
RISK RATING THE AUDIT UNIVERSE
A CRITICAL LOOK AT TRADITIONAL AUDIT UNIVERSE RISK-RATING FACTORS

BRUCE MCCUAIG – CA, CIA, CCSA
VICE PRESIDENT, RISK AND COMPLIANCE
PAISLEY GRC SOLUTIONS

WHITEPAPER
CONTENTS
INTRODUCTION
INTERNAL VERSUS EXTERNAL AUDITOR PERFORMANCE
HOW SHOULD INTERNAL AUDITORS PRIORITIZE AUDITS?
DOLLAR MATERIALITY AS A RISK FACTOR
ASSET LIQUIDITY AS A RISK FACTOR
QUALITY OF INTERNAL CONTROLS AS A RISK FACTOR
CHANGE OR STABILITY RISK FACTORS
BUSINESS COMPLEXITY AS A RISK FACTOR
MANAGEMENT COMPETENCE AS A RISK FACTOR
GUIDANCE FOR IMPROVEMENT
ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS
ABOUT THE AUTHOR

RISK RATING THE AUDIT UNIVERSE: A CRITICAL LOOK AT TRADITIONAL AUDIT UNIVERSE RISK RATING FACTORS

INTRODUCTION
One outcome of the Sarbanes-Oxley Act, and the related Public Company Accounting Oversight
Board AS2, and more recently AS5, is more information in the public domain about the
performance (or failure) of internal controls over financial reporting. The information comes from
the hundreds of internal control deficiencies reported by accelerated filers.

Analyzing this data to determine what kinds of companies reported deficiencies, how deficiencies
were detected, what business processes the deficiencies related to, and what accounts and
assertions they impacted provides great insight into how controls work in modern public
companies. This information also provides insight into the role and performance of internal
auditors. Knowledge gained from these deficiency disclosures may challenge internal auditors’
assumptions about where risk lies and how to better prioritize an audit universe. Specifically, can
we learn more about how to risk rate an audit universe to better focus resources on where the
deficiencies lie?

Big risks can lurk under small rocks, and the indicators of big risks are often ignored in audit
planning. Internal audit has played an important role in finding and reporting SOX deficiencies;
however, external audit has played a far bigger role. This paper identifies some areas for
improvement.

INTERNAL VERSUS EXTERNAL AUDITOR PERFORMANCE


Internal audit professionals are guided to establish a risk-based audit universe by the Institute of
Internal Auditors International Standards for the Professional Practice of Internal Auditing and
related practice advisories. Currently under revision, the proposed International Professional
Practices Framework (IPPF) Performance Standard 2010, Planning, states,
“The chief audit executive must establish risk-based plans to determine the
priorities of the internal audit activity, consistent with the organization’s goals.”

The proposed standard is more explicit than its predecessor, making it mandatory for the chief
auditor to develop a risk-based plan.

There is room for improvement in the execution of a risk-based audit approach. A recent study
published by the Financial Executives Research Foundation, Control Deficiency Reporting: Review
and Analysis of Filings During 2004, analyzes the control deficiency disclosures made by 329
companies in various SEC filings from November 1, 2003, to October 31, 2004. It analyzes over
950 disclosures to identify trends to help users of financial statements better understand the
nature of control deficiency reporting made by SEC registrants.

Management and internal auditors appear to have performed poorly in detecting and reporting
deficiencies. Evidence suggests that only about 28 percent of companies were proactively
bringing reportable deficiencies to the attention of their audit committees or external auditors.
This strongly suggests that internal auditors either used risk prioritization models that routinely
scoped out high-risk areas for internal control deficiencies or did not detect or report deficiencies
that were found.

More recent statistics confirm this trend. A February 2007 trend alert from Glass Lewis & Co, a
leading investor analyst firm, reported: 2,931 U.S. companies, about 23 percent, filed at least one
restatement during the last four years; 683 companies restated two or more times.

