I am a huge believer, as are most leading internal audit practitioners (IMHO and I hope the IIA’s Standards Board will come around), in enterprise risk-based auditing.
That means that the audit plan is designed to provide assurance, advice, and insight on the more significant sources of risk to the organization and the achievement of its objectives.
It means that the audit plan is carefully scrubbed and cleansed of audits of lower-level risks (such as risks to auditable entities), because that time is needed to focus on more important areas. Similarly, the scope of planned audits is scrubbed of areas of low risk to focus on the high risk areas.
But, as the title of this blog says, taking a risk-based approach is not quite enough.
There are two reasons:
- Even audits of seriously important sources of risk can sometimes deliver little value.
- Areas with known problems may merit our attention, even if a purist would not say there was a “risk”.
Taking each of those in turn.
When I was CAE of Solectron Corporation, a major problem (a major contributor to its eventual demise) was that it had too many manufacturing and assembly plants around the world.
Over the years, it had grown through acquisition and while it had a few large plants (in Suzhou, China; Penang, Malaysia; Charlotte, North Carolina; and Milpitas, California) it also had a great many small ones.
On average, the plants were operating at about 40% of their capacity. As a result, they were marginally profitable at best.
The company needed to rationalize, even though that would be a very painful operation.
I considered auditing whether the company was managing the capacity of its worldwide manufacturing operations effectively, including whether it was taking the appropriate steps to rationalize.
But when I talked about this with senior management, I found that they had already established a task force to address that exact issue.
I met with the members of the task force, and it was clear that these were senior individuals with experience, expertise, and the courage to make the right recommendations.
There was little value in duplicating their efforts with an audit.
So, I monitored their work and attended some of their meetings. But even though this rated as a high risk, I didn’t include a related project in the audit plan.
In hindsight, I missed the real risk – that the CEO and his team wouldn’t have the courage to accept the recommendations. But even in hindsight, that is not something for internal audit to audit.
When I discussed my audit approach with the audit committee and others, I described it as ‘risk and value auditing’.
The second point is that risk management purists might say that if something is pretty certain to happen, it’s not a “risk”.
I think that is semantics.
Solectron’s capacity utilization problem was something that, in different circumstances, would merit internal audit attention.
Many of the audits my team has performed over the years have focused on known problems. Unless action was taken, they would continue to limit enterprise performance and the achievement of its objectives.
- The audit of a Maxtor manufacturing facility where the scrap rate appeared high. It focused on the procurement of quality materials, inspection of receipts, quality assurance, and other processes that could have been contributing.
- An audit of the global sales contracting process; it was known to be fragmented and the company was failing to leverage its total relationship with major customers. We recommended changes that were embraced by the global Executive Vice President, Sales.
- The audit of a high-cost manufacturing plant, looking for cost-saving opportunities.
- The operational audit of a capital expenditure approval process (I talked about it in a recent video).
- An audit of the legal review of sales contracts in the UK. The known problem was that the attorneys were spending too much time on the reviews, limited their ability to provide legal advice to management.
Each of these was an audit that delivered valuable assurance, advice, and (especially) insight to top management and the board.
I am not a purist, and I included these areas of risk where an audit could add value in my enterprise risk and audit approach.
Do you do the same?
I welcome your thoughts.