There are many ways of combining judgments, including the mean, median, geometric mean, similar measures adjusted for outliers, and other weighted combinations.
Averages
Many of the calculations performed in risk assessment involve some form of averaging.
Weighted Arithmetic Average:

Weighted Geometric Average:

Modified Weighted Average:

The difference between these methods of averaging is most noticeable for low input values. For example, assuming M = N = 1, the arithmetic average of 1 and 9 is 5, whereas the geometric average is 3, and the modified weighted average is 1. In some cases, the geometric average produces results which are more "intuitively correct" than the arithmetic average. Similarly, the modified weighted average sometimes produces results that seem most intuitively appealing.
Weighted Averages
Values for M and N in the above averages enable you to weight input values to reflect their relative importance. The ratio of M to N controls how much each input value influences the result.
Re-expression
A drawback of averages is that they tend to clump in the middle of the possible range. This clumping becomes even more pronounced if the input data tends to clump as well. Re-expression is the process of redistributing data over a whole range of acceptable values. Keep in mind that when re-expression is used it is possible that the relative riskiness rankings of some units will change.
Don't: choose calculations which are susceptible to masking the meaning behind the risk ratings or whose implications you do not understand. Don't go for overly complex formulations, but don't settle on simplistic methods which defeat the purpose behind undertaking the risk assessment in the first place.
Do: choose calculations that will yield consistent and comparable scores. Experiment with weighted averages and re-expression.
Once Risk Scores are developed for all the audit units, they can be sorted into a list according to their order of importance. That list can be subdivided into audit frequency categories to balance the audit intensity and audit frequency so that available resources are not exceeded. Some units will be subjected to a comprehensive audit and others to only a partial audit.
Figure 9: Cyclical Audit Coverage Plan
| Planning Horizon | ||||||||
| Priority Category | Audit Phase | 1 | 2 | 3 | 4 | 5 | 6 | |
| X1 | Planning | X | X | X | X | X | X | |
| Annual | Review and Evaluation | X | X | X | X | X | X | |
| Full | Testing | X | X | X | X | X | X | |
| Reporting | X | X | X | X | X | X | ||
| X2 | Planning | X | X | X | X | X | X | |
| Annual | Review and Evaluation | X | X | X | ||||
| Partial | Testing | X | X | X | ||||
| Reporting | X | X | X | X | X | X | ||
| Y1 | Planning | X | X | X | ||||
| Biennial | Review and Evaluation | X | X | X | ||||
| Full | Testing | X | X | X | ||||
| Reporting | X | X | X | |||||
| Y2 | Planning | X | X | X | ||||
| Biennial | Review and Evaluation | X | X | |||||
| Partial | Testing | X | ||||||
| Reporting | X | X | X | |||||
| Z1 | Planning | X | X | |||||
| Triennial | Review and Evaluation | |||||||
| Full | Testing | X | X | |||||
| Reporting | X | X | ||||||
| Z2 | Planning | X | X | |||||
| Triennial | Review and Evaluation | X | ||||||
| Partial | Testing | X | ||||||
| Reporting | X | X | ||||||
Don't: choose fixed cyclic audit patterns assuming that all audits are the same.
Do: set up several audit intensity levels and use them to set audit cost and relate them to other features of audit units besides risk scores.
This section outlines the key elements which form part of the planning approach incorporated within auditMASTERPLAN®. This approach uses risk ratings, financial measures of loss potential and audit costs to calculate an optimal audit frequency given a planning horizon for the audit universe as a whole.
Figure 10 illustrates a hypothetical pattern in the growth of expected losses over time due to fraud, inefficiency, error, etc. for a given auditable unit or activity.
Figure 10: Pattern of Expected Losses over Time

Along the vertical axis are the expected losses (in financial terms per unit of time), and along the horizontal axis is time. Losses accrue in the absence of auditing. The dotted line across the top represents a conceptual maximum. If the losses reach that point, management will automatically call for an audit; for example, if a massive fraud or other loss were to occur within an auditable unit, then, regardless of where in the auditor's schedule a specific unit was, it would be immediately audited.
The curve represents the pattern of expected losses. The losses rise at a decreasing rate until they hit the maximum, at which point an audit is automatically called. The losses stop growing because the auditor is assumed to be effective at identifying and eliminating the cause of the losses that are occurring within an auditable unit due to fraud, inefficiency, or error. In fact, the rate of loss drops to zero for an instant. However, the auditor leaves, and the losses start growing again.
This model is valuable because it can yield a workable risk analysis approach based on theory. As Figure 10 illustrates, expected losses, in the absence of an audit, rise at some rate and that rate is represented by the steepness of the curve as pictured in Figure 11.
Figure 11: Various Loss Curves

If the curve is very steep, then this indicates that the unit is very risky and the losses accrue at a very high rate. If the curve is fairly shallow, this indicates that the unit is less risky and the losses due to fraud, waste, etc. accrue at a relatively modest rate.
Figure 12: Audit Frequency Patterns over a Planning Period

Figure 12 shows a pattern of audits taking place over the planning horizon. As the diagram indicates, if a shallower rate of losses was characteristic of a specific audit unit, then there would be fewer cycles over the planning horizon. In contrast, if the rate of expected losses was steeper, then there would be many more of these cycles within the planning horizon.
Figure 13: Audit Frequency Patterns (cont'd)

A question that sometimes arises from a consideration of these diagrams is, "Why does the auditor apparently not change, for the better, some fundamental risk characteristics of the audit unit permanently?" If he or she did, then the pattern would get progressively shallower as illustrated in Figure 13.
This diagram shows that each audit results in a shallower risk curve (e.g., stemming from worthwhile recommendations, etc.). In fact, this should be the case, otherwise it would be difficult to justify repeated auditing of the same unit.
One way of achieving approximately the same result is by updating the previous risk assessment for an audit unit at the conclusion of each audit, or more appropriately, upon completion of the follow-up visits. This revised assessment would be used to establish the appropriate timing of the subsequent audit. Upon its completion, an updated risk assessment would be used to establish the appropriate timing of the subsequent audit, and so on.
Don't: use fixed audit frequencies unrelated to management concerns, risk scores or audit costs. Don't make arbitrary timing choices.
Do: use a conditional audit frequency approach based on cost/benefit analysis. Given your audit frequency decisions, make sure that the timing of those audit activities makes sense; i.e., high risk items are front-loaded unless staff availability or other key factors intervene. Relate your audit intensity decisions to your risk assessments and audit frequency judgments. Update your risk rating and cost data upon completion of each audit.
Once there is a list of audit units ordered as to their importance, it is possible to use it to help establish the appropriate size of audit department commensurate with the level of risk/coverage deemed acceptable for the organization, as illustrated in Figure 14.
Opposite each auditable unit we can record an estimated number of hours that it takes to carry out that audit. We can then add through the list until we hit the number of hours represented by current staff size. For example, assuming a department size of six employees, we may find that we can carry out eight of the most important audits on the list.
The question then arises, "What would happen if we cut back on one authorized position?" We would now only be able to carry out the first four audits on the list. Similarly, if the audit risk scores indicated that the first 10 audits needed to be incorporated into the audit plan, then it would be clear that an additional auditor would be required.
Don't: use risk scores alone in your analysis; be sure to compare risk-based zero-base analyses with payoff-based analyses.
Do: use a zero base budgeting approach to show management and the audit committee the coverage implications of alternative staffing levels.
Figure 14: Zero-Base Budget
| Audit Units in Order of Time Required | Time | Increment 1 (5 Auditors; 7,500 hours) | Increment 2 (6 Auditors; 9,000 hours) | Increment 3 (7 Auditors; 10,500 hours) | Cumulative Time Requirements |
| Unit 8 | 100 | 100 | 100 | 100 | 100 |
| Unit 7 | 200 | 200 | 200 | 200 | 300 |
| Unit 6 | 200 | 200 | 200 | 200 | 500 |
| Unit 11 | 500 | 500 | 500 | 500 | 1000 |
| Unit 10 | 500 | 500 | 500 | 500 | 1500 |
| Unit 1 | 500 | 500 | 500 | 500 | 2000 |
| Unit 4 | 1000 | 1000 | 1000 | 1000 | 3000 |
| Unit 9 | 1000 | 1000 | 1000 | 1000 | 4000 |
| Unit 5 | 1500 | 1500 | 1500 | 1500 | 5500 |
|  |  | 5500 |  |  | 5500 |
| Unit 2 | 2500 |  | 2500 | 2500 | 8000 |
|  |  |  | 8000 |  | 8000 |
| Unit 3 | 2500 |  |  | 2500 | 10500 |
|  |  |  |  | 10500 |  |
| Audit Units in Order of Time "Priority" | AUPS | Increment 1 (5 Auditors; 7,500 hours) | Increment 2 (6 Auditors; 9,000 hours) | Increment 3 (7 Auditors; 10,500 hours) | Cumulative Time Requirements |
| Unit 1 | 11 | 500 | 500 | 500 | 500 |
| Unit 2 | 10 | 2500 | 2500 | 2500 | 3000 |
| Unit 3 | 9 | 2500 | 2500 | 2500 | 5500 |
| Unit 4 | 8 | 1000 | 1000 | 1000 | 6500 |
|  |  | 6500 |  |  | 6500 |
| Unit 5 | 7 |  | 1500 | 1500 | 8000 |
| Unit 6 | 6 |  | 200 | 200 | 8200 |
| Unit 7 | 5 |  | 200 | 200 | 8400 |
| Unit 8 | 4 |  | 100 | 100 | 8500 |
|  |  |  | 8500 |  | 8500 |
| Unit 9 | 3 |  |  | 1000 | 9500 |
| Unit 10 | 2 |  |  | 500 | 10000 |
| Unit 11 | 1 |  |  | 500 | 10500 |
|  |  |  |  | 10500 |  |
| Audit Units in Order of Time Required | Time | Increment 1 (5 Auditors; 7,500 hours) | Increment 2 (6 Auditors; 9,000 hours) | Increment 3 (7 Auditors; 10,500 hours) | Cumulative Time Requirements |
| Unit 8 | .0400 | 100 | 100 | 100 | 100 |
| Unit 6 | .0300 | 200 | 200 | 200 | 300 |
| Unit 7 | .0250 | 200 | 200 | 200 | 500 |
| Unit 1 | .0220 | 500 | 500 | 500 | 1000 |
| Unit 4 | .0008 | 1000 | 1000 | 1000 | 2000 |
| Unit 5 | .0047 | 1500 | 1500 | 1500 | 3500 |
| Unit 2 | .0040 | 2500 | 2500 | 2500 | 6000 |
| Unit 10 | .0040 | 500 | 500 | 500 | 6500 |
|  |  | 6500 |  |  |  |
| Unit 3 | .0036 |  | 2500 | 2500 | 9000 |
|  |  |  | 9000 |  |  |
| Unit 9 | .0030 |  |  | 1000 | 10000 |
| Unit 11 | .0020 |  |  | 500 | 10500 |
|  |  |  |  | 10500 |  |
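The zero-base walk down the priority list in Figure 14, as an added example that is not part of the original text. It uses the hours and ordering of the priority (AUPS) table and assumes 1,500 audit hours per auditor, which is what the increment headings imply; the function names are illustrative.

```python
# Added example: zero-base budget walk over the Figure 14 priority ordering.
HOURS_PER_AUDITOR = 1500  # assumption implied by Figure 14: 5 auditors = 7,500 hours

# (unit, audit hours), already sorted by priority score (AUPS 11 down to 1),
# copied from the priority table in Figure 14.
BY_PRIORITY = [
    ("Unit 1", 500), ("Unit 2", 2500), ("Unit 3", 2500), ("Unit 4", 1000),
    ("Unit 5", 1500), ("Unit 6", 200), ("Unit 7", 200), ("Unit 8", 100),
    ("Unit 9", 1000), ("Unit 10", 500), ("Unit 11", 500),
]


def coverage(ordered_units, auditors):
    """Return (covered unit names, hours used, first unit cut off or None)."""
    capacity = auditors * HOURS_PER_AUDITOR
    covered, used = [], 0
    for name, hours in ordered_units:
        if used + hours > capacity:
            # Stop at the first unit that does not fit. Smaller units further
            # down are not pulled forward, so the ranking stays intact; this
            # matches the cut-off lines in Figure 14.
            return covered, used, name
        covered.append(name)
        used += hours
    return covered, used, None


def auditors_needed(ordered_units, top_n):
    """Smallest whole number of auditors that covers the first top_n units."""
    if not 0 <= top_n <= len(ordered_units):
        raise ValueError("top_n is outside the list")
    required = sum(hours for _, hours in ordered_units[:top_n])
    return -(-required // HOURS_PER_AUDITOR)  # ceiling division


def staffing_report(ordered_units, staffing_levels):
    """One row per staffing level: what is covered and what is dropped."""
    rows = []
    for auditors in staffing_levels:
        covered, used, cut = coverage(ordered_units, auditors)
        idle = auditors * HOURS_PER_AUDITOR - used
        rows.append({"auditors": auditors, "audits": len(covered),
                     "hours_used": used, "idle_hours": idle, "first_cut": cut})
    return rows


if __name__ == "__main__":
    for row in staffing_report(BY_PRIORITY, [5, 6, 7]):
        print(row)
```

The same functions accept the time-ordered or ratio-ordered lists from the other two tables, which makes the coverage difference between orderings directly comparable at each staffing level.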
External auditors are often called upon to review the activities of internal audit departments as part of their justification of their reliance on internal audit work in reducing the scope of their own work in some areas or as part of a special engagement on behalf of management or the board of directors. Long range planning activities and risk assessment methods are often an important focus of such reviews and also of related critical comments by external auditors.
Don't: Take shortcuts, fly by the seat of your pants, keep part of your legitimate audit universe outside the process, ignore management and auditee input, make casual, inconsistent or inappropriate judgments, override or short-circuit your formal risk assessment.
Do: Follow a systematic approach and document your decisions. Involve management in your risk assessment process. Show the relationship between your audit coverage decisions and your staff availability. Keep the external auditors involved. Educate them but be prepared to back up your approach.
by
School of Accountancy, University of Waterloo, Waterloo, Canada N2L 3G1
© Copyright 1992, 1993 All Rights Reserved