There is little to suggest that either internal or external auditors are improving their track record
of looking in the right places or finding problems if they exist. The February 27, 2007, Yellow Card
Trend Alert produced by Glass Lewis & Co titled, The Errors of Their Ways, concluded:

“Companies take note: If you restated, you must have had material weaknesses. We
still have a hard time figuring out how so many companies that restated also could
have reasonably concluded that their internal controls are effective and that they
have no material weaknesses – or that no material weaknesses even existed at the
time of the errors.”

The trend in reported deficiencies is alarming. While individual companies and their internal
auditors may fail to detect or report some internal control deficiencies in audits they conduct, the
trend in the total number of restatements and the number of companies reporting deficiencies,
and their late and sudden disclosure suggest a systemic problem. Material weaknesses and
significant deficiencies are simply not being found and reported by management. Restatements
continue at a high level.

Unless internal auditors are applying completely different risk-based standards to planning
audits of internal control over financial reporting, it is reasonable to suggest that the method of
prioritizing internal audit activity may be a problem. Is the error rate experienced in audits of ICFR
the same as the error rate in audits of other areas?

HOW SHOULD INTERNAL AUDITORS PRIORITIZE AUDITS?


The IIA provides practice advisories to assist in the interpretation and implementation of the
Professional Standards. Practice Advisory 2010-2, Linking the Audit Plan to Risk and Exposures,
suggests that the following risk factors, among others, should be considered:

• Dollar materiality
• Asset liquidity
• Quality of internal controls
• Degree of change or stability
• Complexity
• Management competence

Individual internal audit departments are free to establish their own prioritization frameworks;
however, based on the last several years of publicly disclosed information, company management
and their internal auditors may have missed the boat on finding and reporting internal control
deficiencies. The alarming increase in reported deficiencies calls for an evaluation of how the risk
factors suggested by the IIA correlate to reported disclosures.

DOLLAR MATERIALITY AS A RISK FACTOR

Internal audit departments frequently take into account the dollar materiality of auditable
entities or processes in determining audit risk. If dollar materiality was a significant factor in
internal control deficiencies, one should expect to see larger companies with more deficiencies or
at least more material weaknesses.

According to the FERF study, the average large cap company (>$1B) in the sample reported 3.71
deficiencies and the average small cap (<$250M) reported 2.51 deficiencies; the reporting rate is
far less than the size ratio would suggest. The relationship between dollar materiality and risk is
disproportionate to size. As a risk factor, dollar materiality seems to have an inverse relationship.
Entities or processes with low dollar materiality bear a disproportionate amount of disclosure risk.
Billion-dollar companies do not report four times as many deficiencies as are reported by
companies one quarter as large. Clearly dollar materiality should be a factor, but its weight
should be determined by other factors.

ASSET LIQUIDITY AS A RISK FACTOR

Many internal audit departments are charged with ensuring the safeguarding of assets and
preventing fraud and theft. Liquid assets are perceived to be particularly vulnerable to fraud and
theft. If liquid assets were truly at risk, one would expect to see a large number of deficiencies
related to cash and equivalents and certain inventories, and one would expect the existence
assertion to be related to many reported deficiencies. Neither has proven to be true.

According to the FERF study, the following accounts were most frequently involved in internal
control weaknesses: accounts receivable, sales, inventory, cost of goods sold, accrued
expenses/reserves, and selling, general and administrative. Furthermore, according to an
analysis of related assertions, the existence assertion was the one least likely to be attributed to a
reported deficiency in the sample. There is no doubt that liquid assets can be lost or stolen. But
on the whole they have not proven difficult to control, and their existence has not proven to be a
significant risk factor for internal control deficiencies. Internal audit departments may in fact be
misdirecting resources by focusing too much attention on liquid assets.

QUALITY OF INTERNAL CONTROLS AS A RISK FACTOR

Internal auditors tend to consider the quality of internal controls as a significant risk factor. In
doing so, internal auditors often use the COSO internal control framework component of control
activities as their benchmark in assessing the existence and quality of internal controls.

