Evaluation of a Risk-Based Internal Auditing and Control


In recent years, risk taking and its management have taken on a new dimension. This is why business owners are starting to have a sound risk management strategy, something that the board is responsible for (IOD, 2009: 73–76), but that internal auditors need to ensure is functioning efficiently and effectively (IOD, 2009: 80; IIA, 2012: 2120); and, if so, incorporate the investigation of the mitigation of the key risks threatening the organization into their activities. At the same time, the evolution of corporate governance has forced management to revisit the roles and responsibilities of various parties.

Risk management and internal auditing are connected, but there is still a lack of understanding of what risk-based internal auditing entails for the performance of an audit engagement. The investigation into the evolution of the internal audit engagement revealed that internal auditing has been influenced over the last few decades by the changing business environment, and has undergone, and is still undergoing, a number of transformations. The steps in the risk management process (COSO, 2004) are linked to the planning phase of an internal audit engagement according to the guidance provided by the formal standards of the Institute of Internal Auditors (2012: 2200–1).

First, objectives are set for either the strategic level or the operational levels of the organization during the risk management process. Internal auditing relies on the outcome of the process as documented in the risk register and uses these objectives as the basis for the internal audit engagement objectives.

Second, the inherent risks that are threatening the achievement of these objectives should be considered by the internal auditor. All inherent high-risk areas are considered for inclusion in the engagement planning. All hazards and opportunities should be included as potential risks.

Third, the internal auditor may use the assessment of inherent risks as documented in the risk register in terms of likelihood and impact. How inherent risk in areas outside the scope of the engagement could affect this engagement, and vice versa, should also be considered. The assessment of the residual risk should also be obtained from the risk register for all inherent risks that are not within the risk appetite boundaries. The investigation of controls and other activities that are mitigating the high inherent risks is automatically included in the engagement work program, either for in-depth inspection to determine their adequacy and effectiveness, or for suggestions to facilitate improvement. Low inherent risk areas could be eliminated entirely, to save the internal auditor’s time and reduce cost.

Fourth, the internal auditor should align the recommendations of each internal audit finding to the appropriate risk response as well as the residual risk level. These could be made in a timely manner by issuing an interim internal audit report. Recommendations could focus on lowering either the impact or the likelihood of a risk when additional procedures are needed to mitigate that risk. Internal auditing should keep track of management’s action plans to mitigate the risk as well as the impact on the organization and ensure that management is aware of it.

Risk-based auditing provides an independent, objective examination of the inherent risk of an organization, a facility or a process; it involves selecting subjects to assess by comparing measurable likelihood and impact metrics that represent risk. To clearly define risk-based auditing, the following is an example explaining site risks. Advantages of risk-based auditing include:

  • It allows for a lean audit group.
  • It increases the chance of exposing risks.
  • It provides management with a more current view of where the highest organizational risk resides. This allows leadership to better manage/resource based on risk.

Disadvantages to consider:

  • Audit site selection is more complex and time consuming.
  • A flawed site selection process may cause existing high risk to become less visible.
  • Budgeting is more difficult and less predictable due to a less-rigid schedule (especially when planning international audits).

Understanding Facility Risk Ranking Factors

To conduct a risk-based audit, a company must carefully identify and score the factors that will identify risk and guide what, where and when to audit. These factors can be divided into likelihood (input or leading) factors that represent inherent risk, and impact (output or trailing) factors that measure events experienced by a site as a result of its inputs. The site selection process incorporates several likelihood and impact risk factors that can be macro in nature or company or site-specific.

Likelihood factors:

  • Employee population size (large employee populations are more difficult to manage)
  • Turnover in key site positions
  • Human-machine interface complexity (how and how often employees interface with the process/machinery creates varying levels of risk exposure)
  • Site environmental impact/complexity (e.g. air, industrial wastewater, soil, chemicals, waste streams and permits)

Impact factors:

  • OSHA recordable incident rate (rate at which the site experiences injuries)
  • Lost-time case rate (rate at which the site experiences injuries)
  • Nonconformities/citations (regulatory or internal noncompliance issues/citations that a site has experienced)

Evaluating Risk Levels

Once risk factors are identified, a company must select a methodology to compare its sites. Each defined risk factor must be quantitatively defined. Then, these factors are compared for each potential audit site, resulting in a stacked ranking of facilities in order of potential risk relative to each other. Risk weighing (or stacking) is not about defining good or bad; rather, it is about identifying which sites are more or less risky relative to each other.

Defining Pass-Through Gates

Next, management should consider pass-through gates that can affect where a facility falls on the targeted site list. Some factors will automatically move a site to the top or bottom of the list. For example, suppose a site had never received a corporate audit. Until an independent view is gained, its risk picture remains unclear, and an initial audit is needed to establish a risk baseline. Therefore, never having been audited would be a pass-through gate.

Additional Considerations & Final Audit Schedule

At this point, if sites to be audited were selected solely on the basis of risk value, audit results may create an incomplete view of risk. The numeric risk ranking process might not create a good cross-sectional view of risk across various business groups or regions. By design, some processes contain more risk, and these sites could all reside within a single business group. Thus, care should be taken to ensure that each business unit and region of the world is represented in the year’s audit plan. This provides company leadership with a complete picture of risk.
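The site-selection procedure described in the sections above (factor scoring, stacked ranking, a pass-through gate and business-unit coverage), as an added example that is not part of the original essay. The factor weights, the 0 to 1 factor scales, the likelihood × impact product and all site data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed weights and 0..1 factor scales; the essay names the factors but gives no numbers.
LIKELIHOOD_W = {"headcount": 0.3, "turnover": 0.3, "hmi": 0.2, "environmental": 0.2}
IMPACT_W = {"recordable_rate": 0.4, "lost_time_rate": 0.4, "citations": 0.2}

@dataclass
class Site:
    name: str
    unit: str           # business group or region
    ever_audited: bool  # input to the pass-through gate
    likelihood: dict
    impact: dict

def weighted(values, weights):
    return sum(w * values[k] for k, w in weights.items())

def score(site):
    """Relative risk = weighted likelihood x weighted impact (assumed combination)."""
    return round(weighted(site.likelihood, LIKELIHOOD_W) * weighted(site.impact, IMPACT_W), 4)

def rank(sites):
    """Stacked ranking: never-audited sites pass straight to the top, then by score."""
    return sorted(sites, key=lambda s: (s.ever_audited, -score(s)))

def plan(sites, slots):
    """Take the top `slots` sites, then swap in the top site of any unrepresented unit."""
    ranked = rank(sites)
    chosen = ranked[:slots]
    for unit in sorted({s.unit for s in sites} - {s.unit for s in chosen}):
        best = next(s for s in ranked if s.unit == unit)
        for victim in reversed(chosen):  # try the lowest-ranked pick first
            if sum(c.unit == victim.unit for c in chosen) > 1:  # unit stays represented
                chosen[chosen.index(victim)] = best
                break
    return [s.name for s in sorted(chosen, key=ranked.index)]

def site(name, unit, audited, lik, imp):
    return Site(name, unit, audited, dict(zip(LIKELIHOOD_W, lik)), dict(zip(IMPACT_W, imp)))

# Constructed sample data, not from the essay.
SITES = [
    site("Plant-A", "Chemicals", True, (0.9, 0.5, 0.8, 0.9), (0.7, 0.6, 0.5)),
    site("Plant-B", "Chemicals", True, (0.6, 0.4, 0.7, 0.8), (0.5, 0.5, 0.5)),
    site("Depot-C", "Logistics", True, (0.3, 0.2, 0.3, 0.1), (0.2, 0.1, 0.0)),
    site("Lab-D", "R&D", False, (0.1, 0.1, 0.4, 0.5), (0.1, 0.0, 0.0)),
    site("Plant-E", "Chemicals", True, (0.5, 0.5, 0.5, 0.5), (0.4, 0.4, 0.4)),
]

if __name__ == "__main__":
    print([(s.name, score(s)) for s in rank(SITES)])
    print(plan(SITES, 3))
```

With three audit slots, the never-audited Lab-D leads the plan despite the lowest score, and Depot-C displaces Plant-B so that Logistics is represented.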

Exposing Site Risk

Management must then determine what type of audit to conduct at each targeted site. Selection factors include desired outcome, site location, safety systems in place and current outcomes. Audits are often some combination of the following:

  • Compliance audits (aim to meet regulatory requirements)
  • Implementation assessments (aim to meet corporate standards)
  • Effectiveness assessments (aim to assess risk and risk control process, whether identified in regulations, corporate standards or neither. Are they known and effectively managed?)
  • Process audit (assess a specific safety-related process or control at a group of facilities).
  • Facility self-assessments (risk identified and control maintained, or risk brought back under control, through accurate self-assessment, which leads to sustainable, measurable controls)

The results of the audits and assessments conducted over time align with and can serve as input back into the risk ranking process.

  1. Measuring the change desired
  2. Define the organization’s auditing universe
  3. Define meaningful input and output risk factors.
  4. Create and document a scoring (risk stacking) methodology
  5. Collect, score and analyze data
  6. Rank sites based on potential risk
  7. Define and consider meaningful pass-through gates.
  8. Consider additional strategies to provide various leadership groups with a view of risk
  9. Create a final audit plan
  10. Define measurement for selected sites. Design audits to create the change desired at each facility.
  11. Leverage the resulting audit data.

A risk-based audit approach allows companies to understand current risks and assess the effectiveness of current controls at sites that present the most risk. A risk-based approach allows management to best target its resources and achieve the greatest reduction in risk.

Cite this Essay

Evaluation of a Risk-Based Internal Auditing and Control. (2021, February 10). WritingBros. Retrieved April 24, 2024, from https://writingbros.com/essay-examples/evaluation-of-a-risk-based-internal-auditing-and-control/