
ACCOUNTING & AUDITING | auditing

Maximizing the Value of a Risk-Based Audit Plan


Internal Auditors Can Identify and Mitigate Risk

By Michael Bechara and Gaurav Kapoor

If there is anything that the business world has learned from the economic events of the last few years, it is that effective risk management is critical. Around the world, substantial investments are being devoted to strengthening risk management programs. Yet failures continue to occur, whether they appear in the form of regulatory missteps, lost profitability, or the hacking of sensitive information. Millions of customers are affected, and billions of dollars are lost.
In response, companies increasingly
depend on internal auditors to identify
and help mitigate these risks. Internal auditors are uniquely positioned to handle these
responsibilities because of their understanding of business processes and risks,
as well as their ongoing interaction with
both business units and management.
What, then, is the role that they must play
in building risk resilience?

A Systemic, Risk-Based Audit Approach
The focus of an internal audit has always
been on risks. But what is changing is how
internal auditors go about assessing these
risks. Traditional audit plans based on suspicions or direction from management are
bound to skew decision making. Rotational
audit plans result in misallocation of
resources because they do not take into
account variations in risk. Similarly, lists of risks by industry may be well researched, but they do not consider each organization's unique risk profile and history.
An effective risk-based audit plan overcomes all of the above limitations by viewing risks through the prism of strategic objectives, which enables a more targeted and efficient audit. It also links risks with business objectives, thus facilitating smarter, faster, and sharper risk mitigation programs.

Implementing a Risk-Based Audit Plan
Contrary to popular opinion, risk-based
audits do not begin with the risks themselves. If one builds a risk universe that
catalogues hundreds of risks in isolation,
one would find that it is neither practical
nor useful in decision making. It simply
results in a waste of precious time and
resources on those risks that are irrelevant
to the organization.
An effective risk-based audit plan begins with the organization's objectives and goals, because risks are only relevant in the context of these objectives. For example, if an individual's objective is to stay at home and watch TV, he wouldn't worry about the risk of a flat tire; however, he might worry about being interrupted by his children, attending to a phone call, or cooking dinner, because these risks impact the objective of watching TV.

Discovering Risk Data
Enterprise resource planning (ERP) data and generic lists of risks by industry are based on historical data; they assume that the future will look like the past when, in fact, things rarely happen the same way twice. Instead, auditors should turn to the organization's people. They represent one of the most dynamic, current, and important sources of risk information because they face risks in the organization every day, and are capable of conveying their thoughts about emerging or potential risks.
Internal auditors should start with senior management in order to understand strategic goals and identify the risks associated with these goals. Then, they should expand the discussion to a larger cross section of people across the enterprise, such as personnel in the operations, purchasing, compliance, and legal departments, as well as any other employees who are tasked with attaining the organization's objectives. The more respondents interviewed, the more comprehensive and in-depth the insights will be.

MARCH 2012 / THE CPA JOURNAL
When conducting these interviews, auditors should refrain from asking questions such as, "What keeps you up at night?" Such clichéd questions only limit the kinds of responses internal auditors will receive. Instead, they should describe objectives and risks, and ask people to identify how well the company is achieving its objectives. They should also ask them to identify any other risks that have not been discussed but that still threaten the company's objectives.
Another method that auditors can
employ is using surveys to collect responses. Introducing a scale of 1 to 5 for each
question will help quantify the responses
later. Exhibit 1 provides an example of one
such survey.
Once auditors have gathered risk data, they are ready to
- map risks to objectives,
- identify risk patterns, and
- classify the risk patterns according to organizational objectives.
Mapping risks to objectives. The common tendency among auditors is to focus
on the risk that receives the greatest number of responses or the most egregious ratings. For example, if 95% of survey
respondents selected Risk A as being the
most threatening to the organization,
auditors might feel compelled to devote all
their resources to designing an audit that
would mitigate that one risk. But risks do
not act in isolation; they interact with
each other, and with strategic objectives,
in a complex pattern. Therefore, it is important to understand these interactions and
correlations.
If the objective under review is accurate financial reporting, surveys might reveal that it is strongly threatened by a lack of accounting experience and moderately threatened by poor corporate governance. An auditor might also uncover risks that pose threats to a seemingly unrelated objective. For example, aggressive sales or marketing programs could be found to have a strong impact on financial reporting. If pressure is applied across the organization to meet certain sales targets, financial reporting could be compromised by recognizing revenue prematurely or inappropriately. A common example of this risk manifesting itself would be channel stuffing, where excess products are shipped to distributors at the end of a period, only to be taken back or returned at the beginning of the next.
Identifying risk patterns. Risk patterns are a combination of individual risks that affect a particular objective. It is important to look at these patterns because they provide a sense of the larger picture. They indicate a combination of risks that is greater than the sum of any of its individual parts. For example, if an individual were driving a car while talking on a mobile phone and being distracted by music, all at the same time, the chances of a collision with another vehicle would be very high. Each of the above risks occurring in isolation poses a far lesser threat than when they manifest themselves together as a pattern.
Essentially, risk patterns help internal auditors identify those risks that, together, interact to form a dangerous situation. For example, auditors might find from their surveys that accurate financial reporting is affected by the following risk pattern: lack of accounting experience (20%), poor corporate governance (40%), aggressive sales or marketing programs (30%), and inadequate training (10%). By itself, the risk of inadequate training seems minor. But if auditors were to ignore this risk and not make any effort to audit or mitigate it, the risk would continue to pose a significant threat to financial reporting.

EXHIBIT 1
Survey Example

Objective                      | Excellent | Good     | Fair    | Below Average | Poor
Accurate Financial Reporting   |           |          |         |               |

Risks                          | Pervasive | Frequent | Average | Infrequent    | Rare
Excessive Overtime             |           |          |         |               |
Lack of Accounting Experience  |           |          |         |               |
Poor Communication             |           |          |         |               |

Classifying risk patterns by objectives.
Once auditors have arranged their risk patterns by objectives, the risk-based audit
plan becomes more targeted. At this
point, it is important to keep in mind that
audits should not be directed at the most
critical risk, but at all of the risks that
threaten the most critical objective. This
will enable auditors to take concrete action,
seamlessly align risk management with
business strategy, and facilitate accountability and transparency.
Exhibit 2 shows five typical organizational objectives. Each bar above the objectives shows the risk pattern that threatens
that objective. Each color represents one
hypothetical risk, and more than one
color in a bar indicates a risk pattern of
two or more risks for that objective. For
example, the objective accurate financial
reporting is threatened by four risks. The
yellow risk is the most prevalent in the pattern because it makes up almost 40% of
the entire risk pattern.
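The three steps above (map risks to objectives, identify each objective's risk pattern, then scope the audit at the most critical objective rather than the most-rated single risk) can be carried through on survey data directly. The following script is an added example, not code from the article or its authors. The four respondents' ratings are constructed; the scoring rule (a risk's share of the summed ratings for its objective) and the mapping of Exhibit 1's labels to 5 (Excellent / Pervasive) down to 1 (Poor / Rare) are assumptions chosen to reproduce the article's 20/40/30/10 pattern, not a formula the article prescribes.

```python
"""Survey aggregation for a risk-based audit plan (added example, not from
the article). Steps: validate 1-to-5 ratings, build each objective's risk
pattern, then scope the audit at every risk in the most threatened
objective's pattern instead of chasing the single highest-rated risk."""
from statistics import mean

# Constructed sample responses from four respondents (not real survey data).
# Objective achievement: 5 = Excellent ... 1 = Poor (assumed mapping of
# Exhibit 1's first scale). Risk prevalence: 5 = Pervasive ... 1 = Rare
# (assumed mapping of the second scale).
OBJECTIVE_RATINGS = {
    "Accurate Financial Reporting": [2, 3, 2, 2],
    "Employee Safety": [4, 5, 4, 4],
}
RISK_RATINGS = {
    "Accurate Financial Reporting": {
        "Lack of accounting experience": [2, 2, 2, 2],
        "Poor corporate governance": [4, 4, 4, 4],
        "Aggressive sales programs": [3, 3, 3, 3],
        "Inadequate training": [1, 1, 1, 1],
    },
    "Employee Safety": {
        "Poor communication": [5, 5, 5, 5],
    },
}


def check_rating(r):
    """Reject anything outside the 1-to-5 scale before it skews the totals."""
    if isinstance(r, bool) or not isinstance(r, int) or not 1 <= r <= 5:
        raise ValueError(f"rating {r!r} is not an integer from 1 to 5")
    return r


def risk_pattern(risk_ratings):
    """Map {risk: [ratings]} for one objective to {risk: percent share}.

    A risk's share is its summed rating divided by the objective's total,
    so the shares within one objective always add up to 100."""
    totals = {risk: sum(check_rating(r) for r in rs)
              for risk, rs in risk_ratings.items()}
    grand = sum(totals.values())
    if grand == 0:
        return {}
    return {risk: round(100.0 * t / grand, 1) for risk, t in totals.items()}


def most_rated_risk(risk_ratings_by_objective):
    """The single highest-rated risk across all objectives: the tempting
    but misleading audit target the article warns against."""
    best = None
    for objective, risks in risk_ratings_by_objective.items():
        for risk, rs in risks.items():
            m = mean(check_rating(r) for r in rs)
            if best is None or m > best[1]:
                best = (risk, m, objective)
    return best


def most_threatened_objective(objective_ratings):
    """The objective respondents rate as achieved worst (lowest mean)."""
    return min(objective_ratings,
               key=lambda o: mean(check_rating(r) for r in objective_ratings[o]))


def audit_scope(objective_ratings, risk_ratings_by_objective):
    """Scope the audit at every risk in the most threatened objective's
    pattern, largest share first, so a small contributor (the 10% risk)
    stays in scope instead of being dropped."""
    objective = most_threatened_objective(objective_ratings)
    pattern = risk_pattern(risk_ratings_by_objective.get(objective, {}))
    ranked = sorted(pattern.items(), key=lambda kv: kv[1], reverse=True)
    return objective, ranked


if __name__ == "__main__":
    risk, score, obj = most_rated_risk(RISK_RATINGS)
    print(f"Highest-rated single risk: {risk} ({score:.1f}, under {obj})")
    objective, ranked = audit_scope(OBJECTIVE_RATINGS, RISK_RATINGS)
    print(f"Most threatened objective: {objective}")
    for r, share in ranked:
        print(f"  {share:5.1f}%  {r}")
```

On the constructed data, "Poor communication" is the single highest-rated risk, yet the objective the survey says is achieved worst is accurate financial reporting, and its pattern is the four risks at 40/30/20/10, all of which land in scope.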

Technology as an Enabler
A large part of risk-based audits involves talking to various stakeholders, identifying risks across teams and departments, and assessing the effectiveness of various controls to mitigate those risks. It's an expansive and time-consuming activity that is typically carried out by multiple auditors, using multiple independent applications, processes, workpapers, and tools. Without adequate communication and coordination between them, it is likely that internal audit activities would be duplicated at various points across the organization, thus lowering efficiency and raising costs.
But what if there was one single system
to unite all audit processes, entities, systems,
tools, and workflows? Communication
across the enterprise would be enhanced, visibility into risks and audits would improve,
and duplicate and redundant audit activities
could be eliminated.
Technology enables a centralized audit infrastructure that can provide a single point of reference to identify and assess risks across the enterprise, gather and share risk information, and manage the entire audit life cycle. It also enables the creation of centralized libraries where the entire risk inventory, along with controls, assessments, audit data, and reports, can be efficiently organized, stored, managed, and shared.
With these centralized repositories of information, internal auditors and managers are better equipped to understand risks and their relationship to the organization's objectives. They can also more accurately map risks to processes, controls, entities, and regulations. This, in turn, simplifies the creation of the audit universe and helps formulate a systematic and resource-efficient plan for audit management.
Because surveys are a major part of the
risk-based audit plan, technology can help
by streamlining the entire process of survey design, distribution, implementation,
and response collection across departments,
business units, and geographic locations.
In addition, it can automate the process of
monitoring risk controls and creating
reports, as well as ensure that findings
and problem areas identified through audits
are appropriately investigated and resolved.
In this way, internal auditors can save valuable time and resources and eliminate the
need for cumbersome spreadsheets. Some
technological tools such as dashboards, risk
heat maps, and charts can facilitate transparency in audits by providing valuable
risk insights and intelligence that can be
presented to stakeholders.

Creating Value
Today, internal auditors have the power to not only protect value, but to create value. The key is to develop a continuous focus on risk, and weave the audit plan around the identified risks and risk patterns. This opens up opportunities for internal auditors to play a more strategic role in the organization, as well as to provide crucial risk-based advice that shapes the overall business strategy.
Michael Bechara is the corporate risk
expert and managing director of Granite
Consulting Group, Inc., Brewster, N.Y.
Gaurav Kapoor, MBA, is the chief risk
officer of MetricStream Inc., Palo Alto,
Calif.

EXHIBIT 2
Risk Patterns by Objective

[Stacked bar chart; vertical axis runs from 0% to 100%. One bar for each of five objectives: Accurate Financial Reporting, Increase Market Share, Launch Product A, Reduce Supplier Costs, and Employee Safety. Each bar is divided among the hypothetical risks Risk A through Risk F, and the height of each segment is that risk's share of the objective's risk pattern.]

ELEMENTS OF A GOOD RISK-BASED AUDIT PLAN:
- Based on risks and business objectives
- Relies on people for input
- Uses technology to support the process

Reproduced with permission of the copyright owner. Further reproduction prohibited without permission.