One would then expect that a significant number of control deficiencies could be classified as to
control activities. In other words, broken or missing control activities, if they are truly important,
should be behind a significant number of reported control deficiencies in the FERF study sample.
This has not proven to be true. Where sufficient information made it possible, the authors of the
FERF study classified each control deficiency into its related COSO framework component. Many
deficiencies were so poorly reported as to defy classification, but of those that were classified,
control activities were a relatively minor category.

As can be seen in Exhibit 2, across the range of companies in the sample, between 6 percent and
9 percent of reported deficiencies were attributable to control activities. If the quality of internal
control is an important risk factor, one should expect missing or broken control activities to be
associated with a significant number of control deficiencies. If the lack of evidence of significant
absences of or breakdowns in control activities suggests they are, in fact, present and working
well in most companies, where are all the deficiencies coming from? Just how important are
control activities as a risk factor? If internal auditors are using the existence or absence of control
activities as evidence of the quality of internal control in risk rating their audit universe, they may
be placing more confidence on these controls than evidence warrants.

Other COSO framework components seem to be much better predictors of risk. It seems logical
to attribute extra risk to a turbulent, rapidly changing business environment, but the rate of
business change or stability is not among the deciding factors in determining whether a control
deficiency exists or is reportable. Risk assessment is the COSO framework component one would
expect to see cited as a weakness if the degree of business change was a factor. Change
management is part of the risk assessment component in COSO. Interestingly, risk assessment is
the least cited attribute when attributing deficiencies to COSO framework components.

CHANGE OR STABILITY RISK FACTORS

It is not clear if change or stability are reasonable factors. What is clear is that risk assessment is
not being performed adequately. A better factor than stability or degree of change to consider is
whether the auditable entity has a risk assessment process and, if so, what are its results.
Supporting this argument is a table (Exhibit 3) from the Glass, Lewis & Co. study that breaks
down material weaknesses by type.

According to the study, almost 60 percent of material weaknesses are attributable to financial
systems and procedures and personnel. Both categories are likely to be impacted by rapid
change in a business and both suggest a lack of change management practices. Moreover, risk
assessment, with one percent of reported deficiencies, seems to contradict the notion that
instability is a problem.

BUSINESS COMPLEXITY AS A RISK FACTOR

Internal auditors often assess the complexity of their auditable locations. There is no standard
definition of complexity. Some industries have complex business models, some have complex
technology, and others have complex, nonstandard transactions. Size alone often implies
complexity, particularly if it leads to complex corporate structures or multiple locations. But size
has been assessed as a risk factor and found to be a significant but not determining factor. In fact,
one could argue that disclosure risk decreases with size. Smaller companies tend to have
relatively more internal control deficiencies.

However, another picture emerges when one looks at the breakdown of control deficiencies
reported by business process in the FERF study, as partially excerpted in Exhibit 4. Whatever the
complexity of the industry, the vast majority of control deficiencies are concentrated in only a few
business processes. Period-end reporting and revenue cycles account for 58 percent of the
deficiencies in the FERF sample. Are these two processes significantly impacted by technological
or operating complexity? Paradoxically, information systems, often assigned high complexity
scores, accounted for only 5 percent of deficiencies. There is little convincing evidence in either
study that suggests a subjective assessment of business complexity, in itself, is a reliable risk
factor in prioritizing an audit universe.

MANAGEMENT COMPETENCE AS A RISK FACTOR

The control environment component of the COSO framework is the one closest related to directly
dealing with management competence. This COSO control environment component includes
integrity, ethical values, competence and a range of other factors likely to affect the organization
as a whole. As the table in Exhibit 3 indicates, about 50 percent of all reported control
deficiencies can be attributed to problems with the control environment, making it potentially the
single most significant risk factor in prioritizing the audit universe.

