Audit Risk Management (Driving Audit Value, Vol. II) - The Best Practice Strategy Guide for Minimising the Audit Risks and Achieving the Internal Audit Strategies and Objectives
Ebook, 324 pages, 3 hours

About this ebook

Companies lose over $100 billion a year due to corporate scandals. Where were the internal auditors?

Think about the VW diesel emissions scandal, the Yahoo hacking scandal, the BP oil spill scandal or the Petrobras corruption scandal. When the 1st and 2nd Lines of Defence failed to prevent these scandals, could the 3rd Line of Defence have prevented them? The answer can be yes, if those Internal Audit Functions had managed their audit risks.

The Beumer Audit Risk Management Model© shows the strategic audit risk management framework for audit risk identification, measurement and mitigation. The model connects 60 audit risks, in 6 audit risk categories, to 30 audit objectives. Value risks, focus risks, execution risks, performance risks, reporting risks and compliance risks may keep the CAE from reaching the audit objectives. Depending on the audit risk appetite and prevention, the CAE can apply up to 66 audit risk mitigation measures for reducing the audit risks to an acceptable level.
Language: English
Publisher: Hans Beumer
Release date: Apr 18, 2017
ISBN: 9783906861173

Reviews for Audit Risk Management (Driving Audit Value, Vol. II) - The Best Practice Strategy Guide for Minimising the Audit Risks and Achieving the Internal Audit Strategies and Objectives

Rating: 5 out of 5 stars
5/5

1 rating, 1 review

  • Rating: 5 out of 5 stars
    5/5

    Feb 12, 2023

    Great Book! Recommended for C-Suite, CEOs, Internal Auditors and Accountants!!!

Book preview

Audit Risk Management (Driving Audit Value, Vol. II) - The Best Practice Strategy Guide for Minimising the Audit Risks and Achieving the Internal Audit Strategies and Objectives - Hans Beumer

PART I - AUDIT RISK MANAGEMENT

Figure 2 – PART I: Audit Risk Management

Where were the Auditors?

Major corporate scandals 2010-2016

VOLKSWAGEN EMISSIONS SCANDAL

September 2015 – The US Environmental Protection Agency caught VW cheating on diesel emissions tests to falsely pass the maximum allowed levels. Diesel models had software installed to fraudulently show that the cars were more environmentally friendly than they actually were. More than 11 million cars had to be refitted, regulatory fines amounted to more than $15 billion, and civil and criminal suits cost further billions. High-profile managers and the CEO were dismissed.

Possible audit risks:

Focus risk

Overlooking issues risk

Execution risk

FIFA CORRUPTION SCANDAL

May 2015 – The FBI indicted the FIFA organisation and officials with racketeering, fraud, corruption, and with paying millions of dollars in bribes to influence FIFA elections, locations for hosting the World Cup, sponsorship contracts, broadcasting rights, and more.

Possible audit risks:

Focus risk

Overlooking issues risk

Support risk

BP OIL SPILL SCANDAL

April 2010 – The Deepwater Horizon rig explosion caused the largest environmental disaster of the 21st Century. Oil and gas producer BP had the worst health, safety and environment practices, which caused damages and costs far exceeding $25 billion and destroyed more than $100 billion in shareholder value.

Possible audit risks:

Focus risk

Overlooking issues risk

Support risk

YAHOO HACKING SCANDAL OF 1 BILLION USER ACCOUNTS

December 2016 – Yahoo disclosed that a data breach exposed the private information of more than 1 billion user accounts. It related to a theft of names, email addresses, telephone numbers, birthdates, and unrecognisable passwords, as well as encrypted and non-encrypted security questions and answers.

Possible audit risks:

Focus risk

Overlooking issues risk

WELLS FARGO SCANDAL OF FAKE ACCOUNTS

September 2016 – Over the period 2011-2016, Retail Banking employees created 1.5 million phoney deposit accounts and issued 0.5 million fake credit cards, without the knowledge or permission of the related customers. Employees resorted to fraud in order to meet challenging growth quotas. The bank paid $185 million in fines and fired 5’300 employees.

Possible audit risks:

Focus risk

Overlooking issues risk

OLYMPUS ACCOUNTING AND BRIBERY SCANDAL

October 2011 - Olympus hid $1.7 billion in losses over a period of 13 years and admitted to paying kickbacks and foreign bribery.

The company paid more than $0.5 billion to settle criminal and civil investigations.

