GUEST BLOG
Editor’s Note: The views expressed by the author do not necessarily reflect the views of Internal Audit 360°, as we seek to bring varied and provocative ideas to our readers.
The idea that audit plans should be risk based is so old and widely accepted that we rarely give it a second thought. Yet, in my 16 years in risk management across four continents, I have seen hundreds of audit plans, and I can assure you none of them were actually risk based. They were opinion and feelings based, even if some had colors and qualitative words describing perceived risk exposure. Some were materiality based, but none were risk based, because they were all disconnected from the underlying organizational risk profile.
(If you are an internal auditor and you are sure that your audit plan is risk based, scroll to the bottom of the article, where I have added a quick checklist that I believe will change your mind.)
The problem? The biggest lie the Institute of Internal Auditors ever sold business is that auditors understand risk. The IIA even published a guideline on creating a risk-based audit plan, Developing the Risk-based Internal Audit Plan, 2020. I carefully reviewed the guidance when it came out and again today, and I can guarantee that anyone who is following this best practice has no risk-based audit plan, 87 percent of the time.
“In alignment with the Code of Ethics principle of objectivity and Standard 1100 – Independence and Objectivity, internal auditors should do their own work to validate that all key risks have been documented and that the relative significance of risks is reflected accurately.” –Developing the Risk-based Internal Audit Plan, 2020.
I think this is irony at its best; I will come back to the Code of Ethics principles a little later in the article.
“Risk assessments typically include both quantitative and qualitative methodologies. An abundant selection of software is available to help the internal audit activity perform risk assessments that result in both quantitative and qualitative data.” –Developing the Risk-based Internal Audit Plan, 2020
Well, I know of only one software package that turns qualitative risk registers into quantitative ones and utilizes utility theory to properly quantify and compare financial and non-financial risks: Archer Insight.
“In their risk assessments, internal auditors should estimate both inherent risk—the risk that exists if no controls were in place—and residual risk.” –Developing the Risk-based Internal Audit Plan, 2020
Ok, this is too funny. I have a whole article (The better alternative to “inherent” and “residual” risk concepts) on why this is a typical example of nonsense: internal auditors artificially create a whole new concept to fit their agenda that serves no practical business purpose whatsoever. If you know that internal auditors are the only beneficiaries of the whole inherent/residual conversation, something is seriously wrong.
“The chief audit executive or assigned internal auditors should document the reasons for their determination of residual risk. This rationale lends support to internal audit’s view of risk priorities.” –Developing the Risk-based Internal Audit Plan, 2020
This is one of many reasons why risk priorities derived from such an approach have nothing to do with the actual risk exposure the business is facing, which is what the internal auditors should have been focused on all this time.
“Risk assessment results with levels of risk for each auditable unit may be depicted graphically in a heat map or similar chart to help show the ranking of priorities. Heat maps are especially useful when certain criteria are weighted more heavily than others and in visual presentations to the board and senior management.” –Developing the Risk-based Internal Audit Plan, 2020
Ok, this is all you really need to know about the IIA’s level of competency when it comes to risk management. Heat maps have been scientifically proven to misprioritize risks and to be “worse than useless.” Let me make this very clear: the IIA is recommending astrology and horoscopes in its official guidelines. Surely, that is a direct breach of the Code of Ethics principles. Last time I checked, promoting pseudoscience and astrology under the banner of independence is not a good idea.
“CAEs should meet with senior management to review internal audit’s assessment, ensure thoroughness and mutual understanding, and discuss the reasons for any significant differences in risk perceptions or ratings.” –Developing the Risk-based Internal Audit Plan, 2020
Ok, that’s just wishful thinking. How do you get an accountant to compare notes with a surgeon? That is just an analogy, an illustration. The point I am making is that internal auditors lack the risk management competencies needed to understand how risk exposure is calculated, how uncertainty affects decisions or objectives, how risks are correlated, why cVaR should be used for some risks instead of VaR, what role the confidence interval plays in risk assessments, and lastly, why there is no such thing as an enterprise-wide approach to risk assessment: each risk has its own risk model, and aggregating risks is anything but trivial.
So you tell me: why would management want to meet with, and take seriously, auditors who come and talk about risks because apparently they need to be independent when planning audits? Would you listen to an auditor’s opinion on heart surgery or vaccination? The biggest lie the IIA ever sold business is that auditors understand risk management. The methodology provided in Appendix D of Developing the Risk-based Internal Audit Plan, 2020 is an absolute disgrace, and Appendix E is nothing short of negligence.
The Solution: Don’t Replicate What Professionals Have Already Done
My simple answer is: use whatever risk information exists within the business. Large shareholders, risk owners, and 2nd line know exactly what the risks are.
However, despite IIA “best practice,” auditors should start with the 2nd line. But what if the internal auditors don’t trust the 2nd line methodology? Then audit the second line until you trust the methodology. But don’t kid yourself; unless you have mathematicians on the audit team, you have zero chance of auditing the risk management methodology that the risk team is using. Outsource the audit. What if the risk team is not doing quantitative risk analysis? Well, that’s an easy audit finding right there. Whatever the risk team is doing, it is not risk management; they should upgrade the methodology or be fired. Good risk managers can pretty quickly tell how market risk cVaR compares to operational risk cVaR and whether cyber or climate are as huge as everyone makes them out to be. Legal, HSE, security, and IT all have a lot of information about significant risks in their areas of responsibility, but more importantly they know exactly where the weak control areas are.
The second step is to talk to risk owners, just as the IIA is suggesting. The trouble is that while risk owners know their risks better than anyone, they are also often motivated to hide them and keep them hush-hush. The IIA forgets to mention that interviewing risk owners is unlikely to produce any meaningful and honest representation of the actual risk exposure, because risk owners are smart and will not bet against their own bonuses. So instead, audit the performance management process and the methodology for calculating KPIs and bonuses before you seriously rely on risk owner input.
The third step is to talk to the shareholders. It is easier in private companies, where shareholders tell auditors exactly where to look. In public companies, shareholders are many. And yet, I don’t understand why companies are not using proxy voting at annual general meetings to ask shareholders about their focus areas for the audit team and the key risks shareholders see. Institutional investors should be involved as well, since they often have a solid view on the audit priorities. Didn’t audit want to become truly independent? Well, here is the chance.
Engaging external experts for horizon scanning is also a good source of risk information for the audit team. Wouldn’t it be awesome if risk and internal audit teams together organized a horizon scanning or value killers workshop, or interviews with external experts?
The bottom line here is that auditors are not competent to perform risk assessments, so they have no choice but to rely on 2nd line risk assessments. Many 2nd line risk assessments are also bad, so auditors need to audit the 2nd line risk methodology and help the business fix it, if the 2nd line is still using qualitative horoscopes. When something is broken, auditors should recommend fixing it, not recreate a worse replica of it.
A Risk Checklist
Checklist for internal auditors:
- How does your market cVaR compare to credit cVaR and operational cVaR?
- What risks contribute the most to the probability of breaching covenants / liquidity risk?
- Are risks within set limits? Have stop losses been activated recently? What is the forecast against key limits?
- Which operational risks have the highest risk exposure?
- What risks had significant change in historical losses?
- What confidence level is used in risk models across the organization?
- What significant risks could dramatically affect EBITDA forecasts over the coming 1, 3, and 5 years?
- How concentrated are the investment projects?
- What is company / project NPV@risk?
If you found these questions confusing, it is probably not a good idea to do a risk assessment without risk professionals present.
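As an added illustration of the checklist’s cVaR questions and of the earlier point that heat maps misprioritize risks (this example is not from the article or from any product it names), the script below takes two constructed loss distributions that land in the same heat-map cell, then shows that VaR and cVaR at a 95 percent confidence level rank them differently, and that aggregating the two is not simply adding their cVaRs:

```python
from itertools import product
from typing import Dict, Tuple

# Constructed example loss distributions, {loss_amount: probability}; not real data.
FREQUENT_SMALL = {0.0: 0.5, 10.0: 0.5}    # routine error: happens half the time, costs 10
RARE_LARGE = {0.0: 0.98, 1000.0: 0.02}    # catastrophic event: 2% chance, costs 1000


def heat_map_score(dist: Dict[float, float]) -> int:
    """A typical 5x5 heat map: bucket the likelihood of any loss and the worst-case impact."""
    p_loss = sum(p for loss, p in dist.items() if loss > 0)
    worst = max(dist)
    likelihood = 1 if p_loss < 0.05 else 2 if p_loss < 0.15 else 3 if p_loss < 0.3 else 4 if p_loss < 0.5 else 5
    impact = 1 if worst < 50 else 2 if worst < 100 else 3 if worst < 250 else 4 if worst < 500 else 5
    return likelihood * impact  # both constructed risks score 5: the heat map cannot tell them apart


def expected_loss(dist: Dict[float, float]) -> float:
    return sum(loss * p for loss, p in dist.items())


def var_cvar(dist: Dict[float, float], alpha: float) -> Tuple[float, float]:
    """VaR and cVaR (expected shortfall) at confidence level alpha for a discrete loss distribution."""
    outcomes = sorted(dist.items())
    cum = 0.0
    for i, (loss, p) in enumerate(outcomes):
        cum += p
        if cum >= alpha - 1e-12:
            var = loss  # smallest loss whose cumulative probability reaches alpha
            # Expected loss in the worst (1 - alpha) tail: every outcome above VaR plus the
            # slice of the VaR atom that lies beyond alpha (Rockafellar-Uryasev formula).
            tail = sum(l * q for l, q in outcomes[i + 1:])
            return var, (tail + (cum - alpha) * var) / (1.0 - alpha)
    raise ValueError("probabilities must sum to 1")


def combine_independent(a: Dict[float, float], b: Dict[float, float]) -> Dict[float, float]:
    """Aggregate two independent risks by convolving their loss distributions."""
    total: Dict[float, float] = {}
    for (la, pa), (lb, pb) in product(a.items(), b.items()):
        total[la + lb] = total.get(la + lb, 0.0) + pa * pb
    return total


if __name__ == "__main__":
    for name, dist in (("frequent small", FREQUENT_SMALL), ("rare large", RARE_LARGE)):
        var, cvar = var_cvar(dist, 0.95)
        print(f"{name:14s} heat map={heat_map_score(dist)} EL={expected_loss(dist):.1f} "
              f"VaR95={var:.1f} cVaR95={cvar:.1f}")
    var_t, cvar_t = var_cvar(combine_independent(FREQUENT_SMALL, RARE_LARGE), 0.95)
    print(f"aggregated     VaR95={var_t:.1f} cVaR95={cvar_t:.1f} (sum of the two cVaRs is 410.0)")
```

VaR95 puts the frequent small risk first (10 versus 0, because the rare loss sits beyond the 95th percentile), while cVaR95 puts the rare large risk first (400 versus 10); the aggregated cVaR95 of 408 is below the sum of the parts, which is the subadditivity that makes cVaR usable for aggregation where VaR is not.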
I’m sure Mr. Sidorenko’s analysis hits home for retail businesses, banks, insurance companies and other financial institutions. I’m not so sure it applies to all organizations. A manufacturer or government agency will have a different view on appropriate risks and may find that operational risks or compliance risks are just as critical, if not more so, as financial risks. It is not always necessary to have a mathematician on the team, especially when the 2nd line ERM process doesn’t involve anything more complex than algebra.
On the positive side, though, I do like the idea of including an audit question in the proxy to find out what shareholders are thinking. I can get some of those concerns on the quarterly earnings call, but a specific question would identify more specific concerns.
This piece is more of a criticism than a solution for internal auditors! Regardless of the specific IIA practice guide mentioned by Mr Alex Sidorenko, I am of the opinion that ISO 31000:2018 (Risk management — Guidelines) and IEC 31010:2019 (Risk Assessment Techniques) are good enough for internal auditors to learn risk assessment related to the risk-based internal audit plan. There are over 40 techniques with different characteristics that will help internal auditors to decide which techniques are best for their organizations. Therefore, the use of quantitative measurement alone is not as important as other factors that will significantly influence the use of particular techniques in assessing risks related to how internal auditors determine their priorities.
The author was the Head of risk management (or equivalent) for RusNano, in Russia. He is very vocal in his disdain for Internal auditors.
His credibility might improve if he was transparent about how his expertise in risk management failed to prevent Chubais (Putin’s friend) from stealing all the billions of dollars invested, and failing to build the nanotech industry in Russia.
What models / software can predict Putin’s friend = likely thief = stolen billions???