
ACCOUNTING & AUDITING / auditing

Maximizing the Value of a Risk-Based Audit Plan

Internal Auditors Can Identify and Mitigate Risk

By Michael Bechara and Gaurav Kapoor

If there is anything that the business world has learned from the economic events of the last few years, it is that effective risk management is critical. Around the world, substantial investments are being devoted to strengthening risk management programs. Yet failures continue to occur, whether they appear in the form of regulatory missteps, lost profitability, or the hacking of sensitive information. Millions of customers are affected, and billions of dollars are lost.

In response, companies increasingly depend on internal auditors to identify and help mitigate these risks. Internal auditors are uniquely positioned to handle these responsibilities because of their understanding of business processes and risks, as well as their ongoing interaction with both business units and management. What, then, is the role that they must play in building risk resilience?

A Systemic, Risk-Based Audit Approach

The focus of an internal audit has always been on risks. But what is changing is how internal auditors go about assessing these risks. Traditional audit plans based on suspicions or direction from management are bound to skew decision making. Rotational audit plans result in misallocation of resources because they do not take into account variations in risk. Similarly, lists of risks by industry may be well researched, but they do not consider each organization's unique risk profile and history.

An effective risk-based audit plan overcomes all the above limitations by viewing risks through the prism of strategic objectives, which enables a more targeted and efficient audit. It also links risks with business objectives, thus facilitating smarter, faster, and sharper risk mitigation programs.

Implementing a Risk-Based Audit Plan

Contrary to popular opinion, risk-based audits do not begin with the risks themselves. If one builds a risk universe that catalogues hundreds of risks in isolation, one would find that it is neither practical nor useful in decision making. It simply results in a waste of precious time and resources on those risks that are irrelevant to the organization.

An effective risk-based audit plan begins with the organization's objectives and goals, because risks are only relevant in the context of these objectives. For example, if an individual's objective is to stay at home and watch TV, he wouldn't worry about the risk of a flat tire; however, he might worry about being interrupted by his children, attending to a phone call, or cooking dinner, because these risks impact the objective of watching TV.

Discovering Risk Data

Enterprise resource planning (ERP) data and generic lists of risks by industry are based on historical data; they assume that the future will look like the past when, in fact, things rarely happen the same way twice. Instead, auditors should turn to the organization's people. They represent one of the most dynamic, current, and important sources of risk information because they face risks in the organization every day, and are capable of conveying their thoughts about emerging or potential risks.

MARCH 2012 / THE CPA JOURNAL

Internal auditors should start with senior management in order to understand strategic goals and identify the risks associated with these goals. Then, they should expand the discussion to a larger cross section of people across the enterprise, such as personnel in the operations, purchasing, compliance, and legal departments, as well as any other employees who are tasked with attaining the organization's objectives; the more respondents interviewed, the more comprehensive and in-depth the insights will be.

When conducting these interviews, auditors should refrain from asking questions such as, "What keeps you up at night?" Such cliched questions only limit the kinds of responses internal auditors will receive. Instead, they should describe objectives and risks, and ask people to identify how well the company is achieving its objectives. They should also ask them to identify any other risks that have not been discussed but that still threaten the company's objectives.

Another method that auditors can employ is using surveys to collect responses. Introducing a scale of 1 to 5 for each question will help quantify the responses later. Exhibit 1 provides an example of one such survey.

EXHIBIT 1
Survey Example

Objective: Accurate Financial Reporting
  Rating scale: Excellent / Good / Fair / Below Average / Poor

Risks: Lack of Accounting Experience; Excessive Overtime; Poor Communication
  Rating scale: Pervasive / Frequent / Average / Infrequent / Rare

Once auditors have gathered risk data, they are ready to
- map risks to objectives,
- identify risk patterns, and
- classify the risk patterns according to organizational objectives.

Mapping risks to objectives. The common tendency among auditors is to focus on the risk that receives the greatest number of responses or the most egregious ratings. For example, if 95% of survey respondents selected Risk A as being the most threatening to the organization, auditors might feel compelled to devote all their resources to designing an audit that would mitigate that one risk. But risks do not act in isolation; they interact with each other, and with strategic objectives, in a complex pattern. Therefore, it is important to understand these interactions and correlations.

If an auditor's objective is accurate financial reporting, surveys might reveal that it is strongly threatened by a lack of accounting experience and moderately threatened by poor corporate governance. An auditor might also uncover risks that pose threats to a seemingly unrelated objective. For example, aggressive sales or marketing programs could be found to have a strong impact on financial reporting. If pressure is applied across the organization to meet certain sales targets, financial reporting could be compromised by recognizing revenue prematurely or inappropriately. A common example of this risk manifesting itself would be "channel stuffing," where excess products are shipped to distributors at the end of a period, only to be taken back or returned at the beginning of the next.

Identifying risk patterns. Risk patterns are a combination of individual risks that affect a particular objective. It is important to look at these patterns because they provide a sense of the larger picture. They indicate a combination of risks that is greater than the sum of any of its individual parts. For example, if an individual was driving a car while talking on a mobile phone and being distracted by music, all at the same time, the chances of a collision with another vehicle would be very high. Each of the above risks occurring in isolation poses a far lesser threat than when they manifest themselves together as a pattern.

Essentially, risk patterns help internal auditors identify those risks that, together, interact to form a dangerous situation. For example, auditors might find from their surveys that accurate financial reporting is affected by the following risk pattern: lack of accounting experience (20%), poor corporate governance (40%), aggressive sales or marketing programs (30%), and inadequate training (10%). By itself, the risk of inadequate training seems minor. But if auditors were to ignore this risk and not make any effort to audit or mitigate it, the risk would continue to pose a significant threat to financial reporting.

Classifying risk patterns by objectives. Once auditors have arranged their risk patterns by objectives, the risk-based audit plan becomes more targeted. At this point, it is important to keep in mind that audits should not be directed at the most critical risk, but at all of the risks that threaten the most critical objective. This will enable auditors to take concrete action, seamlessly align risk management with business strategy, and facilitate accountability and transparency.

Exhibit 2 shows five typical organizational objectives. Each bar above the objectives shows the risk pattern that threatens that objective. Each color represents one hypothetical risk, and more than one color in a bar indicates a risk pattern of two or more risks for that objective. For example, the objective "accurate financial reporting" is threatened by four risks. The yellow risk is the most prevalent in the pattern because it makes up almost 40% of the entire risk pattern.
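The three steps just described (map survey responses to objectives, derive each objective's risk pattern, then rank objectives rather than individual risks) can be made concrete with a short worked example. The following Python is an added illustration, not code from the article or from the authors' firms. The respondents, ratings, and risk names are constructed, chosen so that the "Accurate Financial Reporting" pattern reproduces the 20/40/30/10 split discussed in the text; the aggregation rule (sum each risk's 1-to-5 ratings per objective and express it as a share of that objective's total) is an assumption, since the article does not state how its percentages are computed. The example also shows the "Risk A" trap: the single most-reported risk belongs to the healthiest objective, so an audit plan built around it would miss the four risks, including the 10% one, that threaten the weakest objective.

```python
"""Turn Exhibit 1-style survey responses into risk patterns per objective.

Constructed example: respondents, ratings and the resulting shares are
invented to mirror the article's 20%/40%/30%/10% pattern, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Rating scales from Exhibit 1, mapped onto the article's 1-to-5 scale.
OBJECTIVE_SCALE = {"Excellent": 5, "Good": 4, "Fair": 3, "Below Average": 2, "Poor": 1}
RISK_SCALE = {"Pervasive": 5, "Frequent": 4, "Average": 3, "Infrequent": 2, "Rare": 1}


@dataclass
class Response:
    """One respondent's answers about one objective."""
    respondent: str
    objective: str
    achievement: str                          # how well the objective is being met
    risks: dict = field(default_factory=dict)  # risk name -> how often it is felt


# Constructed survey data (hypothetical respondents and ratings).
RESPONSES = [
    Response("ops-1", "Accurate Financial Reporting", "Below Average",
             {"Poor Corporate Governance": "Pervasive", "Aggressive Sales Programs": "Frequent",
              "Lack of Accounting Experience": "Average", "Inadequate Training": "Rare"}),
    Response("fin-1", "Accurate Financial Reporting", "Fair",
             {"Poor Corporate Governance": "Frequent", "Aggressive Sales Programs": "Average",
              "Lack of Accounting Experience": "Infrequent", "Inadequate Training": "Rare"}),
    Response("legal-1", "Accurate Financial Reporting", "Below Average",
             {"Poor Corporate Governance": "Frequent", "Aggressive Sales Programs": "Average",
              "Lack of Accounting Experience": "Infrequent", "Inadequate Training": "Rare"}),
    Response("sales-1", "Accurate Financial Reporting", "Fair",
             {"Poor Corporate Governance": "Average", "Aggressive Sales Programs": "Infrequent",
              "Lack of Accounting Experience": "Rare", "Inadequate Training": "Rare"}),
    Response("ops-1", "Employee Safety", "Good",
             {"Excessive Overtime": "Pervasive", "Poor Communication": "Average"}),
    Response("ops-2", "Employee Safety", "Good",
             {"Excessive Overtime": "Pervasive", "Poor Communication": "Infrequent"}),
    Response("hr-1", "Employee Safety", "Excellent",
             {"Excessive Overtime": "Pervasive", "Poor Communication": "Infrequent"}),
    Response("purch-1", "Employee Safety", "Good",
             {"Excessive Overtime": "Frequent", "Poor Communication": "Rare"}),
]


def objective_health(responses):
    """Mean achievement rating per objective (5 = Excellent, 1 = Poor)."""
    totals, counts = defaultdict(int), defaultdict(int)
    for r in responses:
        totals[r.objective] += OBJECTIVE_SCALE[r.achievement]
        counts[r.objective] += 1
    return {o: totals[o] / counts[o] for o in totals}


def risk_patterns(responses):
    """Share of each risk within the pattern threatening each objective.

    Ratings are summed per (objective, risk) and normalised so the shares
    for one objective add up to 1.0 (assumed rule, see lead-in).
    """
    scores = defaultdict(lambda: defaultdict(int))
    for r in responses:
        for risk, rating in r.risks.items():
            scores[r.objective][risk] += RISK_SCALE[rating]
    patterns = {}
    for objective, by_risk in scores.items():
        total = sum(by_risk.values())
        patterns[objective] = {risk: round(s / total, 2) for risk, s in by_risk.items()}
    return patterns


def loudest_risk(responses):
    """The single risk with the highest total rating across all objectives:
    the 'Risk A' that the article warns auditors not to fixate on."""
    totals = defaultdict(int)
    for r in responses:
        for risk, rating in r.risks.items():
            totals[risk] += RISK_SCALE[rating]
    return max(totals, key=totals.get)


def audit_plan(responses):
    """Objectives ordered weakest first, each with its complete risk pattern.

    Every risk in the pattern is kept, minor shares included, because the
    plan targets all risks threatening the most critical objective.
    """
    health = objective_health(responses)
    patterns = risk_patterns(responses)
    plan = []
    for objective in sorted(health, key=health.get):
        ranked = sorted(patterns[objective].items(), key=lambda kv: -kv[1])
        plan.append((objective, health[objective], ranked))
    return plan


if __name__ == "__main__":
    print("Loudest single risk:", loudest_risk(RESPONSES))
    for objective, score, ranked in audit_plan(RESPONSES):
        print(f"\n{objective} (achievement {score:.2f}/5)")
        for risk, share in ranked:
            print(f"  {share:>4.0%}  {risk}")
```

Run as a script, the loudest single risk comes out as "Excessive Overtime" (it was rated Pervasive by most respondents), yet the weakest objective is "Accurate Financial Reporting", whose pattern is governance 40%, sales programs 30%, accounting experience 20%, training 10%. Ranking objectives first, then auditing the whole pattern, is what keeps the 10% risk on the plan.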
Technology as an Enabler

A large part of risk-based audits involves talking to various stakeholders, identifying risks across teams and departments, and assessing the effectiveness of various controls to mitigate those risks. It's an expansive and time-consuming activity that is typically carried out by multiple auditors, using multiple independent applications, processes, workpapers, and tools. Without adequate communication and coordination between them, it is likely that internal audit activities would be duplicated at various points across the organization, thus lowering efficiency and raising costs.

But what if there was one single system to unite all audit processes, entities, systems, tools, and workflows? Communication across the enterprise would be enhanced, visibility into risks and audits would improve, and duplicate and redundant audit activities could be eliminated.

Technology enables a centralized audit infrastructure that can provide a single point of reference to identify and assess risks across the enterprise, gather and share risk information, and manage the entire audit life cycle. It also enables the creation of centralized libraries where the entire risk inventory, along with controls, assessments, audit data, and reports, can be efficiently organized, stored, managed, and shared. With these centralized repositories of information, internal auditors and managers are better equipped to understand risks and their relationship to the organization's objectives. They can also more accurately map risks to processes, controls, entities, and regulations. This, in turn, simplifies the creation of the audit universe and helps formulate a systematic and resource-efficient plan for audit management.

Because surveys are a major part of the risk-based audit plan, technology can help by streamlining the entire process of survey design, distribution, implementation, and response collection across departments, business units, and geographic locations. In addition, it can automate the process of monitoring risk controls and creating reports, as well as ensure that findings and problem areas identified through audits are appropriately investigated and resolved. In this way, internal auditors can save valuable time and resources and eliminate the need for cumbersome spreadsheets. Some technological tools such as dashboards, risk heat maps, and charts can facilitate transparency in audits by providing valuable risk insights and intelligence that can be presented to stakeholders.
Creating Value

Today, internal auditors have the power to not only protect value, but to create value. The key is to develop a continuous focus on risk, and weave the audit plan around the identified risks and risk patterns. This opens up opportunities for internal auditors to play a more strategic role in the organization, as well as to provide crucial risk-based advice that shapes the overall business strategy.

Michael Bechara is the corporate risk expert and managing director of Granite Consulting Group, Inc., Brewster, N.Y. Gaurav Kapoor, MBA, is the chief risk officer of MetricStream Inc., Palo Alto, Calif.

EXHIBIT 2
Risk Patterns by Objective

[Stacked bar chart, y-axis 0% to 100%. Legend: Risk A, Risk B, Risk C, Risk D, Risk E, Risk F. Objectives legible on the x-axis: Accurate Financial Reporting, Reduce Supplier Costs, Employee Safety.]

ELEMENTS OF A GOOD RISK-BASED AUDIT PLAN:
- Based on risks and business objectives
- Relies on people for input
- Uses technology to support the process

Copyright of CPA Journal is the property of New York State Society of CPAs and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission.
However, users may print, download, or email articles for individual use.
