The Risk Assessment (RA) exercise is quite tough, since it requires management’s point of view on the risk assessment exercise, the existing controls and the management action plan. The RA is meant to provide information on business plans, KPIs, the organisation chart, processes and activities, policies and procedures (P&P), financial information and so on. But the most important input is the business objectives of each management entity in the organisation.
Based on the business objectives, what are the main risks that prevent the achievement of those objectives? What controls have been established to control, mitigate, manage and transfer the risks? These controls are very important elements in determining the rating of each risk, whether high, moderate or low. Some risks are beyond management’s control; these risks are called ‘inherent’ risks.
The controls set by management should be documented, verified and tested to ensure their adequacy and effectiveness. That is why it is important that Audit plays a consulting role, giving direction and guidance on risk management activities. These controls show the level of assurance committed by management to ensure that the company’s objectives are achieved. Then, what is Audit’s next course of action: audit the process or audit the control? As an Auditor, you can figure out the answer…
The RA exercise is Audit’s responsibility if the company does not have a Risk Management Unit. Either way, the RA should be done diligently, comprehensively and completely, because the information gathered will assist Audit in annual planning and in prioritising auditable areas. Failing that, the audit plan will fail to give assurance to the Board that Audit has covered the auditable areas coloured Red (High Risk).
My next question is: do we need to do a lot of sampling in the audit work? I leave you to decide. What is the difference between 10% of 1,000 and 50% of 1,000? The answer is the values derived from the computation, i.e. 10% equals 100 and 50% equals 500. Covering 10% will consume 10 days of your audit fieldwork, but covering 100% will consume 100 days. But suppose the existing controls meant to mitigate the risks in that 10% or 50% are found to be ineffective. Which is the main issue: that the control is ineffective, or the 10% or 50% impact due to the ineffective control?
The main audit issue is to highlight the ineffective controls and let management understand that the existing controls need further improvement. If not, the values (10% or 50%) will be the impact of the deficiency. If you cover 10% of 1,000 and you find half of that 10% is not working properly, stop everything you are doing and apply the Pareto Method: your coverage is already enough to support your audit finding to management. If you want to show the 100% impact instead, this will consume extra energy, time and effort, and you will need another 50 days to complete the audit work. Again, if the Auditor feels it is their responsibility to give absolute assurance by covering 100% testing, the Auditor will end up spending 50 unnecessary days to complete the audit work. At the end of the day, the Board is only asking you: what is the main issue? Control deficiency, lack of monitoring, no supervision, breach of procedures or other related reasons for ineffective controls. Please try to be a smart auditor.
One of the most approachable audit techniques is data mining (DM). DM assists Audit in many ways, i.e. providing sampling data, testing data, highlighting ‘red flags’ or exceptional items and many more. This will be the most ‘value-added’ audit approach. Audit should utilise DM for continuous improvement in Audit and in the organisation. DM can contribute to improving the effectiveness and efficiency of the day-to-day operations of both Audit and the organisation.
This is known as the future audit process, or automated audit, where Audit is jointly involved with management in using the DM process. The DM process will give ‘red flag’ signs of deficiencies in processes, fraudulent activities, breaches of procedures and other exceptional events, as required by Audit and management. By doing so, part of Audit’s role in giving assurance to the Board is well managed and executed. The controls established by management via DM are an ‘ongoing’ monitoring tool to detect any deficiency and so on. (Please refer to the COSO Control Framework, under Monitoring.)
Why should Audit waste a lot of time and effort doing assurance (compliance) audits when some of that assurance work can be ‘outsourced’ to management through DM? What Audit needs to do is initiate the DM process with the full support of management, and do the acid test to convince the Board that the project is worth doing and adds value to management. Hit a big-bang issue by presenting exceptional events from the DM process, and persuade management that they should hold responsibility for continuously monitoring deficiencies in processes, activities and transactions.
On the other hand, DM is only useful if the company’s database is tip-top and 100% reliable. If not, all testing through the DM process will be useless. By freeing up more time, Audit can concentrate on other critical auditable areas such as product/service development, project management, corporate governance, strategic business arrangements, budget and execution, business planning, strategic alliances, etc.
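To make the ‘red flag’ idea from the DM discussion concrete, here is an added example (not code from the original post) of an exception-based monitoring run over a payment ledger. The ledger, the field names, the approval limits per approver role and the three rules (breach of approval limit, duplicate invoice, unreliable record) are all assumptions constructed for the illustration. Records that fail the data-quality check are reported on their own and kept out of the other rules, which is the point made above that DM results are only as good as the underlying data.

```python
"""Exception-based continuous monitoring over a payment ledger.

Added illustration, not code from the original post. Everything below
(field names, sample records, approval limits, rule choices) is assumed.
"""
from collections import Counter
from datetime import datetime

# Constructed sample ledger; ids, invoice numbers and amounts are invented.
LEDGER = [
    {"id": "P001", "invoice": "INV-100", "amount": 4_800.00,  "approver": "clerk",   "posted": "2024-03-04"},
    {"id": "P002", "invoice": "INV-101", "amount": 12_500.00, "approver": "clerk",   "posted": "2024-03-05"},
    {"id": "P003", "invoice": "INV-102", "amount": 9_900.00,  "approver": "manager", "posted": "2024-03-05"},
    {"id": "P004", "invoice": "INV-101", "amount": 12_500.00, "approver": "manager", "posted": "2024-03-06"},
    {"id": "P005", "invoice": "",        "amount": 300.00,    "approver": "clerk",   "posted": "2024-03-07"},
    {"id": "P006", "invoice": "INV-103", "amount": 2_000.00,  "approver": "clerk",   "posted": "not-a-date"},
]

# Assumed policy: the maximum amount each approver role may sign off.
APPROVAL_LIMITS = {"clerk": 5_000.00, "manager": 50_000.00}


def _is_clean(rec, limits):
    """Data-quality gate: a record the mining rules can rely on."""
    if not rec.get("invoice"):
        return False
    if rec.get("approver") not in limits:
        return False
    try:
        datetime.strptime(rec["posted"], "%Y-%m-%d")
    except (ValueError, TypeError, KeyError):
        return False
    return isinstance(rec.get("amount"), (int, float)) and rec["amount"] >= 0


def data_quality_exceptions(ledger, limits):
    """Records too unreliable to test; reported separately, never silently dropped."""
    return [r["id"] for r in ledger if not _is_clean(r, limits)]


def procedure_breaches(ledger, limits):
    """Breach of procedure: amount above the approver role's limit."""
    return [r["id"] for r in ledger
            if _is_clean(r, limits) and r["amount"] > limits[r["approver"]]]


def duplicate_payments(ledger, limits):
    """Possible double payment: same invoice number and amount posted more than once."""
    clean = [r for r in ledger if _is_clean(r, limits)]
    counts = Counter((r["invoice"], r["amount"]) for r in clean)
    return [r["id"] for r in clean if counts[(r["invoice"], r["amount"])] > 1]


def run_monitoring(ledger, limits):
    """Run every rule over the whole population and return the exception lists."""
    return {
        "data_quality": data_quality_exceptions(ledger, limits),
        "procedure_breach": procedure_breaches(ledger, limits),
        "duplicate_invoice": duplicate_payments(ledger, limits),
    }


if __name__ == "__main__":
    for rule, ids in run_monitoring(LEDGER, APPROVAL_LIMITS).items():
        print(f"{rule}: {', '.join(ids) or 'none'}")
```

Because the rules run over the full population rather than a sample, the output is a short list of exceptions for management to own and follow up, which is the hand-over of routine compliance testing to management that the post describes; Audit then spends its fieldwork days on the control weakness behind the exceptions rather than on re-testing the population.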
Audit should be advised not to take 100% sampling just to find fault with management deficiencies, because it will portray a bad image of Audit and create a hostile relationship with management. Audit should realise that it is part of the organisation and under the ambit of the same organisation, except that Audit operates independently. Audit’s role is to give ‘reasonable assurance’ to the Board, based on the new definition of internal audit by the Institute of Internal Auditors. Remember, in the coming year Audit will do the RA exercise again with management; a wrong footing will give a bad first impression to management, and this definitely will not help Audit to progress effectively in the organisation.