Possible audit risks:

Focus risk

Overlooking issues risk

Support risk

PETROBRAS CORRUPTION SCANDAL

March 2014 – Executives and key management of Brazil’s state-owned Oil & Gas Company were accused of bribery of officials as well as siphoning off money for their own use. In criminal investigations, more than 80 managers and politicians were charged with money laundering and bribery of more than $8 billion.

Possible audit risks:

Focus risk

Overlooking issues risk

Execution risk

LIBOR RIGGING SCANDAL

June 2012 – Criminal investigations into the manipulation of interest rates spread to 10 countries and involved more than 20 major banks. Total fines reached more than $10 billion.

Possible audit risks:

Focus risk

Overlooking issues risk

Execution risk

Where were the internal auditors?

These eight examples represent some of the major scandals, bribery, corruption, fraud, and non-compliance cases in the period 2010-2016. In each of these cases, you can rightfully ask "Where were the internal auditors?" The answers to this question are manifold:

Focus risk: the audit function did not have the topics in their audit universe, as other assurance providers covered these topics:

  • External audit: Olympus
  • Compliance and EHS departments: BP, VW
  • IT security: Yahoo

Focus/execution risk: the audit function did have the topics in their audit universe, but:

  • did not assess the risks correctly: VW, BP, Petrobras, Wells Fargo, Yahoo
  • did not understand the transactions: Libor, Olympus
  • did not have an appropriate focus: Petrobras, FIFA, BP, Yahoo
  • did not have the right auditor skills: could be all of them
  • had scope limitations or insufficient support: FIFA, Petrobras

Execution risk: the audit function did audit the related topics, but:

  • did not identify the issues: Libor, Wells Fargo, Yahoo
  • did not agree with management on effective risk mitigation: BP, Yahoo
  • did not follow-up on the risk reduction: BP, Yahoo
  • management hid the problems: Olympus, Petrobras

Support risk: the audit function did raise the relevant issues, but:

  • management did not support the audit function: FIFA
  • management did not implement risk mitigation: BP, Yahoo

We will never know the real reasons for these companies’ audit functions’ inability to successfully identify these issues and have management mitigate those risks. For the internal audit functions of these companies, it is already too late. Their effectiveness will probably have been seriously questioned, and this might have resulted in the dismissal of the CAE, downsizing or upsizing of the audit function, combined with a refocus of the audit function’s strategy and objectives. However, for your company’s audit function a similar scandal can be avoided. The strategic audit risk management model presented in this book comes to the rescue, and provides practical guidance for preventing and reducing such audit function risks.

Focus, focus, focus

When you analyse the audit risks of these eight cases, a clear trend can be identified. In all these scandals two audit risks stand out: the focus risk and the risk of overlooking significant issues. These two risks are predominantly present in the risk profile of each and every audit function, irrespective of the type of organisation, the industry, the size of the audit function or the geographic location. The focus risk can be present at the audit function level as well as the audit engagement level, whereas the risk of overlooking significant issues applies to the audit engagement level only. It is clear that mitigating the focus risk and the risk of overlooking significant issues are the major contributors to safeguarding the success of any audit function.

Support risk is the next dominant risk for the audit function. If management and the board do not (or only insufficiently) support the internal audit function, it will be difficult for the CAE to ensure the necessary execution of the annual audit plan and that the audit engagements focus on the value-added topics. Mitigating the support risk is, therefore, a strict requirement for achieving the customer value proposition of any audit function.

No risk, no reward

The primary objective of the audit function must be to add value. This means that the CAE must be value driven, as she aims to mitigate the business risks that may keep the company from reaching its objectives. Some CAEs’ first objective, however, is to limit the risks of the audit function. They are driven by their personal risk-aversion, by creating a comfort zone, and by not doing anything that may antagonise management or put them in the spotlight (low risk-appetite). However, the CAE needs to be willing to take some risks to achieve bigger audit results. Had the internal audit functions in the above examples taken some bigger risks in addressing the scandalous topics, perhaps they could have prevented these from occurring, or the issues could have been mitigated in a timely manner before being exposed. The CAE needs to understand her audit risks and manage them, to achieve big audit results.

The CAE can provide significant added value to the company, while at the same time reducing her audit risks. She can create a win-win (for the company and herself), but she needs to follow the guidance in this book to realise this. Her appetite for the added value of the internal audit function must lead the way, as the audit risks are a result of the selection of the audit engagements that add to that value. It should not be done the other way around, by letting her appetite for the audit risks determine which added value audits are going to be undertaken. The CAE must find the appropriate trade-off between the level of the audit risk and the potential for generating audit value.

Why manage audit risks?

