When Enterprise Risk-Based Audit Plans Are Not Enough


GUEST BLOG POST:
I am a huge believer, as are most leading internal audit practitioners, in enterprise risk-based auditing.

That means that the audit plan is designed to provide assurance, advice, and insight on the more significant sources of risk to the organization and the achievement of its objectives.


It also means that the audit plan should be carefully scrubbed and cleansed of audits of lower-level risks (such as risks to auditable entities), because that time is needed to focus on more important areas. Similarly, the scope of planned audits should be scrubbed of areas of low risk to focus on the high-risk areas.

But, as the title of this blog states, taking a risk-based approach is not always quite enough.

There are two reasons:

1) Even audits of seriously important sources of risk can sometimes deliver little value.
2) Areas with known problems may merit our attention, even if a purist would not say there was a “risk.”

Let’s take each of those in turn.

When a ‘Risky’ Area Isn’t in Need of an Audit

One of the reasons for not auditing an area that presents a significant risk is when it would be a duplicative effort.

When I was chief audit executive (CAE) of Solectron Corp., a major problem (and a significant contributor to its eventual demise) was that it had too many manufacturing and assembly plants around the world.

Over the years, it had grown through acquisition and while it had a few large plants (in Suzhou, China; Penang, Malaysia; Charlotte, North Carolina; and Milpitas, California) it also had a great many small ones all over the globe.

On average, the plants were operating at about 40 percent of their capacity. As a result, they were marginally profitable at best. The company needed to rationalize, even though that would be a very painful operation.

I considered auditing whether the company was managing the capacity of its worldwide manufacturing operations effectively, including whether it was taking the appropriate steps to rationalize. But when I talked about this with senior management, I found that they had already established a task force to address that exact issue.

I met with the members of the task force, and it was clear that these were senior individuals with experience, expertise, and the courage to make the right recommendations. There was little value in duplicating their efforts with a risk-based audit. So, I monitored their work and attended some of their meetings. But even though this rated as a high risk, I didn’t include a related project in the audit plan.

In hindsight, I missed the real risk—that the CEO and his team wouldn’t have the courage to accept the recommendations. But even in hindsight, that is not something for internal audit to audit.

When a Non ‘Risk-Based’ Internal Audit Can Add Value

When I was in audit leadership roles and I would discuss my audit approach with the audit committee and others, I would describe it as “risk and value auditing.”

The second point is that risk management purists might say that if something is pretty certain to happen, it’s not a “risk,” and therefore doesn’t necessitate an internal audit. I think that is semantics.

Solectron’s capacity utilization problem was something that, in different circumstances, would merit internal audit attention.

Many of the audits my team has performed over the years have focused on known problems. Unless action was taken, they would continue to limit enterprise performance and the achievement of its objectives. Since the problems were known, a purist might say they were not a risk. Yet an internal audit still added value.

Examples include:

  • The audit of a Maxtor manufacturing facility where the scrap rate appeared high. It focused on the procurement of quality materials, inspection of receipts, quality assurance, and other processes that could have been contributing.
  • An audit of the global sales contracting process. It was known to be fragmented and the company was failing to leverage its total relationship with major customers. We recommended changes that were embraced by the global executive vice president of sales.
  • The audit of a high-cost manufacturing plant, looking for cost-saving opportunities.
  • The operational audit of a capital expenditure approval process (I talked about it in a recent video).
  • An audit of the legal review of sales contracts in the United Kingdom. The known problem was that the attorneys were spending too much time on the reviews, which limited their ability to provide legal advice to management.

Each of these was an audit that delivered valuable assurance, advice, and (especially) insight to top management and the board, even if they weren’t necessarily of areas deemed to be “high risk.”

I am not a purist, and I included these areas of risk where an audit could add value in my enterprise risk and audit approach.

Do you do the same? I welcome your thoughts. Please share your own experiences in the comment section below.


Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.

Note: This article was republished with permission from Norman Marks on Governance, Risk Management, and Audit.

2 Replies to “When Enterprise Risk-Based Audit Plans Are Not Enough”

  1. “Unless action was taken, they would continue to limit enterprise performance and the achievement of its objectives” – This is where the value add can be demonstrated by formulating respective recommendations. Then, it is still management’s prerogative to act upon or to decide not to do. Referring to the article Making Internal Audit Recommendations that Get Results (October 27, 2022 By Hector Garcia)

  2. Great article and perfect timing. Management requested an audit of a program, and our pre-meetings determined everyone knew the problems and how to solve them. However, they didn’t know who had the authority to implement the changes. We summarized what we learned from the various stakeholders with recommendations to address program ownership, etc., and provided it to the requester with plans to follow up at a later date. Thankfully, I’m confident in their courage to make the necessary changes!
