RSM / BarnOwl Info Sharing session: 17 June 2020
Presented by Anton Bouwer, Director, RSM South Africa and Jonathan Crisp, Director, BarnOwl
Thank you very much to RSM South Africa and Anton Bouwer for hosting this info-sharing event online on the 17th June 2020.
The audit standards and definitions of audit make it clear that Internal Audit needs to transition from the business of providing subjective opinions on “control effectiveness” on a small fraction of the risk universe to ensuring senior management and the board are aware of the current residual risk status linked to key strategic value creation objectives and potential value erosion objectives.
The aim of the presentation is to outline a practical approach to objective and risk-based auditing which will enable audit to concentrate on the risks that matter to the organisation. In addition, risk management must be a ‘living’ system with real-time information as far as possible (e.g. utilising key indicators, continuous auditing), capable of alerting management to a changing risk landscape. Whilst we all know that financial management, budgeting, cash flow etc. are critical to the running of a business, so too is risk management when implemented effectively. One benefit of risk management (when implemented effectively) is that it acts as an early warning system, alerting the business to problems as they happen or are about to happen (knock-on effects, trends, predictions etc.), as opposed to financial management / accounts, which come out well after the fact when the damage is already done.
Since the Covid pandemic, management and boards seem to be far more attentive to risk management and BCM (business continuity management), which is an integral part of risk management. Many organisations were caught totally off guard when this pandemic struck, and yet this disaster, although awful, is far less destructive and intrusive than an earthquake, flood or war, for example. It has also forced all of us to adapt very quickly to a new way of working which would otherwise have taken many years to evolve. Working from home and conducting meetings online has become the norm and has turned out to be far more efficient than climbing into a car and / or plane and spending hours travelling when so much can be done online. Of course, we need to spare a thought for industries such as tourism, mining, manufacturing, airlines etc., and probably the worst hit will be commercial property and related businesses as many organisations downscale their physical footprint. Perhaps, too, this pandemic is the catalyst required for an even faster transition to robotics in industries other than mining and manufacturing.
In my opinion, things have changed and risk management will no longer just be seen as a compliance tick-box exercise but rather as a critical management tool directly linked to strategy, business sustainability including BCM and the achievement of strategic, business and operational objectives.
Objective and Risk based auditing
In May 2020, the IIA published a new Practice Guide: Developing a Risk-based Internal Audit Plan Practice Guides (PG) which are recommended guidance but not mandatory. The following are a few stand out points:
- While the annual risk assessment is the minimum requirement articulated in the Standards, today’s rapidly changing risk landscape demands that internal auditors assess risks frequently, even continuously. Risk-based internal audit plans should be dynamic and nimble. To achieve those qualities, some CAEs update their internal audit plan quarterly (or a similar periodic schedule), and others consider their plans to be “rolling.”
- Which types of internal audit engagements will provide senior management and the board with adequate assurance and advice that significant risks have been mitigated effectively?
- … need to continuously assess risks, re-evaluate risk priorities, and adjust the plan to accommodate the new priorities.
As Norman Marks comments, “Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks. Audit risks to the enterprise, not risks to an auditable entity”.
It is also concerning to see how many audit managers / CAEs still talk about a three-year rolling plan, or what is often referred to as cyclical auditing. As Norman Marks comments: “This approach has been obsolete for at least 20 years. The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out.”
Too often, we see risk management, compliance and audit operating in silos and, even worse, without a common risk methodology and framework: risks are rated on a 10×10 rating scale in one area and a 5×5 scale in another, and/or there is no common rating scale for control adequacy and control effectiveness.
Where there is a low level of risk maturity, audit planning tends to focus on controls alone. The discussion is around system descriptions and control objectives, but little or no mention is made of what the purpose of the controls is in terms of managing the risk. Whilst it may be expedient to have a bottom-up approach, it is critical that you also have a top-down approach (objective and risk-based approach) to ensure that the focus is on auditing the controls that really matter to the organisation.
Even where there is a common methodology across the various service lines, we see auditing confined to a particular auditable entity and / or process rather than being objective and risk based which is cross-functional and cross-divisional. Risk management is also often performed in silos where cross-divisional, inter-related risks are not taken into account when assessing and managing a particular risk. In addition, effective risk management involves identifying contributing factors and controlling these as far as possible; in this way you treat the cause and not just the symptom.
Combined Assurance is the latest buzzword, and there is always healthy debate around what and how many lines of defence there should be. Sadly, combined assurance is a non-starter if you don’t have the basic building blocks in place, such as:
- A common risk methodology and framework across all assurance providers such as Risk, Compliance, Audit, IT Audit, Forensics, H&S etc.
- Objective and risk driven approach to assurance.
- Non-siloed approach to risk management identifying inter-related risks (cross-divisional and cross-functional) as well as contributing factors and key risk indicators.
The following diagram (courtesy of UNISA) illustrates the audit approach, best suited, based on the risk maturity of the organisation:
In a mature environment, audit is able to focus more on assurance. In an immature environment, audit needs to focus more on consultancy. The IIA standards, both in terms of the 1000 (attribute) standards and the 2000 (performance) standards, outline the Consultancy and Assurance tasks.
The imperative for Objective / Risk based auditing
The following diagram depicts the misguided effort of audit if not driven by a top-down strategic and business objective approach:
Among the more than 10,000 companies that make up CEB’s global membership (including almost 2,000 general counsel, chief compliance executives, chief audit executives, chief information security officers, and heads of ERM), the best companies employ three standout risk management practices to avoid organisational drag:
- Incorporate Risk Management in Strategy (and Vice Versa) and Establish a Healthy Risk Appetite,
- Coordinate Disparate Risk Information for Decision Makers,
- Manage Human Behaviour as Part of the Risk Management Process.
The benefits of effective risk management
When one considers what goes into running a successful business and keeping it running in an ever-changing environment, it is quite overwhelming. The following are just a few areas that any business needs to have in place and needs to continually monitor and adapt in order to be sustainable:
- Stakeholder commitment (shareholders, employees, clients, suppliers, society, environment, government)
- External Environment / Threats
- Information and data management
Given the complexities above, it becomes apparent that risk management is not just about reviewing a list of the top 20 risks once a year in an Excel spreadsheet. Risk management, when implemented in a systematic and disciplined way is an invaluable, strategic management system, allowing management to keep a finger on the pulse across all areas of the business and to be in a position to respond quickly to changing risk factors. In order to be effective, risk management needs to be implemented as a living system as well as driving ownership and accountability for risk management at every level of the organisation within the defined risk appetite and tolerance levels. Live monitoring of key risk indicators supported by continuous auditing makes it possible to respond to changing risk factors in real time. It is impossible to perform risk management effectively without an integrated system!
The beauty of risk management is how simple and logical it is! For example:
- What are we trying to achieve (goals / objectives),
- What are the risks that we are prepared to take and to what extent (risk appetite / tolerance) in order to achieve our objectives,
- Which risks and opportunities, if managed correctly, will ensure the best result,
- To what extent and at what cost can we control our risks,
- What contributes to the risk (contributing factor / cause) and to what extent and at what cost can we control the contributing factors,
- Identify the key indicators (KPIs, KRIs and KCIs) with upper and lower thresholds. Key indicators can be compared to your motorcar dashboard, with warning lights for oil, temperature, speed, ABS, park distance control etc.
Once we have decided on the most significant goals/objectives, we can assess which risks to take and/or contain/mitigate, i.e. assess the impact and likelihood of the various risks linked to our goals/objectives. Now we know where to focus in order to maximise the achievement of our goals/objectives:
The trick to effective risk management is:
- identifying and populating meaningful data (objectives, risks, contributing factors, controls etc.) into the system. It’s a typical case of ‘garbage in, garbage out’,
- up-to-date / real-time monitoring of risks and controls utilising techniques such as continuous auditing, live feeds or regularly updated key indicators (KPIs, KRIs and KCIs). One of the aspects which detracts from the value of risk management is that risk and control ratings are not kept up to date and/or are too subjective. Whilst risk management is part art (subjective / gut feel) and part science, often the science / hard numbers are missing. Key indicators are critical to effective risk management. In addition, risks should be rated qualitatively as well as quantitatively where possible. Nothing focuses the mind more than a view of the value at risk, i.e. what something going wrong will cost your organisation,
- the tone from the top,
- embedding risk management at all levels of the organisation and
- holding people accountable for risk, facilitated by RCSAs (Risk and Control self-assessments), action plans, owners, due dates, progress tracking etc.
Implementing Objective / Risk based Assurance
The diagram above shows a typical organisational structure with a hierarchy of branches, business units, divisions and processes. Strategic, business and operational objectives are linked at every level of the organisation, often utilising a combination of a top-down and bottom-up approach. Risks that threaten the objectives, or that need to be taken to achieve the objectives, are identified and linked to the relevant objective at every level of the organisation. Risks are assessed and rated according to impact and likelihood and, depending on the control strategy, controls are put in place to mitigate the risks. The risks and controls are monitored either manually, automatically (continuous auditing / key indicators) or both, providing an early warning system of a changing risk environment. Risks can be linked cross-divisionally / cross-functionally to other risks, whereby the owner of a risk is alerted (dynamic re-assessment) when risk/s in another area/s impact the owner’s risk. This ensures a non-silo, integrated approach to the management of risk. Assigning action plans with due dates to owner/s drives ownership and accountability for managing risks and controls. Assurance is provided by independent assurance providers, such as the compliance and audit divisions, through the verification and testing of risks and controls. Combined assurance, together with performance monitoring and reporting, gives management peace of mind that the significant risks linked to key objectives are being managed.
The diagram above shows the breakdown of high level strategic objectives into specific objectives at every level of the organisation. Risks are identified and rated both qualitatively and quantitatively with risk appetite and tolerance levels being set at every level of the organisation.
Continuous auditing provides the ability to monitor controls on a real-time basis, proactively triggering risk assessments and providing early warning alerts of a changing risk environment.
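To make the mechanics concrete, here is a small Python model of the ideas in this section and in the earlier points on rating scales and key indicators: a common 5×5 rating scale shared by all assurance providers, risks linked to objectives and rated by impact and likelihood, residual exposure after controls, key indicators with upper and lower thresholds, and cross-divisional links so that the owner of a related risk is alerted when a breached indicator triggers a dynamic re-assessment. It is an added illustration written for this write-up, not BarnOwl's own code or data model; the register contents, indicator names and readings are constructed, and the rule that a breached indicator raises likelihood by one notch is an assumption chosen for the demonstration.

```python
"""Toy 'living' risk register: constructed illustration, not BarnOwl code."""
from dataclasses import dataclass, field
from typing import Optional

COMMON_SCALE = 5  # one impact/likelihood scale shared by Risk, Compliance, Audit, IT Audit etc.


def to_common_scale(score: int, source_scale: int) -> int:
    """Translate a rating from a source n x n scale (e.g. 10x10) onto the common 5x5 scale."""
    return max(1, min(COMMON_SCALE, round(score * COMMON_SCALE / source_scale)))


@dataclass
class KeyIndicator:
    """A KPI/KRI/KCI reading with optional lower and upper warning thresholds (the dashboard light)."""
    name: str
    lower: Optional[float] = None
    upper: Optional[float] = None

    def breach(self, reading: float) -> Optional[str]:
        if self.lower is not None and reading < self.lower:
            return "below lower threshold"
        if self.upper is not None and reading > self.upper:
            return "above upper threshold"
        return None


@dataclass
class Risk:
    name: str
    objective: str              # the objective this risk threatens
    owner: str                  # who is accountable
    impact: int                 # 1..5 on the common scale
    likelihood: int             # 1..5 on the common scale
    control_effectiveness: float  # 0.0..1.0 share of inherent exposure the controls remove
    indicators: list = field(default_factory=list)
    feeds: list = field(default_factory=list)  # names of related risks in other divisions

    def inherent(self) -> int:
        return self.impact * self.likelihood

    def residual(self) -> float:
        return round(self.inherent() * (1 - self.control_effectiveness), 2)


class RiskRegister:
    def __init__(self, tolerance: float):
        self.tolerance = tolerance  # residual score above which a risk is outside appetite
        self.risks: dict = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.name] = risk

    def reassess(self, readings: dict) -> list:
        """Apply one batch of key-indicator readings (a continuous-auditing feed).

        A risk with any breached indicator is re-assessed (assumed rule: likelihood +1, capped),
        its owner is alerted, and owners of linked risks in other areas are alerted too.
        """
        alerts = []
        for risk in self.risks.values():
            breached = [(ki, ki.breach(readings[ki.name]))
                        for ki in risk.indicators if ki.name in readings]
            breached = [(ki, why) for ki, why in breached if why]
            if not breached:
                continue
            risk.likelihood = min(COMMON_SCALE, risk.likelihood + 1)  # dynamic re-assessment
            for ki, why in breached:
                alerts.append({"risk": risk.name, "owner": risk.owner,
                               "indicator": ki.name, "reason": why})
            for linked in risk.feeds:  # non-silo: tell the owners of inter-related risks
                other = self.risks[linked]
                alerts.append({"risk": other.name, "owner": other.owner, "indicator": None,
                               "reason": f"linked risk '{risk.name}' was re-assessed"})
        return alerts

    def outside_appetite(self) -> list:
        return sorted(r.name for r in self.risks.values() if r.residual() > self.tolerance)


def build_demo_register() -> RiskRegister:
    """Constructed sample register: two divisions, one cross-divisional link."""
    reg = RiskRegister(tolerance=5.0)
    reg.add(Risk("Portal outage", "Keep the customer portal available", "IT Ops", 5, 2, 0.6,
                 indicators=[KeyIndicator("unpatched_critical_vulns", upper=0),
                             KeyIndicator("backup_success_rate_pct", lower=98)],
                 feeds=["Revenue shortfall"]))
    reg.add(Risk("Revenue shortfall", "Grow online sales by 10%", "Sales", 4, 2, 0.5))
    reg.add(Risk("Payroll fraud", "Accurate and complete payroll", "Finance", 3, 1, 0.7,
                 indicators=[KeyIndicator("duplicate_bank_accounts", upper=0)]))
    return reg


# Constructed feed: one control has slipped (three unpatched critical vulnerabilities).
DEMO_READINGS = {"unpatched_critical_vulns": 3, "backup_success_rate_pct": 99,
                 "duplicate_bank_accounts": 0}

if __name__ == "__main__":
    register = build_demo_register()
    print("Before feed, outside appetite:", register.outside_appetite())
    for alert in register.reassess(DEMO_READINGS):
        print("ALERT", alert)
    print("After feed, outside appetite:", register.outside_appetite())
```

Before the feed every risk sits inside appetite; after it, "Portal outage" moves to a residual of 6.0 and is flagged, its owner gets the indicator breach, and the Sales owner of the linked "Revenue shortfall" risk is alerted even though nothing in the Sales area changed. Swapping the hard-coded `DEMO_READINGS` for a scheduled pull from a monitoring or data-analytics source is what turns the register from an annual spreadsheet into the living system the text describes.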
Strategy and risk management are inseparable. Risk and assurance management is a critical management tool which enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management, business continuity and sustainability are more important now than ever.
Presentation and Video links:
Please see attached presentation here.
Once again thank you Anton for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: http://www.barnowl.co.za/events/
Director – BarnOwl GRC and Audit software
About Anton Bouwer, Director, RSM South Africa
Anton Bouwer is a Regional Divisional Director in RSM’s Johannesburg office and Head of Data Analytics.
Anton has over 30 years of audit and continuous auditing experience. He is also Director of RSM subsidiary Beta Software (Pty) Ltd, the Southern African distributor of Arbutus Data Analytical Software & Solutions.
During his career he has worked for various companies including ACL Europe, PwC and Deloitte, and he is the recipient of the ISACA (Information Systems Audit and Control Association) 2019 Award for Innovation.
Director | RSM South Africa
+27 82 371 0578
About Jonathan Crisp, Director, BarnOwl
Jonathan Crisp has a BSc Honours in Computer Science, as well as a Risk-Based Internal Auditing certification. He has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions.
IDI are the owners and software developers of the BarnOwl GRC and Audit software solution which is the preferred GRC solution in the public sector, endorsed by the Office of the Accountant General (OAG) of South Africa.
Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).
Director | BarnOwl
+27 83 260 1653 (mobile)
+27 11 540 9100 (office)
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.