Professional Documents
Culture Documents
& A
auditing
C C O U N T I N G
U D I T I N G
28
because risks are only relevant in the context of these objectives. For example, if
an individuals objective is to stay at home
and watch TV, he wouldnt worry about
the risk of a flat tire; however, he might
worry about being interrupted by his children, attending to a phone call, or cooking dinner, because these risks impact the
objective of watching TV.
I
I
EXHIBIT 1
Survey Example
Objective
Excellent
Good
Fair
Below Average
Poor
Pervasive
Frequent
Average
Infrequent
Rare
29
Technology as an Enabler
A large part of risk-based audits involves
talking to various stakeholders, identifying
risks across teams and departments, and
assessing the effectiveness of various controls to mitigate those risks. Its an expansive and time-consuming activity that is typically carried out by multiple auditors,
using multiple independent applications, processes, workpapers, and tools. Without adequate communication and coordination
between them, it is likely that internal audit
activities would be duplicated at various
points across the organization, thus lowering
efficiency and raising costs.
But what if there was one single system
to unite all audit processes, entities, systems,
tools, and workflows? Communication
across the enterprise would be enhanced, visibility into risks and audits would improve,
and duplicate and redundant audit activities
could be eliminated.
Technology enables a centralized audit
infrastructure that can provide a single
point of reference to identify and assess risks
across the enterprise, gather and share risk
information, and manage the entire audit life
cycle. It also enables the creation of centralized libraries where the entire risk
inventoryalong with controls, assessments,
audit data, and reportscan be efficiently
organized, stored, managed, and shared.
With these centralized repositories of
information, internal auditors and managers
are better equipped to understand risks and
their relationship to the organizations
objectives. They can also more accurately
map risks to processes, controls, entities,
and regulations. This, in turn, simplifies the
creation of the audit universe and helps formulate a systematic and resource-efficient
plan for audit management.
Because surveys are a major part of the
risk-based audit plan, technology can help
by streamlining the entire process of survey design, distribution, implementation,
and response collection across departments,
business units, and geographic locations.
In addition, it can automate the process of
monitoring risk controls and creating
reports, as well as ensure that findings
and problem areas identified through audits
are appropriately investigated and resolved.
In this way, internal auditors can save valuable time and resources and eliminate the
need for cumbersome spreadsheets. Some
technological tools such as dashboards, risk
heat maps, and charts can facilitate transparency in audits by providing valuable
risk insights and intelligence that can be
presented to stakeholders.
Creating Value
Today, internal auditors have the
power to not only protect value, but to create value. The key is to develop a continuous focus on risk, and weave the audit
plan around the identified risks and risk
patterns. This opens up opportunities for
internal auditors to play a more strategic
role in the organization, as well as to provide crucial risk-based advice that shapes
K
the overall business strategy.
Michael Bechara is the corporate risk
expert and managing director of Granite
Consulting Group, Inc., Brewster, N.Y.
Gaurav Kapoor, MBA, is the chief risk
officer of MetricStream Inc., Palo Alto,
Calif.
EXHIBIT 2
Risk Patterns by Objective
100%
90%
80%
70%
60%
Risk F
Risk E
50%
Risk D
ELEMENTS OF A
GOOD RISK-BASED
AUDIT PLAN:
Risk C
40%
Risk B
Risk A
30%
20%
10%
0%
Accurate Financial
Reporting
30
Increase Market
Share
Launch Product A
Reduce Supplier
Costs
Employee Safety
Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.