When internal auditors abandon their traditional audit plans and programs
and start planning their work around the content of the corporate risk register,
what happens? One organization that has been quite open about this, presenting
its story repeatedly at professional conferences, is BAA plc, which runs Britain's
airports. BAA's overall audit plan and the content of each review changed dramatically
once they were based on the corporate risk register. All this was very
exciting, and the general feeling was that internal audit was turning its attention toward
things of greater importance to the business and of greater interest to senior management.
One side effect was that traditional core audit topics got less attention.
Did this mean that BAA had been over-auditing those areas in the past, and the
intellectual rigor of the new approach had revealed this habitual waste? Probably
not.
What Goes into Risk Registers?
The content of risk registers varies greatly depending on why the exercise
is being done. But if you just get some senior executives or business managers
in a room and ask them to think of risks, you can expect to see the following.
Typically mentioned              | Typically omitted
New business initiatives         | Business as usual
Competitive strategies           | Health and safety (except in industries where the omission would be a scandal)
Business results                 | Reliable accounting
Projects                         | Compliance with existing legislation and regulations
Things that need to be improved  | Things that don't need to improve
It is human nature to mention objectives that relate to new initiatives.
For example, if someone asked you on January 1 what your personal goals for
the year were, would you list all the things you will have to do that are just
continuation of what you have been doing in the past? Of course not. You might
say, if true, that you aim to learn to play the guitar, or get fit (finally),
or spend more time with your family.
On top of that, senior executives have a rather unusual perspective as they
spend a lot of their time on change. Consequently, an audit program based on
the contents of a typical corporate risk register will be in danger of skimping
on the boring compliance matters that have traditionally been the bedrock of
auditing.
Why Is This a Surprise?
It shouldn't be a surprise, but if we base our expectations of risk registers
on the COSO framework for internal control and documents inspired by it, we
will be surprised. The COSO framework for internal control describes an internal control
system in abstract terms and puts something it calls "risk management" at the
top of a pyramid, with the job of monitoring risks and revising the control
system to meet them. So far so good, with nothing there that narrows down what
sort of risk is to be considered or what constitutes a control.
However, turn to the implementation guide, which provides detailed risk-control
tables, and the main target of the COSO framework is clear. The analysis grinds
through accounting cycles suggesting controls that would help to keep the accounts
correct and avoid obviously bad or fraudulent deals or loss of valuable assets.
The framework was written by accountants, and perhaps it seemed to them that
anyone faced with populating a risk register would focus on the same risks they
had.
Risk Management versus Internal Control
In principle, there is no difference between a risk management system and
an internal control system. You may feel differently, and there are many views
on this, but the scope of each phrase seems to be getting wider, and they are
converging. However, there are big differences in emphasis, with many practical
implications.
Risk management        | Internal control
Nonroutine             | Routine
Management             | Clerical
Thinking               | Procedures
Flipcharts             | Documents
Change                 | Business as usual
Projects               | Processes (accounting cycles)
Objectives             | Constraints
Achievement            | Compliance
What could happen      | What could go wrong
Running the business   | Maintaining the control system
Practical Implications
There are a number of things that auditors need to adapt to if they want
to start working from the corporate risk register.
Coverage
I've already mentioned the change in coverage that results and hinted that
some of this is not desirable. Some kind of adjustment needs to be made to ensure
that "boring" objectives not mentioned by senior executives nevertheless appear
alongside the exciting ones when the audit managers start working on their annual
plans.
Recommendations
The kind of control recommendations auditors like to make should change as
the nature of the audits changes. Auditors who come from a background of commenting on
improvements to clerical procedures naturally concentrate on procedural
matters: documents, control checks, sign-offs, and the form of the work rather than
its content (because usually the content is very simple).
However, improving the management of business risks means that, more often,
the content is complex and needs attention. It is often better to plan to reduce
the inherent risk than to add control checks that would catch the problem only after
it has occurred. The conversations people have are often more important than the
documents that eventually get signed off.
This tendency to add control checks can be seen in the style of risk management
that accountants/auditors promote, which is little more than control self-assessment,
i.e., a review of controls/risk responses against risks intended primarily to
show, retrospectively, that all is well.
Upside and Downside
Looking at operational and accounting procedures, there is no real need to
think about things that might go unexpectedly well. All risks are bad. However,
many of the items in a typical corporate risk register can have upsides too.
For example, "loss of market share" could and should have "gain of market share"
joined to it because the full picture is that we have uncertainty about future
market share.
This perspective takes some getting used to, which may be why, although nearly
all risk management standards include upside risks in their scope, very few
include any technical adjustments to accommodate upside risks.
Quantification
Something else that doesn't come up often when you only look at operational
and accounting risks is a need for quantification. In traditional audit work,
saying that a risk is "high," "medium," or "low" seems quite sophisticated.
For some other areas of risk, including those that often feature prominently
in corporate risk registers, it is woefully inadequate.
For example, understanding the impact of changes to project structures requires
a more sophisticated understanding of quantitative modeling. What happens if
you increase the time between useful deliveries to end users? What happens if
you decrease the number of dependencies in a plan?
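As an added example (not from the article), the second of those questions can be answered numerically with a small Monte Carlo schedule model. The task list, the three-point duration estimates, the dependency edges, the two plans and the 32-day deadline below are all constructed for illustration; plan B is plan A with one dependency removed, and both plans are evaluated on the same random duration draws so that the comparison is paired:

```python
"""Monte Carlo schedule-risk model for a small project plan.

Added example for illustration; the tasks, durations, dependencies and
deadline are constructed here and are not taken from the article.
"""
import random
from typing import Dict, List, Tuple

Edge = Tuple[str, str]  # (predecessor, successor)

# Constructed task list: name -> (optimistic, most likely, pessimistic) days.
TASKS: Dict[str, Tuple[float, float, float]] = {
    "requirements": (3, 5, 9),
    "design": (4, 6, 12),
    "build_api": (8, 12, 20),
    "build_ui": (6, 10, 18),
    "integration": (3, 5, 12),
    "security_review": (2, 4, 10),
    "release": (1, 2, 4),
}

# Plan A: the security review covers the integrated system, so it waits
# for integration as well as for the API build.
PLAN_A: List[Edge] = [
    ("requirements", "design"),
    ("design", "build_api"),
    ("design", "build_ui"),
    ("build_api", "integration"),
    ("build_ui", "integration"),
    ("build_api", "security_review"),
    ("integration", "security_review"),
    ("integration", "release"),
    ("security_review", "release"),
]

# Plan B: one dependency fewer. The review starts as soon as the API is
# built and runs in parallel with integration; every other edge is the same.
PLAN_B: List[Edge] = [e for e in PLAN_A if e != ("integration", "security_review")]

DEADLINE_DAYS = 32.0  # constructed commitment to the business


def finish_time(edges: List[Edge], durations: Dict[str, float]) -> float:
    """Project finish time: the longest path through the dependency DAG.

    Each task starts when all of its predecessors have finished. Tasks are
    processed in topological order (Kahn's algorithm); a cycle is an error.
    """
    preds: Dict[str, List[str]] = {t: [] for t in durations}
    succs: Dict[str, List[str]] = {t: [] for t in durations}
    for a, b in edges:
        preds[b].append(a)
        succs[a].append(b)
    indegree = {t: len(preds[t]) for t in durations}
    ready = [t for t in durations if indegree[t] == 0]
    finish: Dict[str, float] = {}
    while ready:
        t = ready.pop()
        start = max((finish[p] for p in preds[t]), default=0.0)
        finish[t] = start + durations[t]
        for s in succs[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(finish) != len(durations):
        raise ValueError("dependency graph contains a cycle")
    return max(finish.values())


def draw_durations(rng: random.Random, tasks=TASKS) -> Dict[str, float]:
    """One sample of task durations from the three-point (triangular) estimates."""
    return {t: rng.triangular(lo, hi, mode) for t, (lo, mode, hi) in tasks.items()}


def simulate(plans: Dict[str, List[Edge]], deadline: float = DEADLINE_DAYS,
             n: int = 10_000, seed: int = 1, tasks=TASKS) -> Dict[str, Dict[str, float]]:
    """Paired Monte Carlo: every plan is evaluated on the same duration draw,
    so differences between plans come from their structure, not sampling noise."""
    rng = random.Random(seed)
    finishes: Dict[str, List[float]] = {name: [] for name in plans}
    for _ in range(n):
        durations = draw_durations(rng, tasks)
        for name, edges in plans.items():
            finishes[name].append(finish_time(edges, durations))
    summary: Dict[str, Dict[str, float]] = {}
    for name, samples in finishes.items():
        samples.sort()
        summary[name] = {
            "p_late": sum(1 for f in samples if f > deadline) / n,
            "mean_days": sum(samples) / n,
            "p90_days": samples[int(0.9 * n) - 1],
        }
    return summary


if __name__ == "__main__":
    for name, stats in simulate({"A": PLAN_A, "B": PLAN_B}).items():
        print(f"plan {name}: P(late) = {stats['p_late']:.2f}, "
              f"mean = {stats['mean_days']:.1f} days, p90 = {stats['p90_days']:.1f} days")
```

Running it prints, for each plan, the probability of missing the deadline, the mean finish and the 90th-percentile finish. That is the kind of answer "high", "medium" or "low" cannot give: the model says by how much removing one dependency shortens the tail of the schedule, and because both plans share the same sampled durations, any difference between them is due to the plan structure rather than sampling noise. With the most-likely durations substituted for the draws, plan A finishes on day 34 and plan B on day 30.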
Modeling Choices
Likewise, thinking through the risks of an accounting process tends to involve
few decisions about how to structure the model. It is easy to get the impression
that the risks are a natural product of the process itself and alternative analyses
are not possible, or are likely to be extremely similar.
Yet, in looking more widely at business risks, there are many choices of
how to divide the universe of risk and different approaches yield radically
different sets of risks.
Conclusion
If auditors want to adopt the corporate risk register as the basis of their
audit planning, they need to adapt their approach in several ways. The risks
that appear on corporate risk registers are not the sort of risks that auditors
are used to addressing and do not resemble the risks envisaged by the COSO framework
on internal controls, except in principle. Auditors have a huge role in embedding
risk management, but it's going to require some new skills.