by none other than Jamie Ontiveros
Internal Auditing (IA) has long been a risk-based exercise. The approach is commonly referred to as "risk-based internal auditing" (RBIA). Audit Net is a repository of resources on the profession of internal auditing, and on RBIA specifically. If this concept is new to you, I recommend reading the excellent resource entitled "Introduction to RBIA" by downloading it here.
It's my assertion that the goals of Internal Audit should be those of the business. How else can IA help the business achieve its goals? Alignment is the key. Since risk is what prevents the business from achieving its goals, we as auditors must assess risk. There are two common approaches: gross and residual risk.
Risk is inherent in any process. This high-level view of risk is abstract. It's referred to as 'gross risk' and is commonly measured across two criteria: Likelihood ('probability') and Magnitude.
'Probability' is in quotes because this usually isn't a scientific or mathematical application of probability. It's professional judgment based on other factors: prior audit results, prior incidents of fraud, etc. (not a comprehensive list).
Magnitude can be measured in several ways depending on the risk. Perhaps it's the fees that government agencies impose for non-compliance. It could be the financial penalty for not executing contractual obligations. It could also be costs associated with running faulty processes. These are but a few examples.
Assessing risk in this manner is a conceptual approach. It's sort of like using heuristics to get a quick determination. While I'm all for using heuristics when time is limited, the audit process has four distinct phases, and each phase (read: Planning) should be leveraged to its fullest potential.
Audit teams who intend to 'dig deeper' must have (or obtain) a solid understanding of the process and control environments. Publicly traded companies have been required to comply with Sarbanes-Oxley (SOX) for a decade now. The cost to implement SOX programs was high, but one benefit to come from this regulation was that audit departments had to take inventory of the control environment. Section 404 of the act required an assessment of internal controls. You can't assess the controls if you don't know what they are, right? So the act definitely moved IA in the right direction, as assessing the control environment is the first step to getting to a residual-based risk assessment.
As you can see, Management's job is to reduce risk in order to avoid loss and to better achieve the collective goals of the business. Process improvements can take many forms: automation (from a manual environment), lean (efficiency), and six sigma (quality). Key initiatives can also take many forms: joint ventures, data or system migrations, and standardization efforts are but a few. While new risk can be introduced during the implementation of these efforts, the intent is to reduce risk in the long term.
As I mentioned earlier, assessing the control environment is the first step in getting to a more granular assessment of risk. So what's the next step? Learn the entire process. There is no way around it.
If we think about controls, and how they relate, we can see from this drawing that a control is merely a check point for a given process. If the line is the process, then the green dots are the controls.
This is obviously a very simple representation. Most of our industries and businesses are very sophisticated and therefore complex. You can obtain your baseline understanding of the existing process from a variety of sources: SOX narratives, other client documentation, or prior audit workpapers, etc. Meet with your clients to confirm this knowledge, and to inquire about any initiatives that are in the pipeline. You'll be better equipped to understand what risk the business currently faces, and the risk any proposed change may introduce.
Most audit departments have no problem assessing residual risk (i.e. the control environment) during testing. Unfortunately, this is too late if your scope areas have already been established using a gross risk approach. The big takeaway here is that we need to assess residual risk earlier in the audit process. That is, 'from the beginning'.
Why? There is an opportunity cost associated with every scoping decision. Time and resources are limited. When you look at one area, you're making a decision not to look into another. Using gross risk to make these decisions is suboptimal.
Case in point. How many of you have scoped a process area, because it was "material" from a financial perspective, only to find that it was one of the most well controlled processes in your company? I have, and I wasn't happy about it. Sure we provided some assurance (minimal in my opinion) that the tested controls were operating effectively. However, we could have scoped a less mature (and perhaps less material) process instead and found issues. Zooming in on more granular risks during the planning phase of the audit will help you make better scoping decisions. You'll find that your team is in a better position to make the appropriate scoping decisions that will lead to providing real value to your clients.
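The scoping difference described above, as an added worked example (not from the original post). It assumes a simple scoring convention that the post does not specify: gross risk is likelihood × magnitude on 1–5 scales, and residual risk scales gross risk down by an assumed control-effectiveness factor between 0 and 1. The four process areas and their scores are constructed for illustration, with the "material but well controlled" area modelled on the case in point.

```python
from dataclasses import dataclass

# Assumed scoring convention (not the post's): 1..5 scales for likelihood
# and magnitude, 0.0..1.0 for how effective the existing controls are.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class ProcessArea:
    name: str
    likelihood: int            # professional judgment, 1 (rare) .. 5 (frequent)
    magnitude: int             # impact if the risk materialises, 1 .. 5
    control_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully mitigated)

    def __post_init__(self):
        for label, value in (("likelihood", self.likelihood), ("magnitude", self.magnitude)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{label} must be between {SCALE_MIN} and {SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0.0 and 1.0")


def gross_risk(area: ProcessArea) -> int:
    """Inherent risk before any controls: likelihood x magnitude."""
    return area.likelihood * area.magnitude


def residual_risk(area: ProcessArea) -> float:
    """Gross risk after crediting the control environment (assumed linear model)."""
    return round(gross_risk(area) * (1.0 - area.control_effectiveness), 2)


def scope(areas, score, budget: int):
    """Return the names of the top `budget` areas ranked by the given score.

    `budget` stands in for the limited time/resources: scoping one area
    is a decision not to look at the others.
    """
    ranked = sorted(areas, key=score, reverse=True)
    return [a.name for a in ranked[:budget]]


def scoping_difference(areas, budget: int):
    """Areas picked by a residual-risk scope that a gross-risk scope would miss, and vice versa."""
    by_gross = set(scope(areas, gross_risk, budget))
    by_residual = set(scope(areas, residual_risk, budget))
    return {"only_gross": by_gross - by_residual, "only_residual": by_residual - by_gross}


# Constructed sample areas (hypothetical, for illustration only).
AREAS = [
    ProcessArea("Revenue recognition", likelihood=4, magnitude=5, control_effectiveness=0.9),
    ProcessArea("Payroll", likelihood=3, magnitude=4, control_effectiveness=0.7),
    ProcessArea("Vendor onboarding", likelihood=3, magnitude=3, control_effectiveness=0.2),
    ProcessArea("Expense reimbursement", likelihood=4, magnitude=2, control_effectiveness=0.3),
]

if __name__ == "__main__":
    for area in AREAS:
        print(f"{area.name:24s} gross={gross_risk(area):3d} residual={residual_risk(area):5.2f}")
    print("Scoped by gross risk:   ", scope(AREAS, gross_risk, 2))
    print("Scoped by residual risk:", scope(AREAS, residual_risk, 2))
    print("Difference:", scoping_difference(AREAS, 2))
```

With a budget of two areas, the gross-risk ranking scopes "Revenue recognition" and "Payroll", the two most material areas, while the residual-risk ranking scopes "Vendor onboarding" and "Expense reimbursement", the two least controlled. Any control-effectiveness input is only as good as the baseline understanding of the process it came from, which is why the post insists on learning the whole process before scoring.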
So which approach does your audit shop use? Gross risk, residual risk, or something else? A great way to find out is to answer the following question.