Is It Enough to Take a Risk-Based Approach to Internal Audit?

GUEST BLOG POST
When I became a chief audit executive (CAE) for the first time in 1990, I determined that a risk-based internal audit approach was not sufficient.

A risk-based approach focuses on how well management can handle a potentially bad event or situation. It assesses the design and operation of the internal controls relied upon to prevent losses or other bad effects, such as financial statement errors, fraud, or reputation damage.


The risk-based approach is suggested by the Institute of Internal Auditors’ professional practice standards, as described in Risk Assessment in Audit Planning from IIA Belgium, which Marinus de Pooter was kind enough to share with me. It quotes the relevant IIA Standards:

  • IIA Standard 2010 requires: “The chief audit executive must establish risk-based plans to determine the priorities of the internal audit.”
  • IIA Standard 2010.A1 requires: “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually. The input of senior management and the board must be considered in this process.”

It says:

  • These standards require the head of internal audit (HIA) to develop a risk-based plan. The HIA should take into account the organization’s risk management framework, including risk appetite levels set by management for the different activities or parts of the organization. If a risk management framework does not exist, the HIA uses his or her own judgment of risks after consideration of input from senior management and the board. The HIA must review and adjust the plan, as necessary, in response to changes in the organization’s business, risks, operations, programs, systems, and controls.
  • The main challenge faced by a majority of internal audit functions is how to allocate limited internal audit resources in the most effective way—in other words, how to choose the audit subjects to examine. This requires an assessment of risk across all the auditable areas that an auditor might examine.

I do not recommend the IIA Belgium guide for several reasons, including the fact that in the detail it talks about identifying and assessing the risks to the objectives of auditable entities (the audit universe, a concept that should be retired) instead of the risks to the objectives of the extended enterprise (captured in a risk universe).

When I became CAE, the prevalent thinking was to risk-prioritize auditable entities. I started talking, instead, about enterprise-risk-based auditing.

Putting Value Ahead of Risk
There are times, however, when we should be focusing more on where we can add value, rather than on where the greatest sources of enterprise risk lie. While they are more often than not the same, that is not always the case.

First, there are situations where the level of risk is and should be considered “low,” but there is great value that could be mined and delivered by internal audit.

The first of these that I experienced was highlighted by the chair of the audit committee, Clarence Frame. Tosco, where I served as CAE, was at that time a $2B-revenue oil refining and marketing company. Its roots, however, were in its name.

In a previous era, the name of the company was The Oil Shale Company, abbreviated to TOSCO and later changed to Tosco when it found that there was no money to be made mining oil shale. It acquired a number of oil refineries and concentrated on that space. It continued to own land, however, with oil shale deposits and the water rights crucial to any future mining activity.

Clarence was concerned and wanted to ensure that the company complied with the rules that mandated certain continuing activities if it were to maintain those water rights. Yet, there was no associated revenue, only costs, and management had no desire to spend any time on the past dreams of its founders.

The risk was that we would lose the rights, but we all knew that if we did it would have no effect on the company’s operations or results in the foreseeable future. Still, Clarence and the audit committee, with some support from the CEO, saw value in knowing that appropriate actions were being taken to preserve the potential long-term revenue from oil shale. If the price of crude oil rose significantly (seen then as highly unlikely), the oil shale and water rights would be of high value.

We know now that Clarence was right and the rights needed to be preserved. By the time the oil shale became viable, though, Tosco had been sold to Phillips Petroleum (now part of Conoco) and I had moved on.

We completed the audit and found that certain actions were required to preserve the rights. Management reluctantly agreed and the shareholders of the successor companies have benefited. Had we made the decision to include the audit on the plan or not based solely on the perceived risks to the business at the time, we likely would have left it off. That would have resulted in the loss of the water rights and the loss of the value that would be realized down the line.

We should always pay attention and consider audit projects that are of high value to the audit committee or CEO. They are not, in my opinion, automatically included but should be given strong consideration.

High Risk, but Low Value
Then there are situations where the risk is high, but the value of an audit is low.

When I started as CAE at Solectron, a former electronics manufacturing company that was acquired by Flex Ltd. in 2007, the company was still engaged in acquiring smaller businesses and their assembly plants around the world. It was a contract manufacturer for electronics companies such as IBM, Intel, and many others, and our more than 120 plants served their needs around the globe. But 120 was too many and the average utilization rate (which measured how much of our capacity we were using) was well below 50 percent. Costs were rising at the same time as our competitors were pushing sales prices down. They were able to use their factories more efficiently and it showed in their competitive bids.

