In designing risk-based auditing and monitoring activities, it is important that the internal auditor works closely with the organisation’s senior leadership and the board, or committee of the board, to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimise and mitigate risks for the organisation.
These discussions should also include leadership from the legal, compliance and risk management functions, if they are not already a part of the senior leadership team.
This is according to Sheryl Vacca, senior VP and chief compliance and audit officer at the University of California (UC), and Ian Huntly, CEO of Rifle-Shot Performance Holdings, representatives in sub-Saharan Africa of SoftExpert, a market leader in software and services for enterprise-wide business.
This process should include performing periodic audits to determine compliance with respect to applicable regulatory and legal requirements and to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behaviour.
Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action through an ongoing performance management process to address any noncompliance.
Once the common framework for the risk-based auditing and monitoring program has been established, four key tasks must be performed:
* Assessment and prioritisation of risks, conducted enterprise-wide;
* Development of a risk-based auditing and monitoring plan;
* Execution of a corrective action plan developed by management to mitigate and/or resolve risks; and
* Periodic assessment of the overall process for effectiveness.
Risk assessment
The Committee of Sponsoring Organisations of the Treadway Commission (COSO) helped to define “risk” as any event that can keep an organisation from achieving its objectives. According to the COSO model, risk is viewed in four major areas:
* Operational (processes and procedures);
* Financial (data rolling up to internal/external statements);
* Regulatory (federal, state, local, organisational policy); and
* Reputation (institutional).
There are several ways in which risk assessments in these areas can be conducted. These include the use of:
* Focus groups to assist in the identification of risks;
* Interviews of key leadership and the board;
* Surveys; and
* Reviews of previous audit findings, of external audits conducted in the organisation, and of what is occurring within the industry and the local market.
Once risks have been identified, a prioritisation process is needed to determine the likelihood of each risk occurring, the ability of management to mitigate it (that is, whether controls are in place for the risk, regardless of how likely it is to occur), and its impact on the organisation.
Risk prioritisation is an ongoing process and should include periodic reviews during the year to ensure that the previous prioritisation, when applied in real time, is still appropriate for the risk.
It is important that senior leadership participate in, and agree with, the determination of the high-risk priorities for the audit and monitoring plan. This will ensure management buy-in and focus on risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct these activities.
Hence, during the plan year, if there are changes, management will understand the need for additional resources or a change in focus in the plan as the business environment and priorities may change.
Developing the plan
Risk assessments and prioritisation are important elements in the development of a risk-based auditing and monitoring plan. Considerations related to the plan should also include:
* Review of other business areas in the organisation which may be conducting an audit or monitoring activity in this area;
* Resources available to implement the plan;
* Hours needed to complete the plan;
* Projected timeframes;
* Defined auditing or monitoring activities and determination as to whether they are outcomes or process oriented; and
* Flexibility incorporated into the plan to address changes in risk priorities and possibly unplanned compliance risks/crises which may need an immediate audit or monitoring to occur.
The process of risk assessment continues through the execution of the plan, where the engagement objectives reflect the results of the risk assessment. Risk-based auditing and monitoring is ongoing and dynamic, changing with the needs of the organisation.
Execution of the plan
Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as users execute the plan. The framework for these activities should include the following actions:
* Set the purpose and goal for the activity (audit or monitoring);
* Conduct initial discussion with the business area for input related to audit attributes, timing and process;
* Finalise the approach and attributes;
* Conduct the activity;
* Identify preliminary findings and observations;
* Provide an opportunity for findings and observations to be validated by the business area;
* Finalise the report;
* Identify processes for the follow-up after management has taken corrective action related to activity findings and observations;
* Collect and track data, which are critical because they support trend analysis and measurement of progress; and
* Determine the key points of activity that may be provided to leadership and/or in reporting to the board.
The overall process of developing the audit and monitoring plan should be documented. This would include a description of how the risk assessment was conducted and the methodology for prioritisation of risks. Working papers to support the audit findings, reports, and corrective action plans should be documented and filed appropriately.
Prior to the audit activity, be sure to define and document what should be considered as part of the working papers.
At the end of each plan year, it is important to conduct an evaluation of the overall effectiveness of the plan. Questions to consider may include:
* Was the plan fully executed?
* Were appropriate resources utilised for the plan’s execution?
* Were the activities conducted in a timely manner?
* Did the plan “make a difference” in regard to the organisation’s strategy and business?
* Did the plan reach the goal of detecting, deterring, and/or preventing compliance research risks from occurring?
Annual evaluations may be conducted through self-reviews or independently of the internal audit function by a third party, for example a peer review conducted with auditors from other organisations, or a Quality Assessment Review conducted according to IIA standards (every five years).
However, while self-reviews are less resource intensive, it is recommended that an independent review be conducted at least every other year to assess the effectiveness of auditing and monitoring efforts.