Risk is the potential for loss to an enterprise due to error, fraud, inefficiency, failure to comply with statutory requirements, or actions which bring disrepute to the entity. Risk is a synonym for all the adverse outcomes that the organization wishes to avoid. Risk is a function of the probability that such consequences will occur, their magnitude, and their imminence.
Risk assessment is a process of estimating a riskiness coefficient or score to be associated with each auditable unit within the organization. Risk assessment is typically undertaken to focus attention on significant audit areas, to allocate scarce audit resources to the most important audit areas, and to help with key audit prioritizing decisions such as audit frequency, intensity and timing.
Section 520.04 of the Standards for the Professional Practice of Internal Auditing suggests that criteria used for setting audit priorities should include:
These standards point out clearly that the riskiness of a specific auditable unit is only one of the key factors to be considered in establishing an audit coverage plan and schedule. A risk coefficient alone is not a sufficient basis for making appropriate audit planning decisions. It is also necessary to bring the cost of carrying out an audit into the picture; i.e., the riskiness coefficient of an audit unit must be "deflated" by the cost of eliminating, reducing, or maintaining that level of risk.
A fundamental flaw in many risk assessment methods used in practice is their failure to take into account the fact that auditing is a costly activity and to systematically factor this consideration into the development of a long range audit coverage plan.

Since relating costs and benefits is a fundamental principle of rational decision making, internal audit departments should focus not only on the riskiness of an auditable unit, but also on the cost of reducing risk through auditing.
One way of applying this cost/benefit approach is to simply calculate the ratio of the riskiness coefficient of a given auditable unit divided by the cost of auditing that auditable unit, yielding a measure of the benefits (in terms of risk reduction) to be derived from investing audit resources in a given activity (in terms of incurring the cost of the audit). The units assigned the highest audit frequency would be those with the highest "payoffs" as measured by their risk to cost ratios.
A more sophisticated method is used by the auditMASTERPLAN® system; the following formula approximates the approach used by auditMASTERPLAN® to calculate the optimal inter-audit interval:
Optimal Inter-Audit Interval =

where b is an audit unit's riskiness coefficient, M is the audit unit's maximum loss potential, and C is the average cost per audit. In this formulation, the smaller the inter-audit interval, the higher the audit priority.
Audit Frequency = Plan Horizon/Optimal Inter-Audit Interval
In Figure 1 the vertical axis represents cost, expressed in financial terms. The horizontal axis is audit frequency, represented by the number of audits carried out over the period of time that is the planning horizon. As the audit frequency increases (moves to the right), the curve representing the total expected losses decreases. That is, the more frequently an auditor audits a unit, the less opportunity there will be for the expected losses to accumulate and, therefore, total losses will be lower. However, at the same time, the more frequently an auditor audits a given auditable unit, the more audit costs are incurred.
The total relevant cost is the sum of the audit cost and the cost attributable to the losses due to fraud, waste, error, and so forth incurred in the absence of auditing. It is in the best interests of the organization as a whole to minimize its total costs (i.e., the costs of auditing plus the costs of not auditing). The minimum point on the total relevant cost curve identifies the frequency which balances the cost of auditing a given unit so many times during its planning horizon against the cost of not auditing that audit unit, and incurring the expected losses instead. Since risk is a measure only of the cost of not auditing, it is not sufficient to merely look at risk ratings as the basis for developing audit coverage plans.
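The cost curve described above can be computed directly once a loss model is assumed. The example below is added here as an illustration; it is not the auditMASTERPLAN® formula and not code from the original article. It assumes one specific loss model (undetected loss accumulates linearly at rate b·M per year and is stopped at the next audit, so a gap of length T costs b·M·T²/2), uses the article's symbols b, M and C, and the unit names and figures are constructed. Under that assumption the total relevant cost is n·C + b·M·H²/(2n) for n evenly spaced audits over a horizon of H years, which has a closed-form minimum; the grid search shows the integer frequency and makes the point of the section: a riskier unit can rationally receive fewer audits when it is costlier to audit.

```python
"""Total relevant cost of auditing a unit as a function of audit frequency.

Added illustration; the loss model is an assumption, not the article's formula.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditUnit:
    name: str
    b: float  # riskiness coefficient (assumed to scale the expected loss rate)
    M: float  # maximum loss potential, in currency units
    C: float  # average cost per audit, in currency units


def expected_losses(unit, n_audits, horizon):
    """Assumed loss model: undetected loss grows at rate b*M per year and is
    stopped at the next audit, so an inter-audit gap of length T costs
    b*M*T^2/2.  With n evenly spaced audits over H years, T = H/n."""
    if n_audits < 1:
        raise ValueError("at least one audit is needed to bound the losses")
    gap = horizon / n_audits
    return n_audits * unit.b * unit.M * gap * gap / 2


def total_relevant_cost(unit, n_audits, horizon):
    """Cost of auditing plus cost of not auditing (Figure 1's total curve)."""
    return n_audits * unit.C + expected_losses(unit, n_audits, horizon)


def optimal_frequency(unit, horizon, n_max=52):
    """Grid search over integer frequencies 1..n_max; returns (n, total cost)."""
    best = min(range(1, n_max + 1),
               key=lambda n: total_relevant_cost(unit, n, horizon))
    return best, total_relevant_cost(unit, best, horizon)


def continuous_optimum(unit, horizon):
    """Closed form under the assumed model: minimising n*C + b*M*H^2/(2n)
    gives n* = H*sqrt(b*M/(2C)), i.e. an interval T* = sqrt(2C/(b*M))."""
    return horizon * math.sqrt(unit.b * unit.M / (2 * unit.C))


# Constructed units: B is riskier than A but three times as costly to audit.
UNITS = [
    AuditUnit("A", b=0.2, M=500_000, C=20_000),
    AuditUnit("B", b=0.3, M=500_000, C=60_000),
]

if __name__ == "__main__":
    horizon_years = 5
    for unit in UNITS:
        n, cost = optimal_frequency(unit, horizon_years)
        print(f"unit {unit.name}: b={unit.b} C={unit.C:,.0f} -> "
              f"{n} audits in {horizon_years} years "
              f"(continuous optimum {continuous_optimum(unit, horizon_years):.2f}), "
              f"total relevant cost {cost:,.0f}")
```

Ranking by b alone would put B first; ranking by the cost-aware frequency gives A eight audits and B six over the five-year horizon, because each audit of B buys less loss reduction per unit of cost.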
There are two fundamental ways of establishing risk scores: non-systematic and systematic.
Systematic approaches involve systematic decomposition of risk into individual factors which are assessed individually, then combined into an overall score reflecting an audit unit's riskiness. The process requires identification of key areas of risk (i.e., termed risk factors) important to management, grouping risk factors into categories based on similar characteristics, and assigning weights to the risk factors indicating their relative importance in a model for setting audit scope (frequency, intensity and timing).
Clearly, the second approach is more onerous than the first. Why choose it? Well, research conducted into the reliability of subjective global judgments in a variety of fields shows that global judgments such as those required by the non-systematic approach are prone to significant errors. The general consensus of this research is that professionals should refrain from trying to make global intuitive judgments such as, "The riskiness of audit unit A is ..." Instead, they should apply their judgment to:
1) decompose complex global judgments into component factors,
2) assess these specific areas of risk and concern, and
3) leave the combining process to mathematical models, since it has been found that computational models and algorithms consistently outperform even seasoned professionals.
Virtually all of the important literature that deals with planning emphasizes that the formal process whereby individuals engage in a systematic consideration of important factors makes a key contribution to the quality of subsequent decisions.
The use of a formal/quantitative approach to risk assessment does not eliminate the need for the exercise of judgment. On the contrary, it highlights some of the important judgments that are required:
In summary, there need not be a conflict between the application of professional judgment and intuition and reliance on formal or systematic approaches to risk analysis. Indeed the best approaches to problem solving strive to combine elements of intuition and systematization in such a way as to take advantage of the best features of humans and computational models. The auditor applies expertise in identifying critical risk factors and using them to record key observations about issues such as internal control. A system can be used to combine these ratings consistently since that is something that a system can do best and an auditor cannot do as well.
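The systematic decomposition described above (identify risk factors, group them into categories, weight them, rate each factor, and leave the combination to a model) and the risk-to-cost ratio proposed earlier for setting audit priority are shown together in the following example. It is an added illustration, not code or factor definitions from the article: the four factors, their categories and weights, the 1..5 rating scale, and the three auditable units with their ratings and audit costs are all constructed. The combination rule is a weighted average of each rating's position on the scale, which yields a coefficient in [0, 1]; the checks on weight totals and rating ranges are the kind of validation a model should enforce so that a data-entry slip does not silently distort the ranking.

```python
"""Weighted risk-factor scoring and risk-to-cost ranking (added illustration)."""
from dataclasses import dataclass

# Hypothetical risk factors: name -> (category, weight).  Weights express the
# relative importance of each factor and must sum to 1.
FACTORS = {
    "control_adequacy":      ("control environment", 0.4),
    "transaction_volume":    ("materiality",         0.3),
    "regulatory_exposure":   ("compliance",          0.2),
    "time_since_last_audit": ("coverage",            0.1),
}
RATING_MIN, RATING_MAX = 1, 5  # the auditor rates each factor on a 1..5 scale


@dataclass(frozen=True)
class Unit:
    name: str
    ratings: dict       # factor name -> auditor's rating
    audit_cost: float   # cost of one audit of this unit, currency units


def validate_factors(factors=FACTORS):
    """Refuse a factor model whose weights do not sum to 1."""
    total = sum(weight for _, weight in factors.values())
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"factor weights sum to {total}, expected 1.0")


def risk_coefficient(ratings, factors=FACTORS):
    """Combine per-factor ratings into one coefficient b in [0, 1] as the
    weighted average of each rating's position on the scale."""
    validate_factors(factors)
    if set(ratings) != set(factors):
        raise ValueError("every factor must be rated exactly once")
    span = RATING_MAX - RATING_MIN
    b = 0.0
    for factor, (_, weight) in factors.items():
        r = ratings[factor]
        if not RATING_MIN <= r <= RATING_MAX:
            raise ValueError(f"{factor}: rating {r} outside {RATING_MIN}..{RATING_MAX}")
        b += weight * (r - RATING_MIN) / span
    return b


def rank_by_risk(units):
    """Priority by riskiness alone (highest b first)."""
    return [u.name for u in sorted(units, key=lambda u: -risk_coefficient(u.ratings))]


def rank_by_payoff(units):
    """Priority by risk-to-cost ratio: risk reduction bought per unit of audit cost."""
    return [u.name for u in
            sorted(units, key=lambda u: -risk_coefficient(u.ratings) / u.audit_cost)]


# Constructed units and ratings.
UNITS = [
    Unit("payroll", {"control_adequacy": 5, "transaction_volume": 4,
                     "regulatory_exposure": 3, "time_since_last_audit": 2},
         audit_cost=40_000),
    Unit("petty_cash", {"control_adequacy": 3, "transaction_volume": 2,
                        "regulatory_exposure": 1, "time_since_last_audit": 5},
         audit_cost=5_000),
    Unit("treasury", {"control_adequacy": 4, "transaction_volume": 5,
                      "regulatory_exposure": 5, "time_since_last_audit": 3},
         audit_cost=100_000),
]

if __name__ == "__main__":
    for u in UNITS:
        b = risk_coefficient(u.ratings)
        print(f"{u.name:10s} b={b:.3f}  cost={u.audit_cost:>8,.0f}  b/cost={b / u.audit_cost:.2e}")
    print("by risk:  ", rank_by_risk(UNITS))
    print("by payoff:", rank_by_payoff(UNITS))
```

With these constructed figures treasury is the riskiest unit (b = 0.85) but the cheapest-to-audit petty cash unit ranks first by payoff, which is exactly the reversal the cost/benefit discussion warns about when risk ratings are used on their own.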
In many organizations, it is assumed that all units will be audited at least so often during a planning horizon that typically covers 3 to 5 years. The issue is, "How often within this planning horizon should each auditable unit be audited?" The general opinion is that riskier audit units should be audited more frequently, although the actual audit frequency can be set in various ways.
A fixed frequency policy is based on the implicit assumption that there are natural frequencies associated with audit units. The problem then becomes finding the "right" fixed frequency for each unit. This approach is followed by many internal audit departments, although frequencies may be adjusted periodically. It may be argued, however, that if auditees "learn" the fixed frequency, they may be motivated to perform at peak levels only at or near the audit dates. In addition, to the extent that the frequencies are imperfect, some auditable units would be consistently overaudited, while others would be consistently underaudited.
Under a conditional audit frequency approach all auditable units are monitored continuously or at specified intervals for signs of abnormal activity. Two approaches to conducting such monitoring activities are analytical review and periodic risk assessment. Audits would be scheduled when units exhibited a deterioration along some key dimension. The reasoning is that when compliance with set policies and procedures or sound management practices deteriorates, this adversely affects the unit's activity. Abnormal activity may be an indicator of control failures, etc., and vice versa. Thus, by monitoring various relevant economic indicators, the internal auditor might be alerted to problems such as non-compliance with control procedures. Conversely, by monitoring risk factors such as adequacy of controls, the internal auditor might be alerted to impending deterioration of economic activity. A variety of indicators can be used individually or in combination with other factors.
Riskier units should be audited more intensely; however, audit intensity may be a complex function of time, samples sizes, seniority, skill, etc. There is no known simple or unique relationship between the riskiness of an audit unit and these intensity factors, since in some cases one factor can substitute for another, while in other instances it might not.
No audit department has the resources to audit all of its auditable units simultaneously. Therefore, a third key audit decision is the timing of the audit. In the absence of other considerations, the riskier audit unit should be audited sooner than the less risky audit units. Unfortunately, direct application of such simple logic is rarely possible, since a variety of constraints intervene, such as limited availability of the appropriate audit personnel at a given point in time, personnel development considerations, management requests, auditee considerations, etc.
There are three main alternatives for scheduling audits: fixed, random or conditional timing.
A fixed timing policy is based on the assumption that there are fixed times best suited to the conduct of specific audits. As mentioned earlier, if auditees know the timing of audits, they may "dress up" for the occasion, giving an inaccurate impression of their effectiveness, efficiency, etc.
Under a random timing policy the frequency and timing of audits is unpredictable. Since auditees cannot guess when they will be audited, it is argued that they would be motivated to maintain their controls and procedures at reasonable levels. Surprise audits are examples of the use of this policy. If surprise audits are used to motivate compliance or deter non-compliance, randomization becomes an important technique for scheduling audits.
Under a conditional audit approach audits are scheduled when units exhibit a deterioration of controls or performance along some key dimension. In addition, other scheduling criteria could be used such as availability of human resources, personnel development criteria, the need to balance effort over a time horizon, etc.
4. Internal Audit Department Size and Capability
As mentioned earlier, no internal audit department is of a sufficient size to carry out all the necessary audits simultaneously, or even within the time span of one fiscal year. A fundamental principle of internal audit administration is that the internal audit department be of a sufficient size and capability to address the areas of concern to management, with an adequate frequency, over a reasonable time horizon of 3-5 years. If risk factors reflect management concerns, then they can be used as a basis for establishing the department size required to address the most important audit units (i.e., those with the highest risks or those with the highest [risk/audit cost] payoffs).
A systematic approach to risk analysis consistent with the Professional Standards of the Institute of Internal Auditors entails a number of specific steps and techniques:
These steps are discussed in more detail next, with illustrations from practice.
by
School of Accountancy, University of Waterloo, Waterloo, Canada N2L 3G1
© Copyright 1992, 1993 All Rights Reserved