Are you sure that your Auditors are spending time on the biggest risks in your organization? One of our clients, a large financial services firm, thought they were doing risk-based prioritization until I simply asked one of their auditors “Why?” Here was the conversation:
Client Auditor (CA): “What do you think of this audit issue we’ve just written?”
Ramaley Group (RG): “Why is this finding a big deal?”
CA: “They violated a company policy.”
RG: “Why does that policy matter?”
CA: “It was in scope for the review.”
RG: “Why was it in scope for the review?”
CA: “It’s one of the core processes for this auditable entity.”
RG: “Why were you covering this auditable entity?”
CA: “We hadn’t been in there in a long time.”
Does anybody hear anything that sounds like a good reason for the finding being a big deal? Of course, like in so many audit departments, this client was simply working their way around the company’s org chart, providing coverage as they go and hoping to find something that aligns with a true business priority. This client needed to conduct a true risk assessment so they could spend their time deeply covering the most critical areas of the company, rather than diluting their influence by presenting issues that are ancillary to the firm’s key risks.
Following this dialogue, Ramaley Group worked with the client to establish an end-to-end risk assessment process in a few easy steps:
- The firm’s audit entities are assessed for inherent risk across critical dimensions (strategic, operational, financial, etc.).
- Inherent risk is combined with factors reflecting existing controls, recency of coverage, degree of automation, and other factors to establish a weighted risk score for each.
- The entity-level weighted risk scores are used to determine each entity’s place in the audit cycle (i.e., coverage frequency and type).
- When it’s time to audit each entity, its core processes are risk-assessed using a similar methodology.
- The highest risk core processes are selected to be in-scope.
- Within each process, controls are identified and ranked based on the value they provide and the nature of the risks they are designed to mitigate.
- The highest-value controls are selected for testing.
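The scoring chain described in the steps above, worked through as an added Python example; this is not Ramaley Group's own methodology or tooling. The risk dimensions, their weights, the control-strength and automation factors, the staleness cap, the coverage thresholds, and every sample entity, process and control value are constructed assumptions chosen to show the mechanics.

```python
"""Risk-based audit scoping: entity cycle -> in-scope processes -> controls to test.

Added illustration, not a client deliverable. Every weight, threshold and sample
value is a constructed assumption.
"""
from dataclasses import dataclass

# Assumed weights for the inherent-risk dimensions (they sum to 1.0).
DIMENSION_WEIGHTS = {"strategic": 0.4, "operational": 0.3, "financial": 0.3}


@dataclass
class Entity:
    name: str
    inherent: dict            # dimension -> rating 1 (low) .. 5 (high)
    control_strength: float   # 0..1, 1.0 = strong existing controls
    years_since_audit: int
    automation: float         # 0..1, 1.0 = fully automated


@dataclass
class Process:
    name: str
    inherent: dict
    control_strength: float


@dataclass
class Control:
    name: str
    value: int          # 1..5, how much assurance the control provides
    risk_severity: int  # 1..5, severity of the risk it is designed to mitigate


def inherent_risk(ratings):
    """Weighted average of the dimension ratings, on the same 1..5 scale."""
    return sum(DIMENSION_WEIGHTS[d] * ratings[d] for d in DIMENSION_WEIGHTS)


def residual_risk(ratings, control_strength):
    """Existing controls reduce inherent risk by at most half (assumed factor)."""
    return inherent_risk(ratings) * (1 - 0.5 * control_strength)


def entity_score(e):
    """Weighted risk score: residual risk, nudged up by stale coverage and down
    by automation. Staleness is capped at +1.0 so "we haven't been in there in
    a long time" can never outweigh genuinely high inherent risk."""
    staleness = min(e.years_since_audit, 5) * 0.2
    return residual_risk(e.inherent, e.control_strength) + staleness - 0.3 * e.automation


def coverage_cycle(score):
    """Map a weighted score to a place in the audit cycle (assumed thresholds)."""
    if score >= 3.5:
        return "annual"
    if score >= 2.5:
        return "every 2 years"
    return "every 3 years"


def scope_processes(processes, top_n):
    """Rank an entity's core processes by residual risk and keep the top N."""
    ranked = sorted(processes, key=lambda p: residual_risk(p.inherent, p.control_strength),
                    reverse=True)
    return [p.name for p in ranked[:top_n]]


def select_controls(controls, top_n):
    """Rank controls by assurance value x severity of the mitigated risk; keep top N."""
    ranked = sorted(controls, key=lambda c: c.value * c.risk_severity, reverse=True)
    return [c.name for c in ranked[:top_n]]


# Constructed sample data for a fictional firm.
ENTITIES = [
    Entity("Treasury", {"strategic": 5, "operational": 4, "financial": 5}, 0.4, 1, 0.5),
    Entity("Payroll", {"strategic": 2, "operational": 3, "financial": 4}, 0.6, 4, 0.9),
    Entity("Facilities", {"strategic": 1, "operational": 2, "financial": 2}, 0.5, 6, 0.2),
]
TREASURY_PROCESSES = [
    Process("Wire transfers", {"strategic": 4, "operational": 5, "financial": 5}, 0.5),
    Process("Bank reconciliation", {"strategic": 3, "operational": 3, "financial": 4}, 0.7),
    Process("Petty cash", {"strategic": 1, "operational": 1, "financial": 2}, 0.6),
]
WIRE_CONTROLS = [
    Control("Dual authorization of payments", 5, 5),
    Control("Callback verification of new beneficiaries", 4, 5),
    Control("Beneficiary template review", 3, 3),
    Control("Monthly volume report", 2, 1),
]


def build_plan():
    """Run the full chain and return the resulting audit plan as a dict."""
    plan = {e.name: {"score": round(entity_score(e), 2),
                     "cycle": coverage_cycle(entity_score(e))} for e in ENTITIES}
    plan["Treasury"]["in_scope"] = scope_processes(TREASURY_PROCESSES, top_n=2)
    plan["Treasury"]["tests"] = {"Wire transfers": select_controls(WIRE_CONTROLS, top_n=2)}
    return plan


if __name__ == "__main__":
    for name, detail in build_plan().items():
        print(name, detail)
```

The cap on the staleness term is the design choice that encodes the dialogue above: with these constructed values, Facilities scores lowest even though it has gone six years without coverage, while Treasury lands on an annual cycle because of its inherent and residual risk rather than its place on the org chart.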
Following this methodology, the client can be assured that every test is being executed against a high-value control, in a high-risk process, in an entity that is receiving appropriate coverage frequency. By focusing tests on these most critical controls, the client was able to cut their volume of tests executed by nearly 70% and write far more meaningful audit issues.
Of course, the devil is in the details. The specific risk assessment methodologies used – risk types, entity breakdown, scoring methodology, weightings, and assessment tools – were all tailored for the client to deliver an approach that would fit their environment.
To learn more about how your own planning approach could be enhanced so that your auditors are allocating their time to the most impactful activities in your firm, please contact Ramaley Group: firstname.lastname@example.org.