Thank you very much to RSM South Africa and Anton Bouwer for hosting this info-sharing event online on the 17th June 2020.
The audit standards and definitions of audit make it clear that Internal Audit needs to transition from the business of providing subjective opinions on “control effectiveness” on a small fraction of the risk universe to ensuring senior management and the board are aware of the current residual risk status linked to key strategic value creation objectives and potential value erosion objectives.
The aim of the presentation is to outline a practical approach to objective- and risk-based auditing which will enable audit to concentrate on the risks that matter to the organisation. In addition, risk management must be a ‘living’ system with real-time information as far as possible (e.g. utilising key indicators and continuous auditing), capable of alerting management to a changing risk landscape. Whilst we all know that financial management, budgeting, cash flow etc. are critical to the running of a business, so too is risk management when implemented effectively. One benefit of risk management (when implemented effectively) is that it acts as an early warning system, alerting the business to problems as they happen or are about to happen (knock-on effects, trends, predictions etc.), as opposed to financial management / accounts, which come out well after the fact when the damage is already done.
Since the Covid pandemic, management and boards seem to be far more attentive to risk management and BCM (business continuity management), which is an integral part of risk management. Many organisations were caught totally off guard when this pandemic struck, and yet this disaster, although awful, is far less destructive and intrusive than an earthquake, flood or war, for example. It has also forced all of us to adapt very quickly to a new way of working which would otherwise have taken many years to evolve. Working from home and conducting meetings online has become the norm and has turned out to be far more efficient than climbing into a car and / or plane and spending hours travelling when so much can be done online. Of course, we need to spare a thought for industries such as tourism, mining, manufacturing, airlines etc., and probably the hardest hit will be commercial property and related businesses, as many organisations downscale their physical footprint. Perhaps, too, this pandemic is the catalyst required for an even faster transition to robotics in industries other than mining and manufacturing.
In my opinion, things have changed and risk management will no longer just be seen as a compliance tick-box exercise but rather as a critical management tool directly linked to strategy, business sustainability including BCM and the achievement of strategic, business and operational objectives.
In May 2020, the IIA published a new Practice Guide, Developing a Risk-based Internal Audit Plan. Practice Guides (PGs) are recommended guidance but are not mandatory. The following are a few stand-out points:
As Norman Marks comments, “Providing assurance after auditing auditable entities is not the same as providing assurance on the more significant enterprise risks. Audit risks to the enterprise, not risks to an auditable entity”.
It is also concerning to see how many audit managers / CAEs still talk about a three-year rolling plan, or what is often referred to as cyclical auditing. As Norman Marks comments: “This approach has been obsolete for at least 20 years. The idea that you can predict what you should audit in future years is beyond credibility (and contradicted by the first pages of the PG). Over my long career as a CAE, I never predicted with any degree of certainty what we would audit more than 3-6 months out.”
Too often, we see risk management, compliance and audit operating in silos and, even worse, without a common risk methodology and framework: risks are rated on a 10×10 rating scale in one area and a 5×5 scale in another, and/or there is no common rating scale for control adequacy and control effectiveness.
Where there is a low level of risk maturity, audit planning tends to focus on controls alone. The discussion is around system descriptions and control objectives, but little or no mention is made of what the purpose of the controls is in terms of managing the risk. Whilst it may be expedient to have a bottom-up approach, it is critical that you also have a top-down (objective- and risk-based) approach to ensure that the focus is on auditing the controls that really matter to the organisation.
Even where there is a common methodology across the various service lines, we see auditing confined to a particular auditable entity and / or process rather than being objective- and risk-based, which is cross-functional and cross-divisional. Risk management is also often performed in silos, where cross-divisional, inter-related risks are not taken into account when assessing and managing a particular risk. In addition, effective risk management involves identifying contributing factors and controlling these as far as possible; in this way you treat the cause and not just the symptom.
Combined assurance is the latest buzzword, and there is always healthy debate around what the lines of defence should be and how many there are. Sadly, combined assurance is a non-starter if you don’t have the basic building blocks in place, such as:
The following diagram (courtesy of UNISA) illustrates the audit approach best suited to the risk maturity of the organisation:
In a mature environment, audit is able to focus more on assurance. In an immature environment, audit needs to focus more on consultancy. The IIA standards, both the 1000 (attribute) standards and the 2000 (performance) standards, outline the consultancy and assurance tasks.
The following diagram depicts the misguided effort of audit if not driven by a top-down strategic and business objective approach:
Among the more than 10,000 companies that make up CEB’s global membership, including almost 2,000 general counsel, chief compliance executives, chief audit executives, chief information security officers and heads of ERM, the best companies employ three standout risk management practices to avoid organisational drag:
When one considers what goes into running a successful business and keeping it running in an ever-changing environment, it is quite overwhelming. The following are just a few of the areas that any business needs to have in place and needs to continually monitor and adapt in order to be sustainable:
Stakeholder commitment (shareholders, employees, clients, suppliers, society, environment, government)
External environment / threats
Information and data management
Given the complexities above, it becomes apparent that risk management is not just about reviewing a list of the top 20 risks once a year in an Excel spreadsheet. Risk management, when implemented in a systematic and disciplined way, is an invaluable strategic management system, allowing management to keep a finger on the pulse across all areas of the business and to be in a position to respond quickly to changing risk factors. In order to be effective, risk management needs to be implemented as a living system, driving ownership and accountability for risk management at every level of the organisation within the defined risk appetite and tolerance levels. Live monitoring of key risk indicators, supported by continuous auditing, makes it possible to respond to changing risk factors in real time. It is impossible to perform risk management effectively without an integrated system!
The beauty of risk management is how simple and logical it is! For example:
Once we have decided on the most significant goals/objectives, we can assess which risks to take and which to contain/mitigate, i.e. assess the impact and likelihood of the various risks linked to our goals/objectives. Now we know where to focus in order to maximise the achievement of our goals/objectives:
The trick to effective risk management is:
The diagram above shows a typical organisational structure with a hierarchy of branches, business units, divisions and processes. Strategic, business and operational objectives are linked at every level of the organisation, often utilising a combination of a top-down and a bottom-up approach. Risks that threaten the objectives, or that need to be taken to achieve the objectives, are identified and linked to the relevant objective at every level of the organisation. Risks are assessed and rated according to impact and likelihood and, depending on the control strategy, controls are put in place to mitigate the risks. The risks and controls are monitored either manually, automatically (continuous auditing / key indicators) or both, providing an early warning system of a changing risk environment. Risks can be linked cross-divisionally / cross-functionally to other risks, so that the owner of a risk is alerted (dynamic re-assessment) when a risk in another area changes and affects the owner’s risk. This ensures a non-siloed, integrated approach to the management of risk. Assigning action plans with due dates to owners drives ownership and accountability for managing risks and controls. Assurance is provided by independent assurance providers, such as the compliance and audit divisions, through the verification and testing of risks and controls. Combined assurance, together with performance monitoring and reporting, gives management peace of mind that the significant risks linked to key objectives are being managed.
The diagram above shows the breakdown of high level strategic objectives into specific objectives at every level of the organisation. Risks are identified and rated both qualitatively and quantitatively with risk appetite and tolerance levels being set at every level of the organisation.
Continuous auditing provides the ability to monitor controls on a real-time basis, proactively triggering risk assessments and providing early warning alerts of a changing risk environment.
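To make the mechanics above concrete, here is a small worked example of the register described in the three paragraphs above, and of the common rating scale argued for earlier: risks linked to objectives, divisional ratings normalised onto one 5×5 impact × likelihood scale, a key risk indicator (KRI) threshold that, when breached by a continuous-auditing feed, raises the risk’s likelihood, and dynamic re-assessment that alerts the owners of linked risks in other divisions. This is an added illustration written for this write-up; it is not BarnOwl’s, RSM’s or any vendor’s code. The 5-point common scale, the ceiling-rounding rule, the “breached when value is at or above threshold” convention, the one-notch likelihood increase and all risk IDs, owners and KRI values are constructed assumptions.

```python
"""Toy risk register: objectives linked to risks, one common impact x likelihood
scale, KRI thresholds that trigger re-assessment, and alerts to linked risks."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

COMMON_SCALE = 5  # assumption: the organisation standardises on a 5x5 matrix

def normalise(rating: int, source_scale: int, target_scale: int = COMMON_SCALE) -> int:
    """Map a rating from a divisional scale (e.g. 10-point) onto the common scale.
    Ceiling division, so a rating never becomes less severe when mapped."""
    if not 1 <= rating <= source_scale:
        raise ValueError(f"rating {rating} outside 1..{source_scale}")
    return -(-rating * target_scale // source_scale)

@dataclass
class KRI:
    name: str
    threshold: float  # assumed convention: breached when value >= threshold
    value: float = 0.0

    def breached(self) -> bool:
        return self.value >= self.threshold

@dataclass
class Risk:
    risk_id: str
    objective: str   # the objective this risk threatens
    owner: str
    impact: int      # 1..COMMON_SCALE
    likelihood: int  # 1..COMMON_SCALE
    appetite: int    # highest residual score (impact * likelihood) tolerated
    kris: List[KRI] = field(default_factory=list)
    drives: List[str] = field(default_factory=list)  # risks elsewhere that this one feeds
    needs_reassessment: bool = False

    @property
    def residual(self) -> int:
        return self.impact * self.likelihood

    def outside_appetite(self) -> bool:
        return self.residual > self.appetite

class RiskRegister:
    def __init__(self) -> None:
        self.risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        self.risks[risk.risk_id] = risk

    def update_kri(self, risk_id: str, kri_name: str, value: float) -> List[str]:
        """Record a KRI observation (the kind of feed continuous auditing produces).
        On breach: raise likelihood one notch, flag the risk, alert downstream owners."""
        risk = self.risks[risk_id]
        kri = next(k for k in risk.kris if k.name == kri_name)
        kri.value = value
        if not kri.breached():
            return []
        risk.likelihood = min(COMMON_SCALE, risk.likelihood + 1)
        risk.needs_reassessment = True
        alerts = [f"{risk.owner}: KRI '{kri.name}'={value} breached {kri.threshold} on "
                  f"{risk.risk_id}; residual now {risk.residual} (appetite {risk.appetite})"]
        return alerts + self._propagate(risk, {risk.risk_id})

    def _propagate(self, source: Risk, seen: Set[str]) -> List[str]:
        """Dynamic re-assessment across divisions; each linked risk is visited once."""
        alerts: List[str] = []
        for dep_id in source.drives:
            if dep_id in seen:
                continue
            seen.add(dep_id)
            dep = self.risks[dep_id]
            dep.needs_reassessment = True
            alerts.append(f"{dep.owner}: re-assess {dep.risk_id} ({dep.objective}), "
                          f"driven by change in {source.risk_id}")
            alerts += self._propagate(dep, seen)
        return alerts

    def outside_appetite(self) -> List[str]:
        return sorted(r.risk_id for r in self.risks.values() if r.outside_appetite())

def build_sample_register() -> RiskRegister:
    """Constructed sample data: three divisions, one chain of linked risks."""
    reg = RiskRegister()
    reg.add(Risk("R-IT-01", "Keep core systems available", "IT manager",
                 impact=normalise(8, 10), likelihood=normalise(4, 10),  # IT uses a 10-point scale
                 appetite=8, kris=[KRI("critical_cves_unpatched_30d", threshold=10)],
                 drives=["R-OPS-02"]))
    reg.add(Risk("R-OPS-02", "Meet customer SLAs", "Operations head",
                 impact=4, likelihood=2, appetite=8, drives=["R-FIN-03"]))
    reg.add(Risk("R-FIN-03", "Protect revenue from SLA penalties", "CFO",
                 impact=3, likelihood=2, appetite=9))
    return reg

if __name__ == "__main__":
    register = build_sample_register()
    for alert in register.update_kri("R-IT-01", "critical_cves_unpatched_30d", 14):
        print(alert)
    print("outside appetite:", register.outside_appetite())
```

In the constructed sample the IT risk starts exactly at its appetite (residual 8 on the common scale). One KRI observation of 14 unpatched critical CVEs pushes its likelihood up a notch, takes it outside appetite, and produces three alerts: one to the IT manager and one each to the operations head and the CFO, whose risks are downstream but would never have changed in a siloed register. Rounding up when converting scales is a deliberate choice: a rating should not become less severe just because it was re-expressed on a coarser matrix.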
Strategy and risk management are inseparable. Risk and assurance management is a critical management tool which enables an organisation to optimise the level of risk being taken to best achieve the organisation’s objectives whilst still operating within the risk appetite of the organisation. Risk management, business continuity and sustainability are more important now than ever.
Please see attached presentation here.
Once again thank you Anton for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at: http://www.barnowl.co.za/events/
Director – BarnOwl GRC and Audit software
Anton Bouwer is a Regional Divisional Director in RSM’s Johannesburg office and Head of Data Analytics.
Anton has over 30 years of audit and continuous auditing experience. He is also Director of RSM subsidiary Beta Software (Pty) Ltd, the Southern African distributor of Arbutus Data Analytical Software & Solutions.
During his career he has worked for various companies, including ACL Europe, PwC and Deloitte, and he is the recipient of the ISACA (Information Systems Audit and Control Association) 2019 Award for Innovation.
Director | RSM South Africa
+27 82 371 0578
Jonathan Crisp has a BSc Honours in Computer Science, as well as a Risk-Based Internal Auditing certification. He has over 30 years’ experience in the IT industry and is one of the founding directors of IDI Technology Solutions.
IDI is the owner and software developer of the BarnOwl GRC and Audit software solution, which is the preferred GRC solution in the public sector, endorsed by the Office of the Accountant General (OAG) of South Africa.
Jonathan is an active member of the Risk Intelligence Committee at IRMSA (Institute of Risk Management SA) and is a member of the IIA (Institute of Internal Audit SA).
Director | BarnOwl
+27 83 260 1653 (mobile)
+27 11 540 9100 (office)
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.