Internal Controls

Risk Management versus Internal Control

Matthew Leitch | June 1, 2004

If auditors want to adopt the corporate risk register as the basis of their audit planning, they need to adapt their approach in several ways. The risks that appear on corporate risk registers are not the sort of risks that auditors are used to addressing and do not resemble the risks envisaged by the COSO framework on internal controls, except in principle. Auditors have a huge role in embedding risk management, but it's going to require some new skills.

When internal auditors abandon their traditional audit plans and programs and start planning their work around the content of the corporate risk register, what happens? One organization that has been quite open about this, presenting its story repeatedly at professional conferences, is BAA plc, which runs Britain's airports. BAA's overall audit plan and the content of each review changed dramatically as a result of basing them on the corporate risk register. All this was very exciting, and the general feeling was that it was turning its attention toward things of greater importance to the business and interest to senior management.

One side effect was that traditional core audit topics got less attention. Did this mean that BAA had been over-auditing those areas in the past, and the intellectual rigor of the new approach had revealed this habitual waste? Probably not.

What Goes into Risk Registers?

The content of risk registers varies greatly depending on why the exercise is being done. But if you just get some senior executives or business managers in a room and ask them to think of risks, you can expect to see the following.

Lots of risks concerning…       | But not many concerning…
--------------------------------|-----------------------------------------------------------------------------
New business initiatives        | Business as usual
Competitive strategies          | Health and safety (except in industries where the omission would be a scandal)
Business results                | Reliable accounting
Projects                        | Compliance with existing legislation and regulations
Things that need to be improved | Things that don't need to improve

It is human nature to mention objectives that relate to new initiatives. For example, if someone asked you on January 1 what your personal goals for the year were, would you list all the things you will have to do that are just continuation of what you have been doing in the past? Of course not. You might say, if true, that you aim to learn to play the guitar, or get fit (finally), or spend more time with your family.

On top of that, senior executives have a rather unusual perspective as they spend a lot of their time on change. Consequently, an audit program based on the contents of a typical corporate risk register will be in danger of skimping on the boring compliance matters that have traditionally been the bedrock of auditing.

Why Is This a Surprise?

It shouldn't be a surprise, but if we base our expectations of risk registers on the COSO framework for internal control and documents inspired by it, we will be. The COSO framework for internal control describes an internal control system in abstract terms and puts something it calls "risk management" at the top of a pyramid, with the job of monitoring risks and revising the control system to meet them. So far so good, with nothing there that narrows down what sort of risk is to be considered or what constitutes a control.

However, turn to the implementation guide, which provides detailed risk-control tables, and the main target of the COSO framework is clear. The analysis grinds through accounting cycles suggesting controls that would help to keep the accounts correct and avoid obviously bad or fraudulent deals or loss of valuable assets. The framework was written by accountants, and perhaps it seemed to them that anyone faced with populating a risk register would focus on the same risks they had.

Risk Management versus Internal Control

In principle, there is no difference between a risk management system and an internal control system. You may feel differently, and there are many views on this, but the scope of each phrase seems to be getting wider, and they are converging. However, there are big differences in emphasis, with many practical implications.

Risk Management Favorites | Internal Control Favorites
--------------------------|-------------------------------
Nonroutine                | Routine
Management                | Clerical
Thinking                  | Procedures
Flipcharts                | Documents
Change                    | Business as usual
Projects                  | Processes (accounting cycles)
Objectives                | Constraints
Achievement               | Compliance
What could happen         | What could go wrong
Running the business      | Maintaining the control system

Practical Implications

There are a number of things that auditors need to adapt to if they want to start working from the corporate risk register.

Coverage

I've already mentioned the change in coverage that results and hinted that some of this is not desirable. Some kind of adjustment needs to be made to ensure that "boring" objectives not mentioned by senior executives nevertheless appear alongside the exciting ones when the audit managers start working on their annual plans.

Recommendations

The kind of control recommendations auditors like to make should change as the nature of the audits changes. Auditors who come from a background of commenting on improvements to clerical procedures naturally concentrate on procedural matters, documents, control checks, sign-offs, and the form of work rather than its content (because usually the content is very simple).

However, improving the management of business risks means that more often, the content is complex and needs attention. It is often better to plan to reduce inherent risk rather than add control checks to catch it if it occurred. The conversations people have are often more important than the documents that eventually get signed off.

This tendency to add control checks can be seen in the style of risk management that accountants/auditors promote, which is little more than control self-assessment, i.e., a review of controls/risk responses against risks intended primarily to show, retrospectively, that all is well.

Upside and Downside

Looking at operational and accounting procedures, there is no real need to think about things that might go unexpectedly well. All risks are bad. However, many of the items in a typical corporate risk register can have upsides too. For example, "loss of market share" could and should have "gain of market share" joined to it because the full picture is that we have uncertainty about future market share.

This perspective takes some getting used to, which may be why, although nearly all risk management standards include upside risks in their scope, very few include any technical adjustments to accommodate upside risks.

Quantification

Something else that doesn't come up often when you only look at operational and accounting risks is a need for quantification. In traditional audit work, saying that a risk is "high," "medium," or "low" seems quite sophisticated. For some other areas of risk, including those that often feature prominently in corporate risk registers, it is woefully inadequate.

For example, understanding the impact of changes to project structures requires a more sophisticated understanding of quantitative modeling. What happens if you increase the time between useful deliveries to end users? What happens if you decrease the number of dependencies in a plan?

Modeling Choices

Likewise, thinking through the risks of an accounting process tends to involve few decisions about how to structure the model. It is easy to get the impression that the risks are a natural product of the process itself and alternative analyses are not possible, or are likely to be extremely similar.

Yet, in looking more widely at business risks, there are many choices of how to divide the universe of risk and different approaches yield radically different sets of risks.

Conclusion

If auditors want to adopt the corporate risk register as the basis of their audit planning, they need to adapt their approach in several ways. The risks that appear on corporate risk registers are not the sort of risks that auditors are used to addressing and do not resemble the risks envisaged by the COSO framework on internal controls, except in principle. Auditors have a huge role in embedding risk management, but it's going to require some new skills.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.