This stage is an assessment of the adequacy of the risk management and control processes, by reference to the criteria used in periodic monitoring and the evaluations in 2210.A1 and 2210.A2, which culminate in the following:
“If adequate, internal auditors must use such criteria in their evaluation.
If inadequate, internal auditors must identify appropriate evaluation criteria through discussion with management and/or the board.” 2210.A3
Once a decision on the engagement objective is made, an engagement scope sufficient to achieve the engagement objective is developed.
We prefer to develop the engagement work program after the development of the engagement scope, to protect the integrity of the engagement: achievement of the engagement objective within the engagement scope is then the only concern, and engagement resourcing is worried about later, at which stage no changes are allowed to the approvals already given for the engagement objective, engagement scope and engagement work program.
The performance of an engagement is simply execution of the engagement work program.
As can be seen from the above, there is absolutely no need or requirement for the systems descriptions and risk assessments as detailed in the previous chapter, which characterise the risk basis inherent in the external audit perspective of engagement planning, and which many internal auditors want to and do adopt for internal auditing.
As mentioned before, internal auditing is concerned with how the client is implementing the very processes which the risk basis wants internal auditors to implement themselves.
If internal auditors followed that brand of risk basis, they would be assessing themselves and would have done nothing to help the client to implement those processes properly, because the focus is too individualistic on particular risks.
In the next chapters, we show that there is a risk basis inherent in how internal auditors do their work in accordance with the IIA Standards.
In short, we argue that the “risks that matter” are those addressed without any fanfare by internal auditing conducted in accordance with the IIA Standards.
Objective setting addresses the following risks:
1 That the objectives being pursued by the process owner are not organisational objectives
2 That important concerns of the organisation are not considered in pursuing organisational objectives
3 That organisational objectives are not articulated well enough for the relevant risks to be identified
It is very important that whatever any employee does is what he/she has been authorised to do by the organisation through its representative.
One cannot have everyone pursuing unauthorised objectives, deciding on his/her own what to do as that may not be in the interests of the organisation.
Objective setting is for this reason the preserve of the boss of whoever must achieve organisational objectives.
This is a big unappreciated risk in organisations.
How objectives are pursued is important, as shown by the recent VW and Wells Fargo examples.
As such these concerns must be explicitly articulated when objectives are being set.
A few of these concerns, which organisations may expand on, are mentioned briefly below (I call them dimensions of the objectives, and they are split into aspects as shown below):
Governance (Ethics, Accountability, Structure, HR Practices, Competence, Business Continuity)
Compliance (Constitution, Legislation, Standards, Contracts, Policies, Benchmarks)
Timing (Strategic, Operational, Tactical)
Performance (Economy, Efficiency, Effectiveness)
ICT (IT Governance, Security Management, User Access Management, IT Service Continuity)
Fraud (Corruption, Asset Misappropriation, Fraudulent Statements)
Reporting – Financial and non-financial (Presentation, Reliability, Usefulness)
All the above need to be considered and, if not applicable, explicitly indicated to be so, as evidence that they were considered.
This is another big risk which gives rise to the problems organisations find themselves in.
As can be seen, these classifications are still too broad.
Regarding a specific objective, more detail as to how these dimensions apply to that objective needs to be specified, together with the required performance target.
Doing the above enables relevant risks to be identified, which are focused on the objective at hand through the actual performance target the process owner has to achieve. I am sure those who have been involved in risk workshops will vouch that these amount most of the time to thumb sucking exercises.
Chapter 5 Risk Identification
The risk identification process addresses the following risks:
1 That the risks are not identified by the appropriate person – the person who must achieve the objectives
2 That risks are not articulated properly
3 That opportunities will not be considered
The best person to identify risks is the person who has to achieve an objective – the process owner.
A big risk in organisations is that that person never has a voice in risk identification, especially given that the risk basis normally emphasises risks at a strategic level.
Objectives are set at every level of an organisation and therefore risks must be identified at those levels.
All objectives are managed in the same way and risks to them are identified in the same way. The organisational hierarchy automatically sees to what extent objectives are applicable to how much of the organisation.
From the normal perspective, risk identification could be viewed as inviting the process owner to provide excuses for not achieving objectives up front, so that these can be addressed early enough because objectives are set to be achieved, not so that explanations can be provided later as to why they could not be achieved.
Risks also have to be articulated in a consistent way within an organisation; for example, the event, the impact and the performance target impacted must be specified in articulating a risk.
This ensures that the focus of the risk identifier is clear to everyone concerned.
Risks are normally understood as threats, as mentioned above, but they actually include opportunities.
Organisations miss many opportunities as a result of this understanding of risks, and by not inviting the people most in touch with an objective to give their views on how that objective could be achieved better.
Risk types therefore have to be indicated, firstly to ensure that opportunities are also identified in risk identification and secondly to ensure that risk assessments consider what risk type is being assessed.
The risk assessment process addresses the following risks:
1 That risks are not assessed by the appropriate person – the person who must achieve the objectives
2 That risks are not assessed on an inherent basis
3 That risks are not assessed on likelihood and impact
4 That the organisationally approved risk rating table is not used
5 That the risk ratings are not explained for the benefit of others not involved in the inherent risk assessment
6 That risks are not assessed properly in accordance with their type (threats and opportunities)
The process owner, the person who must achieve an objective, needs to be given an opportunity to indicate how important to him/her a risk is.
The process owner is therefore the appropriate person to assess identified risks and this must be done on an inherent basis at this stage.
The inherent risk assessment indicates much better the magnitude of risk attached, devoid of whatever controls may be present. Normally process owners would not want to admit that the prevailing controls are not effective.
Similarly to the risk descriptions, risks have to be assessed in a uniform way through an organisation – on likelihood and impact using the approved risk rating table, with the risk score determined as a product of the two. (Current controls cannot be factored into this assessment as is sometimes done.)
One cannot have one area using a 10×10 rating table while in another area a 5×5 or 3×3 rating table is used.
Whichever rating table is used, the process owner still must indicate what each rating means to him/her regarding a risk under consideration.
This is to ensure that in the next stage, there is consistency in the meaning of the ratings awarded.
Lastly, even though the same rating table is used for threats and opportunities, they operate differently. For example, an organisation would like to reduce risk associated with threats but would be more prepared to increase risk associated with an opportunity.
Therefore, it was important to explicitly state the risk types during risk identification.
The risk response process addresses the following risks:
1 That the response to identified risks is not by the appropriate person – the person who set the objectives
2 That the risk appetite is not appropriately articulated
3 That risk significance is not properly articulated
4 That appropriate risk treatment strategies are not chosen
5 That risk treatment strategies are not in accordance with the risk types
In most organisations where process owners identify risks, they proceed to decide which of those risks are significant.
We saw this with the external audit perspective, where the external auditors identified the risks, assessed them and decided on their significance.
In an organisation, this cannot be the case. Addressing a risk involves the use of organisational resources, even if these are limited to time, and therefore must be authorised by a properly authorised organisational representative – the process owner’s boss, who would have been the person who set the objective in the first place.
Putting aside the misperception of those who think that the only important risks are those expressed at the top level of an organisation, the risk appetite shows its true nature in its simplest form, as defined by the IIA:
“The level of risk that an organization is willing to accept”
The process owner’s boss has to decide this level and since the risk was assessed in terms of likelihood and impact, so also is the risk appetite appropriately expressed in those terms.
The risk appetite score (product of its likelihood and impact ratings) determines the significance of a risk when compared to the inherent risk score, whereas comparison of the risk appetite likelihood and impact ratings with those of the inherent risk determine the risk treatment strategies.
The risk appetite is addressed in more detail in my book, Risk Appetite, also available from . Many mistakes are made in the determination of risk significance and risk treatment strategies.
Proper risk treatment strategies consider whether the risk under consideration is a threat or an opportunity. In many organisations, not knowing which risk treatment strategies to apply to opportunities deprives those organisations from having opportunities properly addressed.
The control activities process addresses the following risks:
1 That controls are not developed by the appropriate person
2 That control levels are not aligned to the specified risk treatment strategies
3 That appropriate controls are not developed
4 That developed controls are not approved by the process owner’s boss
Once the process owner’s boss has specified the risk treatment strategies to be applied to a risk, the process owner must develop the appropriate controls at the appropriate control levels to align with that risk treatment strategy.
In most organisations this is a problem not addressed by proponents of the risk basis, even though this is their focus. Organisations are left no wiser as to how to do this.
For example, where a risk treatment strategy requires that both likelihood and impact must be addressed, this implies that two level 1 controls must be developed to address the risk, two level 2 controls must also be developed to monitor both likelihood and impact, and two level 3 controls must be developed in preparation for responding in case either of the level 1 controls does not work as intended.
Some significant risks may need only level 2 and level 3 controls.
Most pervasive has been the case where controls are developed to address insignificant risks – what a waste of organisational resources!
In most cases, process owners are only aware of this much later, meaning that controls were applied without having been approved by the process owner’s boss or the boss himself did not know how the control activities processes work.
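The risk assessment, risk response and control activities steps above can be followed through on constructed sample risks. The following is an added example written for this edition, not the book’s own material, and its decision rules are my assumptions where the text leaves them open: a threat is treated as significant when its inherent score exceeds the risk appetite score; a dimension (likelihood or impact) must be addressed when its inherent rating exceeds the appetite rating on that dimension; for an opportunity both comparisons are inverted, since the text says the organisation is prepared to take on more risk there; and each dimension addressed gets one control at each of levels 1, 2 and 3. The risk descriptions and ratings are constructed sample data.

```python
# Added example: a small model of inherent risk scoring, risk appetite
# comparison and control-level planning as described in the book.
# Decision rules marked "assumed" are the editor's, not the author's.
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple


class RiskType(Enum):
    THREAT = "threat"
    OPPORTUNITY = "opportunity"


@dataclass(frozen=True)
class Rating:
    """One likelihood/impact rating on the approved rating table."""
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        # Risk score is the product of likelihood and impact (as in the book).
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Risk:
    description: str
    risk_type: RiskType
    inherent: Rating   # assessed by the process owner, devoid of controls
    appetite: Rating   # set by the process owner's boss, on the same two dimensions


DIMENSIONS = ("likelihood", "impact")
# Level 1 addresses the dimension, level 2 monitors it, level 3 responds if level 1 fails.
CONTROL_LEVELS = (1, 2, 3)


def validate_rating(rating: Rating, scale: int) -> None:
    """Reject ratings outside the organisationally approved table (e.g. 5x5)."""
    for name in DIMENSIONS:
        value = getattr(rating, name)
        if not 1 <= value <= scale:
            raise ValueError(f"{name} rating {value} is outside the approved 1..{scale} table")


def is_significant(risk: Risk) -> bool:
    """Assumed rule: a threat is significant when inherent score > appetite score;
    an opportunity when inherent score < appetite score (room to take on more)."""
    if risk.risk_type is RiskType.THREAT:
        return risk.inherent.score > risk.appetite.score
    return risk.inherent.score < risk.appetite.score


def dimensions_to_address(risk: Risk) -> List[str]:
    """Assumed rule: compare each dimension's inherent rating with the appetite rating."""
    if risk.risk_type is RiskType.THREAT:
        return [d for d in DIMENSIONS if getattr(risk.inherent, d) > getattr(risk.appetite, d)]
    return [d for d in DIMENSIONS if getattr(risk.inherent, d) < getattr(risk.appetite, d)]


def plan_controls(risk: Risk, scale: int = 5) -> List[Tuple[int, str]]:
    """Return (control level, dimension) pairs the process owner must develop.
    Insignificant risks get no controls, to avoid the waste the book describes."""
    validate_rating(risk.inherent, scale)
    validate_rating(risk.appetite, scale)
    if not is_significant(risk):
        return []
    return [(level, dim) for dim in dimensions_to_address(risk) for level in CONTROL_LEVELS]


# Constructed sample risks on an assumed 5x5 rating table.
SAMPLE_RISKS = [
    Risk("Process owner pursues objectives not set by the boss", RiskType.THREAT, Rating(4, 5), Rating(2, 3)),
    Risk("Supplier invoice paid twice", RiskType.THREAT, Rating(2, 2), Rating(2, 3)),
    Risk("Faster onboarding raises first-quarter sales", RiskType.OPPORTUNITY, Rating(2, 4), Rating(4, 4)),
]

if __name__ == "__main__":
    for risk in SAMPLE_RISKS:
        print(f"{risk.description}: inherent {risk.inherent.score}, appetite {risk.appetite.score}, "
              f"significant={is_significant(risk)}, controls={plan_controls(risk)}")
```

The first threat exceeds appetite on both dimensions and needs six controls; the second falls within appetite and gets none; the opportunity is worth pursuing only on likelihood, so the three controls all work on that dimension.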
The ongoing monitoring process addresses the following risks:
1 That ongoing monitoring is not performed by the appropriate person
2 That the residual risk assessment is not performed properly and timely
3 That action is not taken in response to what is observed
The process owner must be the one to conduct ongoing monitoring, as this is done on a day by day basis.
This is done through a constantly reviewed residual risk assessment. This residual assessment is compared to the risk appetite and must consider the result of implementing every control developed for a risk.
The required action is that indicated by the level 3 controls.
The periodic monitoring process addresses the following risks:
1 That periodic monitoring is not performed by the appropriate person
2 That internal control is not evaluated
3 That the process owner is not held accountable
The process owner’s boss must periodically assess whether all the above processes are being implemented properly.
These processes constitute internal control, which is the system through which an organisation obtains reasonable assurance that organisational objectives will be achieved.
For this to happen, however, internal control must be adequate and effective.
That is what the process owner’s boss must monitor, holding the process owner accountable for the adequacy and effectiveness of internal control.
This raises an important point.
Since the process owner’s boss has a vital contribution to make in the implementation of internal control in the area of responsibility of the process owner, the boss must be competent in these processes.
What this implies is that engagements in an organisation must be conducted on a top down basis.
Risk based engagements normally are not conducted top down and, combined with the fact that they assess pockets of internal control rather than internal control as a whole, do not materially improve the adequacy and effectiveness of internal control in organisations.
The tragedy is that whenever there are corporate failures, the urge to be seen to be doing something does not extend to asking the right question of the organisation and internal auditing, regarding whether at any stage the above was happening, assessed or advice provided on.
The continuous improvement process addresses the following risks:
1 That both principals are not involved in seeking better solutions
2 That advantage is not taken of the learning curve
Both the process owner and the boss are responsible for improving the implementation of internal control. They are closer to the fire, so to speak, than anyone else in the organisation regarding their area of responsibility.
The articulation of internal control outlined above deals with just the fundamentals.
More information needs to be obtained on how to improve the implementation of internal control and one of the best sources thereof is the learning curve, noting what is happening and having the questioning attitude to ask what can be done better.
Learnings have to be shared within the particular area of responsibility and with the organisation.
Many more risks, more important than those focused on by proponents of the risk basis, are addressed by conducting internal auditing in accordance with the IIA standards, without an explicitly risk based focus.
I have referred to the risk basis as a grain by grain methodology, comparing it with transferring sugar into a cup of tea or coffee grain by grain instead of using a teaspoon to do so.
This can also be seen from the distinct engagements prevalent when that methodology is used, where one sees separate engagements into the dimensions and aspects of objectives mentioned in the objective setting section.
An engagement conducted in accordance with the IIA Standards addresses all the issues discussed above in one engagement.
The methodology pursuant to the systematic, disciplined approach works!
The inclusion wherever possible of the risk basis to try to justify prevalent practice adds confusion.
Many will interpret it to be the risk basis which has been implemented through the years but frowned upon by the IIA Standards taken as a whole, as demonstrated in the first chapter.
What organisations are missing out on, is internal audit services which are to their benefit.
The lobby for the wrong practices is however strong and will in the future endeavour to target the engagement planning section of the systematic, disciplined approach (which they are renaming in certain places in the IIA Standards as “the systematic, disciplined and risk-based approach”).
It is up to organisations and internal auditors to question practices critically, otherwise this is the start of the death of the one profession which could be of most benefit to them.
Internal audit opinions (putting aside consulting engagements which are the true value adding internal audit services) are about what is happening now and in the immediate past and how to improve it. That immediate past is in my opinion never more than three months.
The periodic monitoring should also therefore never be more than three months in frequency.
The risk basis however envisages three year cycles, meaning it is possible for assurance of any kind to be three years apart in an organisation.
And one wonders how the VW and Wells Fargo incidents were not detected earlier!
As we have seen, however, engagements conducted in accordance with the 2200 groups of standards, are in fact risk based.
The true nature of the risk-based internal auditing propagated can be seen from there now being no distinction made between risk-based internal auditing (RBIA) and risk-based auditing (RBA). It is still contrary to the IIA Standards mandated methodology as outlined in the 2200 groups of standards, which has always addressed risk. Every proponent of that brand of risk-based internal auditing admits that it is not appropriate where the risk maturity of an organisation is neither risk managed nor risk enabled. Yet they are intent on introducing it, without proposing how to get organisations to be at those levels. What is not understood is that internal auditing in accordance with the IIA Standards seeks to get the risk maturity of organisations to these levels. This book seeks to show that internal auditing as outlined in the 2200 groups of standards still does not need to be explicitly risk-based, because of the confusion this creates, even though as we show, it addresses the "risks that matter", to borrow from proponents of the risk basis, much better and more efficiently than the proposed but unspecified RBIA or RBA.