FEBRUARY 2014
CONTENTS
A TYPICAL INTERNAL AUDIT RISK ASSESSMENT SCENARIO
REVIEW STANDARD INTERNAL AUDIT PROCEDURES
LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY
LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY
KNOW YOUR COMPANY'S RISK APPETITE
GET INTO THE DETAILS
PLAN FOR SUCCESS
UNDERSTAND THE BUSINESS AND ITS CULTURE
As the COSO Internal Control Integrated Framework (2013) states, risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives. Yet many in-house internal audit functions treat the annual internal audit risk assessment as a check-the-box activity, required mainly to comply with the IIA professional practices framework.
Typically, a three- or five-year review cycle for the entire organization is already in place, and the annual internal audit risk assessment barely scratches the surface: it is used merely to justify minor modifications to the risk-based internal audit plan. Yet the internal audit risk assessment presents an often-missed opportunity for internal auditors to understand their organization's evolving objectives and implement a more dynamic risk-based approach to the internal audit process. Let's take a look at a typical scenario played out every day and see whether we, as uninvolved bystanders, can audit the process and see if it falls short in any way.
A TYPICAL INTERNAL AUDIT RISK ASSESSMENT SCENARIO
In advance of this year's risk assessment, the internal audit department reviewed and revised its risk assessment process and the various preparation materials for management participants. The preparation materials included a list of key management participants with their preferred contact method, a list of internal audit risk assessment questions, an announcement letter explaining the importance of the annual risk assessment process, and a presentation that provided examples of beneficial insight received from the previous year's risk assessment.
During the risk assessment, the internal audit staff rigorously capture each of management's remarks in an effort to record every detail, whether quantitative or qualitative. As the scribe, the internal audit staff member is responsible for note taking, while the internal audit director asks management a series of questions from the annual list of internal audit risk assessment queries. The internal audit director conducts the interview in a way that illustrates both a tremendous understanding of the business and an ability not to get bogged down in the details. The individual representing management, on the other hand, usually provides general responses highlighting a few generic risks inherent in their business, but not enough for one to actually audit. One of those general responses concerned an increase in the organization's credit risk exposure.
REVIEW STANDARD INTERNAL AUDIT PROCEDURES
Does the above description raise any red flags? If not, consider whether you agree with the points below and then review the scenario as an auditor.
Internal Audit Risk Assessment Red Flags:
It is not clear who benefits from this risk assessment process: internal audit, management, or someone else.
The annual list of internal audit risk assessment questions sounds great; however, on closer review, the questions are probably too narrowly focused on what internal auditors want to hear. Rather than a prepared list of detailed questions for a meeting with management, bring bullet points based on enterprise risk management (ERM) themes.
The internal audit director may be immensely knowledgeable about the company, the industry, and other key demographics, but the director did not do enough to plan for this meeting. The internal audit director should have a thorough understanding of the organization's culture. Part of that culture is demonstrated in management's willingness to identify ERM risks. The director should also have understood a bit more about the organization and the individual from management:
How willing are members of management to provide open and honest communication? What are the best modes to request and receive that type of communication?
What changes have occurred directly or indirectly around this individual within the past 90 days or the past year?
When did they join the organization? How long have they been in this role? Who are their direct reports? Who do they report to within the organization?
Are they directly or indirectly associated with any of the internal controls over financial reporting?
The risk assessment is the time when the focus should be on the details, especially if the
individual representing management is either new to the risk assessment process or is providing
responses that are too general.
The internal audit risk assessment is a rare opportunity to demonstrate how the proverbial (internal audit) 'special sauce' is made. A successful risk assessment procedure will involve the following actions:
FIVE WAYS TO TURN RISK ASSESSMENT PRINCIPLES INTO POSITIVE ACTIONS
1. Analyze the results of the above and assess whether enough information has been captured to determine appropriate next steps.
If necessary, seek additional information, immediately or over time, to determine whether refinements need to be made to the internal audit plan of activities.
Reference, cross-reference, and reconcile whether the above perspectives were included in the current or future internal audit plan of activities, or were assigned no plan of further activity.
For 'no plan of further activity' items, document why, and what is preventing further follow-up. This list should be reviewed throughout the year in conjunction with audit findings and the various root cause analyses.
LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY
A precondition to risk assessment is the establishment of objectives, linked at different levels of the
entity. One of the keys to planning and executing a successful internal audit risk assessment process
is to use the activity as a way to listen to management on what is most important for them in the
upcoming year. The internal audit risk assessment is one of the most valuable exercises available to
provide multiple layers of management with the opportunity to share their perspectives of the
organization, of the strategic plans, and the various objectives that they outlined with executive
management and even the board. Another way to look at this risk assessment process is that it
provides internal audit with an opportunity to see how the organizational culture and governance
operate.
The definition of organizational culture has evolved over the years to take on a broader meaning that involves the soft touches: values, beliefs, behaviors, actions, and decisions at all levels of the organization. It is the management style and leadership of everyone from the most junior manager to executive management and the board. The impact of organizational culture is immense when it comes to the organization's governance and control environment.
In the scenario outlined here, the internal audit director does not recognize the real opportunity to meet with an individual from management to discuss their agenda. While everyone's time is valuable, a one-on-one discussion with a manager allows internal audit to gain insight into how this individual operates, understands, and responds to their superiors. It also provides the chance for internal audit to see how the organization's strategic plan, annual objectives, and personnel objectives align for a particular member of management. Finally, it provides internal audit with clarity on the effectiveness of the organizational culture and governance processes.
Could organizational culture and governance be included in an internal audit risk assessment survey or some type of group discussion? Yes; however, this would require further planning, interaction with the participants, and other additional activities.
LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY
A good deal of planning goes into an organization's assessment methodology or approach. Too often the thinking behind an organization's assessments is inconsistent, creating confusion for the participants, reviewers, and recipients of the results. The following outlines some of the basics that should be part of a robust organizational assessment methodology:
h. Products / services
Note: Context, intent, and terms are not always consistent across the various organizational assessments. As a result, a value of 1 does not necessarily mean high or low; it must be defined in an appropriate context. Context is important, as a value of 1 or 'high' may not carry the same impact or likelihood: it depends on the nature and timing of the requestor, the assessor, and the recipient of the results. Some example terms that should be defined for your organization are as follows:
Impact, Likelihood, Indicators, Ratings, Measures, Weighting, Policies, Procedures, Standards
Principles, Inherent, Control, Residual, Systems, Technology, Prevent, Detect, Profile
At the closing meeting, the individual from management has already reviewed the draft report and points out that the increase in the organization's credit risk exposure was not addressed. Internal audit may have some significant findings, but they missed the 'elephant in the room'. The exposure was not due to how the credit rating department operated, but rather to how the application process was calculating potential credit risk. Instead of the normal application going through a credit review process that involved credit analysis from three credit bureaus, the credit analysis was now provided by only two credit bureaus. Someone within the credit rating department had let one of the credit bureau contracts lapse and had no intention of renewing it. The two-week audit activity did not review the credit bureau contracts, for the following rationale documented in the workpapers: the credit bureau contracts were reviewed in a prior year, and the scope was not extended to include third-party relationships held by the credit rating department. According to the individual from management, the decision and the rationale for it should have been reviewed by internal audit. Why was a change in how creditworthiness is assessed not part of the scope of an operational review of the credit rating department? How did internal audit miss the change in how applicants' creditworthiness was determined? Anyone who has ever reviewed a credit process knows that a lack of information from a single third party could skew the approval of an application. But this fact was completely overlooked here.
PLAN FOR SUCCESS
Some will say that the authority approval matrix covers the decision made by someone within the credit rating department; however, most contract lapses don't require approval. Others may point to the US Office of the Comptroller of the Currency (OCC) guidance on credit, which refers to the Bank for International Settlements and the December 2013 Basel Committee on Banking Supervision consultative document entitled Revisions to the Securitization Framework. One of the arguments for improvements to that framework relates to mechanistic reliance on external ratings. In the above example, however, securitization was irrelevant, as these were individual applications. Others will argue that the internal auditors' rapid response was justified, as management had deemed this an exposure and, in the post-2008 financial crisis environment, the audit activity was warranted.
No matter what the defensive position of internal audit, the internal audit department missed a few key opportunities to plan its risk-based activities accordingly. Firstly, the internal audit director didn't ask enough open-ended and follow-up questions. During the internal audit risk assessment, the following questions could have been used:
1.
The end-to-end technology that is either used by the credit department or used by other departments of the business that rely on information obtained from the credit department.
The end-to-end compliance process used by the credit department or used by other departments of the business that rely on information obtained from the credit department.
UNDERSTAND THE BUSINESS AND ITS CULTURE
None of the above angles turns the internal audit department into an investigative body or a group of organizational detectives. Instead, the above angles demonstrate how internal audit strives to understand how the overall business operates. The internal audit risk assessment is designed to aid internal audit in developing a risk-based plan of activities by first ensuring that the department understands how the organization operates. There is a fine balance and level of depth that internal audit needs to achieve in conducting this activity; however, too often it is not deep enough.
Some advisory firms advocate the use of high-level data analytics to find such anomalies during the risk assessment process. In this case, though, the preventive control was still operating: credit analysis was still being received from two credit bureaus. Most high-level data analytics would not uncover whether the credit analysis was received from one, two, or three credit bureaus, unless the analytics were so deeply ingrained in the process that they compared the credit analyses received from the individual bureaus. In the above situation, credit analysis from two bureaus was still being received, so the comparison could still be performed. Others will argue that a look-back analysis reviewing historic trends could potentially identify that current applications were being approved either too conservatively or too liberally. Regardless of the depth of either analytic, the application process was indirectly altered by the decision of someone within the credit rating department. Since nobody knows the decision maker's rationale, it is merely one member of management's perspective that there is an exposure.
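The distinction drawn above, that a consistency check between the bureau reports that do arrive keeps passing while only a check against the expected set of sources (or a look-back on which sources appear each month) surfaces the lapsed contract, can be shown with a small script. The example below is added here and is not from the article or from any audit tool; the bureau names, application records, score tolerance and dates are constructed for illustration.

```python
"""Detecting a dropped third-party data source in a credit review workflow.

Three checks over the same application files:
  1. two_source_consistency_ok  - the preventive control the article says kept working
  2. incomplete_applications    - per-file completeness against the expected bureau set
  3. dropped_sources            - look-back: which bureau stops appearing, and when
Only checks 2 and 3 notice that one bureau silently vanished.
"""
from collections import Counter
from datetime import date
from itertools import combinations

# Constructed for this example: the review process expects a report from each of these.
EXPECTED_BUREAUS = frozenset({"bureau_a", "bureau_b", "bureau_c"})

# Constructed sample application files (id, decision date, score per bureau).
SAMPLE_APPLICATIONS = [
    {"id": "APP-1001", "date": date(2013, 9, 3),
     "reports": {"bureau_a": 712, "bureau_b": 705, "bureau_c": 698}},
    {"id": "APP-1002", "date": date(2013, 9, 17),
     "reports": {"bureau_a": 640, "bureau_b": 655, "bureau_c": 661}},
    {"id": "APP-1003", "date": date(2013, 10, 2),
     "reports": {"bureau_a": 733, "bureau_b": 728, "bureau_c": 719}},
    # Contract with bureau_c lapsed here: only two reports arrive from now on.
    {"id": "APP-1004", "date": date(2013, 11, 5),
     "reports": {"bureau_a": 601, "bureau_b": 598}},
    {"id": "APP-1005", "date": date(2013, 11, 20),
     "reports": {"bureau_a": 690, "bureau_b": 702}},
    {"id": "APP-1006", "date": date(2013, 12, 9),
     "reports": {"bureau_a": 655, "bureau_b": 650}},
]


def two_source_consistency_ok(app, tolerance=40):
    """The existing control: pass if any two received scores agree within `tolerance`.
    It never asks how many reports were received, so it keeps passing after the lapse."""
    scores = list(app["reports"].values())
    return any(abs(x - y) <= tolerance for x, y in combinations(scores, 2))


def missing_sources(app, expected=EXPECTED_BUREAUS):
    """Expected bureaus absent from one application's file."""
    return expected - set(app["reports"])


def incomplete_applications(apps, expected=EXPECTED_BUREAUS):
    """Per-file completeness check: (application id, sorted missing bureaus) for each short file."""
    return [(app["id"], sorted(missing_sources(app, expected)))
            for app in apps if missing_sources(app, expected)]


def source_coverage_by_month(apps):
    """Look-back view: for each month, how many application files carried each bureau."""
    coverage = {}
    for app in apps:
        month = app["date"].strftime("%Y-%m")
        coverage.setdefault(month, Counter()).update(app["reports"].keys())
    return coverage


def dropped_sources(apps, expected=EXPECTED_BUREAUS):
    """Bureaus that were present in an earlier month and then disappear,
    mapped to the first month in which they are absent."""
    coverage = source_coverage_by_month(apps)
    dropped = {}
    for bureau in sorted(expected):
        seen_before = False
        for month in sorted(coverage):
            if coverage[month][bureau] > 0:
                seen_before = True
            elif seen_before and bureau not in dropped:
                dropped[bureau] = month
    return dropped


if __name__ == "__main__":
    passed = all(two_source_consistency_ok(a) for a in SAMPLE_APPLICATIONS)
    print(f"two-source consistency control passes on every file: {passed}")
    for app_id, missing in incomplete_applications(SAMPLE_APPLICATIONS):
        print(f"{app_id}: missing report(s) from {', '.join(missing)}")
    for bureau, month in dropped_sources(SAMPLE_APPLICATIONS).items():
        print(f"{bureau} stops appearing in {month}")
```

The consistency check is the kind of "preventive control still operating" the article describes: it compares whatever arrived, so it has no way to notice that less arrived. The completeness and look-back checks need one extra piece of knowledge, the expected set of third parties, which is exactly the third-party relationship the audit scope excluded.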
In summary, internal audit's risk assessment often falls short because it is treated as a slightly modified tactical implementation without a review of the strategic framework. Internal audit has an opportunity to solicit input from management as part of the internal audit risk assessment, either annually or more frequently. For internal audit to be successful in its risk assessment, assurance, and advisory activities, its interactions with management need to be about building rapport. That rapport begins with establishing a sufficient understanding of how management and the organizational culture operate. With no sign of the pace of change affecting your organization slowing down, internal audit's risk assessment must be dynamic, not static, and needs to be improved from year to year, using a top-down approach beginning with management interviews and input.