There was a serious possibility that the market would continue to put pressure on prices, maybe even more pressure, and if we didn’t do something to seriously rationalize our footprint we would go out of business. So, obviously, I had this as a high-risk issue.

But when I started looking further into the problem, I found that management had already established a high-power task force to assess the situation and make recommendations to consolidate or sell off units. It was clear to me that the right work was already being done by the right people, with access to and support from top management.

There was little to no value to any audit project, whether assurance or consulting. I considered an audit to evaluate whether management had sufficient reliable information to enable an informed decision, but the task force leaders assured me that they did. So instead, I continued to monitor the project through periodic meetings with the task force leaders. Had we taken a solely risk-based approach to internal audit, we would have conducted an audit that would have been redundant and likely have created some unnecessary tension with the task force.

The Opportunity Side of Risk
Another consideration when prioritizing value over risk is that the risk-based approach tends to focus on the possibility for harm. Yet auditors should also consider whether management has controls and procedures to ensure they are seizing opportunities.

For example, I have seen:

  • Situations where controls could have been improved to ensure management is aware of and putting the best resources towards not only winning a sales contract but optimizing it.
  • Opportunities that were not recognized by management to deploy new technology and realize great benefits. Sometimes, it was technology that had been acquired but was under-utilized. Sometimes, it was because management didn’t have any discipline about understanding how new technologies could be used in its business.

Finally, there are situations where there really isn’t a risk as such. I am talking about cases where the concern is not about something that might happen at some point in the future, but about the current situation.

For example, at Maxtor, a manufacturer of disk drives that was acquired by Seagate in 2006, the cost of our manufactured product was greater than that of our competitors. The reason was two-fold: First, we had some manufacturing operations in high-cost California, while our major competitor had similar manufacturing in China. Second, we had outsourced some manufacturing of essential parts to a Taiwanese company where we were a minor customer, while our competitor had it all in-house in China. As a result, we were unable to develop a next-generation hard drive at a cost that would enable us to make money.

I spent a fair amount of time on a consulting project, looking to see whether there were opportunities to realize cost savings and then sitting in with management as we planned a new site in Thailand or Vietnam to replace the high-cost California operation. The best value that internal audit could provide was in these types of consulting and advising engagements, rather than any particular audit.

Putting this together, I believe the traditional risk-based audit approach needs a tweak: audit leaders should take an enterprise-risk and value-additive approach to internal audit.

I’d like to hear your views on this topic. Please leave your thoughts in the comments below.


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

Republished with permission from: Norman Marks on Governance, Risk Management, and Audit.

3 Replies to “Is It Enough to Take a Risk-Based Approach to Internal Audit?”

  1. Hi, I work in a lead-acid battery manufacturing company; the batteries are mostly used in cars, motorbikes, UPSs, inverters, etc. It is a very helpful article for me. Could you please give some more examples, for a manufacturing company, of where the risks are high but the value is low, and where the risks are low but the value is high, with examples related to the current scenario like COVID-19, climate change, technology improvements/shifts in the automotive industry, management change, etc.?

  2. Norman,
    I enjoyed reading your article and couldn’t agree more. I was thinking of how value could be utilized in a risk assessment, and I think the solution is simple: simply add a “value” category in the risk assessment. Obviously, value would have to be defined and there would be a lot of fine-tuning involved here, but I think it would be a good start.
    Also, I appreciate that you mentioned the opportunity side of risk. Too many auditors focus purely on risk, and the harm that could happen if this or that is not done. People get numb to that sort of talk after a while. I think the reluctance of auditors to talk about opportunities is maybe that they feel they are stepping into more of a decision-making role through specific recommendations. I have known too many auditors that are so neutral in their language that you start to wonder if they are adding any value at all. Those are some of my quick thoughts about your article. Thanks and take care.
    -Billy Poulos

  3. Well-written article. I believe that an integrated process review framework is one that will make internal audits more effective and efficient in bringing out value add whilst recognising enterprise risk management factors. The audit must take into consideration the current business strategy, understand the predominant events that this strategy is likely to create, map out the use cases related to these events, and review whether the portfolio of processes is fully geared to handle the functional and controls aspects needed to optimally facilitate these use cases. Whilst this review identifies opportunities for process reengineering, how well the process gets enforced will depend on how well the existing systems are geared to facilitate the functional and controls aspects of each process.
