First Reference Talks

Discussions on Human Resources, Employment Law, Payroll and Internal Controls

You are here: Home / Finance and Accounting / When enterprise risk-based audit plans are not enough

By | 3 Minutes Read

When enterprise risk-based audit plans are not enough

risk-based audit

I am a huge believer, as are most leading internal audit practitioners (IMHO and I hope the IIA’s Standards Board will come around), in enterprise risk-based auditing.

That means that the audit plan is designed to provide assurance, advice, and insight on the more significant sources of risk to the organization and the achievement of its objectives.

It means that the audit plan is carefully scrubbed and cleansed of audits of lower-level risks (such as risks to auditable entities), because that time is needed to focus on more important areas. Similarly, the scope of planned audits is scrubbed of areas of low risk to focus on the high risk areas.

But, as the title of this blog says, taking a risk-based approach is not quite enough.

There are two reasons:

  1. Even audits of seriously important sources of risk can sometimes deliver little value.
  2. Areas with known problems may merit our attention, even if a purist would not say there was a “risk”.

Taking each of those in turn.

When I was CAE of Solectron Corporation, a major problem (a major contributor to its eventual demise) was that it had too many manufacturing and assembly plants around the world.

Over the years, it had grown through acquisition and while it had a few large plants (in Suzhou, China; Penang, Malaysia; Charlotte, North Carolina; and Milpitas, California) it also had a great many small ones.

On average, the plants were operating at about 40% of their capacity. As a result, they were marginally profitable at best.

The company needed to rationalize, even though that would be a very painful operation.

I considered auditing whether the company was managing the capacity of its worldwide manufacturing operations effectively, including whether it was taking the appropriate steps to rationalize.

But when I talked about this with senior management, I found that they had already established a task force to address that exact issue.

I met with the members of the task force, and it was clear that these were senior individuals with experience, expertise, and the courage to make the right recommendations.

There was little value in duplicating their efforts with an audit.

So, I monitored their work and attended some of their meetings. But even though this rated as a high risk, I didn’t include a related project in the audit plan.

In hindsight, I missed the real risk – that the CEO and his team wouldn’t have the courage to accept the recommendations. But even in hindsight, that is not something for internal audit to audit.

When I discussed my audit approach with the audit committee and others, I described it as ‘risk and value auditing’.

The second point is that risk management purists might say that if something is pretty certain to happen, it’s not a “risk”.

I think that is semantics.

Solectron’s capacity utilization problem was something that, in different circumstances, would merit internal audit attention.

Many of the audits my team has performed over the years have focused on known problems. Unless action was taken, they would continue to limit enterprise performance and the achievement of its objectives.

Examples include:

  • The audit of a Maxtor manufacturing facility where the scrap rate appeared high. It focused on the procurement of quality materials, inspection of receipts, quality assurance, and other processes that could have been contributing.
  • An audit of the global sales contracting process; it was known to be fragmented and the company was failing to leverage its total relationship with major customers. We recommended changes that were embraced by the global Executive Vice President, Sales.
  • The audit of a high-cost manufacturing plant, looking for cost-saving opportunities.
  • The operational audit of a capital expenditure approval process (I talked about it in a recent video).
  • An audit of the legal review of sales contracts in the UK. The known problem was that the attorneys were spending too much time on the reviews, limited their ability to provide legal advice to management.

Each of these was an audit that delivered valuable assurance, advice, and (especially) insight to top management and the board.

I am not a purist, and I included these areas of risk where an audit could add value in my enterprise risk and audit approach.

Do you do the same?

I welcome your thoughts.

Latest posts by Norman D. Marks, CPA, CRMA (see all)
The Essential HR Policy Guide Banner

Get the Latest Posts in your Inbox for Free!

About Norman D. Marks, CPA, CRMA

Norman has led large and small internal audit departments, been the Chief Risk Officer and Chief Compliance Officer, and managed IT security and governance functions.

He retired in early 2013. However, he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.

Leave a Reply

Your email address will not be published. Required fields are marked *

About us

Established in 1995, First Reference is the leading publisher of up to date, practical and authoritative HR compliance and policy databases that are essential to ensure organizations meet their due diligence and duty of care requirements.

Main Menu

Stay Connected