Moving towards risk-based approach to internal audit

(First of two parts)

Do you have a robust, reliable and credible internal audit department? Is the function still into the traditional, “police-type”, compliance-based audit? Or has it adopted a risk-based approach?

As companies grow and evolve in today’s rapidly changing business environment, they continuously face new sets of risks and challenges. To help executive teams address these changes, internal audit departments can no longer afford to rely on traditional audits. Internal audit teams need to be flexible and innovative in their approach, directing their resources to the critical (i.e. higher-risk) areas of the business.

New demands from the board, executive management and regulators have triggered a shift in focus beyond regulatory compliance issues. In this environment, industry leaders recognize the need for internal audit to play a larger role in the organization – one that expands on its historic focus on value preservation (control focus) to encompass activities related to value creation (performance focus).

What is risk-based internal audit?

A risk-based audit approach is the latest “best practice” in the evolution of internal auditing, aimed at maximizing the impact of audit by focusing on the major strategic, regulatory, financial and operational risks that confront an organization. This approach targets high-risk areas and helps the auditors achieve maximum value for the company from their efforts. It involves challenging existing structures and processes to identify areas for improvement and propose value-adding changes to the organization.

Is risk-based approach (RBA) an option?

This approach is not an option; rather, RBA is mandated by the Institute of Internal Auditors’ (IIA) International Professional Practice Framework (IPPF), which covers the International Standards for the Professional Practice of Internal Auditing (ISPPIA or the Standards). It is important to note that the Philippine Securities and Exchange Commission (SEC) has required through the promulgation of the SEC’s Code of Corporate Governance (SEC Memorandum Circular No. 2, Series of 2002) that “the internal auditors of publicly listed companies shall plan and conform its work in accordance with the ISPPIA”.

The Bangko Sentral ng Pilipinas followed suit in November 2005 for Philippine banks when it issued a circular on “Audit Committee and the Internal Audit Function” (Circular No. 499 Series of 2005) stating that “the internal audit should... ensure compliance with sound internal auditing standards, such as the Institute of Internal Auditors’ International Standards for the Professional Practice of Internal Auditing.” Last year, the Philippine SEC issued a Revised Code of Corporate Governance (SEC Circular No. 6 Series of 2009) reaffirming once again the need for the Internal Auditor to be guided by the ISPPIA (Article 3 - Board Governance, section H, paragraph iii).

It is interesting to note that even ISACA – a global professional association of information systems (IS) audit and control professionals – also requires its members and CISA (Certified Information Systems Auditor) certification holders to “develop and document a risk based approach” under IS Auditing Standards No. 5 on Planning (S5.04) and “to evaluate IS function” using a “risk-based approach” under IS Auditing Standards No. 10 on IT Governance (S10.07).

How does this approach (RBA) differ from the other approaches?

The other approaches to internal auditing are the so-called “shotgun” or “police-type”, compliance-based and control-based approaches. These are the old, traditional ways of auditing: usually long and time-consuming, using an extremely high number of samples (if not 100 percent), based on the gut feel or intuition of the auditor, and often leading to adverse and counterproductive relationships with the auditees (or audit customers). Let me discuss them one by one.

Shotgun approach

The “shotgun” approach is “full-blast” auditing based on the individual auditor’s experience and judgment (usually gut feel or intuition) or triggered by “tips” from whistleblowers or “concerned employees”, with the intent of seeking or uncovering mistakes, errors and irregularities, and identifying and reporting malicious, negligent, or incompetent people. A number of times this approach works in catching “culprits” or “violators”, and it is viewed as appropriate under a not-so-ideal, “dark” or “ominous” control environment.

However, some critics complain that the shotgun approach tends to dwell on trivial or small items and veers away from the more important business concerns of serving the customers well, creating and preserving value, and improving operational efficiency and effectiveness. Typically, this type of audit is time-intensive and requires the involvement of many audit resources. Invariably, the auditor’s relationship with the auditee is strained and may not promote transparency on the part of the auditee.

Compliance-based approach

The compliance-based approach involves a rigorous check of current practices against established policies and procedures as well as against existing laws and regulations. This is not bad per se and is in fact quite useful to the company in many instances. Its drawback is that it ignores the possibility that the non-compliant behavior of the auditees is actually a welcome innovation and an appropriate response to new business requirements or a new paradigm. Thus, an audit exception may be raised and the auditee bitterly and unjustifiably criticized when, on the contrary, the auditee should really be commended for a job well done.

If the auditor does not put himself in the shoes of the auditee and does not “go deeper” to see the auditee’s perspective, this audit approach may be counterproductive, and even discourage creativity and initiatives for improvements. It does not make sense to apply this approach if the existing policies and procedures are outdated and not in line with the organization’s needs.

Control-based approach

The control-based approach is similar to the compliance-based approach, except that, in addition to the company’s current control policies and procedures, the auditor also uses “best practices in internal control” (e.g. a checklist or an inventory of generally accepted controls drawn from various control frameworks or from peers in the same industry or profession) that the company has not yet adopted or employed.

While better than the two previously mentioned approaches, one drawback to the control-based focus is that it tends to overemphasize controlling activities, while overlooking the practical factors and cost-benefit considerations associated with implementing the required controls. The result is often disagreement with the auditee management on the necessity of performing the additional controls.

Risk-based approach and beyond

The risk-based audit methodology is the preferred and modern approach required by the ISPPIA (the Standards). With this approach, the auditor must first understand the company’s mission/vision, strategies, objectives, targets, key result areas and goals (corporate ends); and then identify and analyze the risks (risk assessment) that may hinder or prevent the achievement of those corporate ends. The auditor then determines whether controls are in place (test of design) and whether such controls are working effectively as designed (test of operating effectiveness) to address those risks assessed as high or as having a significant impact on the business objectives (both operational and control objectives).

Moving beyond today’s risk-based audit approach, we are seeing a convergence of the governance, risk and compliance functions. Companies with an improved understanding of risks are establishing appetite thresholds for accepting versus controlling the various types of risk and embedding risk management activities within the business processes.

As companies continue to enhance their processes, such as through the implementation of enterprise risk management frameworks, future internal audit functions will need to work closely with the risk management functions to provide an additional layer of monitoring and proactively address risks before they materialize.

(To be concluded)

(Reginald C. Nery, CPA, CISA, CISSP, CIA, CCSA, CFSA, CISM. He is the Head & Partner of Performance and Technology Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity.

This article is of general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com or rcnery@kpmg.com)