Clearly, of all the factors considered, an assessment of the control environment of a company or
any of its auditable entities should play a major role in prioritizing an audit universe. Internal
control deficiencies are directly and strongly correlated to control environment scores. Soft
controls do count. Specifically, gaps in the following elements of the control environment must
be considered as specific risk factors:

• Integrity and ethical values
• A commitment to competence
• The board of directors or the audit committee
• Management philosophy and operating style
• The organizational structure
• Assignment of authority and responsibility

GUIDANCE FOR IMPROVEMENT


The importance of accurately prioritizing the audit universe is obvious. Until now, little empirical
evidence has been available to test prioritization methodologies. That is no longer true. Tested
against the evidence of publicly reported internal control deficiencies, many traditional risk
factors look extremely questionable at best. At worst they are causing valuable internal audit
resources to be potentially misdirected.

What is clear is that internal audit plays an integral part in an organization’s governance, risk, and
compliance initiatives and a critical role in providing assurance as to the integrity of the
organization’s governance framework. In an effort to improve the effectiveness of internal audit
processes, history would suggest that changes need to be made. Recommended changes include:

• A standards-based approach to internal audits will drive greater consistency and integrity of
audit data. Business process improvement is achievable through a feedback loop of audit
results. Financial process performance should be monitored as a key factor in developing a risk-
based plan. Below-target performance suggests unidentified risks or ineffective controls.

• Root cause analysis of internally reported deficiencies and insight into how control deficiencies
are detected and how they impact the entity are essential if internal auditors want to refine
their audit planning and prioritization models. Root cause analysis is simply not required today
under AS5.

• Greater investment in internal audit processes and systems is a prerequisite to any effective
governance, risk and compliance initiative.

ABOUT THOMSON REUTERS – PAISLEY GRC SOLUTIONS
Thomson Reuters is the world’s leading source of intelligent information for businesses and
professionals. The company combines industry expertise with innovative technology to deliver
critical information for leading decision-makers in the financial, legal, tax and accounting,
scientific and healthcare markets.

Paisley, acquired by Thomson Reuters in 2008, is the governance, risk and compliance platform
business unit of Thomson Reuters. Combining Paisley’s market-leading software with the
comprehensive Thomson Reuters intelligent information solutions delivers the most
comprehensive GRC solution for audit, risk and compliance professionals. Over 1,400
organizations, spanning 60 countries and serving more than 140,000 users in a wide range of
industries, utilize Paisley GRC solutions to streamline processes, reduce costs of compliance,
manage and mitigate risks, and provide visibility, oversight and assurance.

The Paisley GRC solutions include functionality for audit management, financial controls
management, enterprise risk management, operational risk management, IT governance, and
compliance. Paisley offers several software delivery options including on-premises, hosted
application deployment, or software as a service (SaaS) delivery.

Learn More
Call: 763.450.4700
Email: paisleyinfo@thomsonreuters.com
Visit: paisley.thomsonreuters.com

ABOUT THE AUTHOR


Bruce McCuaig, CA, CIA, CCSA
Vice President, Risk and Compliance – Paisley GRC Solutions

With more than 20 years’ experience in the field of risk and control management, Bruce McCuaig
is responsible for directing an operational risk management program at Paisley as part of a
company-wide effort to implement a top-down, risk-based approach to its own operations.
Bruce’s role at Paisley also includes sharing Paisley’s ORM experiences and innovations with
clients seeking to implement risk-based approaches for their GRC initiatives and to drive
improvements in their existing risk management processes. Prior to joining Paisley, Bruce held
senior executive positions with Gulf Canada Resources in Calgary and Toronto, and Gulf Oil
Corporation in Houston, Texas. Bruce is an experienced speaker, presenter and award-winning
author, participating regularly in international conferences on the subject of risk and control self-
assessment and publishing in professional audit and financial journals. Bruce earned a bachelor’s
degree in business administration from the University of Windsor, in Windsor, Ontario.

© Thomson Reuters. All rights reserved.


Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written
consent of Thomson Reuters. 'Thomson Reuters' and the Thomson Reuters logo are registered trademarks and trademarks of Thomson
Reuters and its affiliated companies.