To be able to add value to the organisation, the CAE must ensure that she does not have:

  • a lack of support from the process owners, local management, executive management and the board, as a result of which the board limits the approved resources and the audit products are not utilised.
  • a mismatch between the risk profile and the main business strategies and objectives of the company or subject matter, and the focus of the annual audit plan or the audit engagement.
  • a negative input – output ratio, if the costs of the audit function and the audit engagements are considered to be too high compared to the value generated.

To be able to add value to the organisation, the CAE must ensure that she does not issue:

  • an unqualified, satisfactory, audit opinion/report, without reporting any significant issues, whereas significant issues do exist in the audited subject matter.
  • a qualified, unsatisfactory, audit opinion/report, pointing out significant issues, whereas the issues are either not significant, or do not exist in the audited subject matter.
  • a full scope audit opinion/report on the audited subject matter, whereas she should not issue such an opinion/report based on significant limitations in the audit scope or the audit execution.

Understanding, identifying, measuring, and proactively managing the audit risks are necessary for ensuring the audit function’s and the CAE’s success in the company.

The next chapter introduces the Beumer Audit Risk Management Model©, creating a unique new framework for managing the audit risks and preventing your company’s name from being included in the "Where were the auditors?" listing.

Audit Risk Management

Beumer Audit Risk Management Model©

The Beumer Audit Risk Management Model© captures the quintessence of managing the audit risks in an innovative way. Through its holistic approach, the model can be used with any risk management standard, such as COSO-ERM or ISO 31000. Use the following guidance for the interpretation of the model:

The risk management flow captured in the top-left quadrant (with the light-grey colour background) shows the 1st and 2nd lines of defence (the risk management and control systems integrated in the management processes and, respectively, the separate functions that overlay them, such as risk management and compliance). The risk management process flows, from the company objectives, the board’s risk appetite and the 1st and 2nd lines of defence to the resulting company or subject matter risks, are not discussed in this book, as these relate to management’s risk management processes (as opposed to the audit function’s risk management processes).

The other three quadrants show the risk management of the 3rd line of defence itself: the audit function.

Similar to the company’s risk management process, the audit function’s risk management process starts with the audit function objectives, against which the risks need to be measured.

The CAE’s risk appetite determines the level of internal process risks that he is seeking to maintain in the pursuit of his audit function objectives. For the audit assurance on the company’s risks, however, the risk appetite of the board is decisive.

The audit function structure, organisation, processes and procedures act as the 3rd line of defence. The understanding and managing of the audit function’s inherent risks and control risks enable the CAE to reduce the occurrence of the audit function risks.

From the audit function’s risk management perspective, the audit function risks (to the achievement of the audit function objectives) are captured in the audit function’s risk universe. This risk universe can be divided into two categories: the audit assurance risks and the audit process risks.

The audit assurance risks arise from applying the audit function risks of value, focus and execution to the company’s risk universe.

The audit process risks arise from applying the audit function risks of performance, reporting and compliance to the audit assurance activities.

The audit assurance risk mitigation (in order to achieve the desirable level of residual assurance risk) depends on the risk appetite of the board, whereas the audit process risk mitigation (in order to achieve the desirable level of residual process risk) depends on the risk appetite of the CAE.

The residual audit assurance risks reflect the level of risk consistent with the risk appetite of the board.

The residual audit process risks reflect the level of risk consistent with the risk appetite of the CAE.

The Beumer Audit Risk Management Model© shows that the audit function is exposed to two main sources of the audit risks:

1. The assurance operations of the audit function. These assurance operations are linked to the objectives of improving the company by helping the company achieve its objectives. They are the drivers for the audit risk management.

2. The internal operations of the audit function. These internal operations are linked to the objectives of running an efficient and effective audit function. They are the enablers for the audit risk management.

Figure 3 – Beumer Audit Risk Management Model©

Audit Assurance Risk Management Model©

Consistent with the Beumer Audit Risk Management Model©, the audit assurance risks reflect the application of the audit function’s value risks, focus risks and execution risks to the company’s risk universe. Use the following guidance for the interpretation of this model:

The 14 audit assurance objectives represent the audit function’s strategies to create value for the board and management, ensuring an appropriate focus of the annual audit plan and the audit engagements, and executing the annual planning and the audit engagements in such a way that value is created.

The audit assurance risks show the 33 potential risks to which the audit function can be exposed. The level of the risk exposures depends on several factors:

The risk appetite of the CAE.

The level of the inherent risk and control risk of the audit function (driven by the risk appetite of the CAE).

The size of the audit function’s risk universe.

The risk appetite of the board.

The level
