A change of focus: internal auditors in Australia get a broader view of risks by linking their risk analysis to an ERM framework

Internal Auditor, August, 2005 by Andrew MacLeod, Bob Overell

TRADITIONALLY, INTERNAL audit functions have used risk analysis techniques to identify candidate areas for audit coverage. The objective of these techniques is to prioritize areas for review by providing a comparative risk ranking of those functions. Some common risk analysis variables, such as dollar value and changes in key personnel, are now considered part of the enterprise risk management (ERM) framework. As organizations establish their own ERM frameworks, many are expecting their internal audit department to align its risk analysis with their framework to establish a consistent basis for setting priorities and to promote risk management throughout the organization.

Recently, the audit committee of the Brisbane City Council directed its Assurance & Audit Services (A & AS) department to integrate its internal audit planning more directly with the council's own corporate risk management framework to ensure that audits assess risks and controls in line with the framework. In the past, A & AS has used nine risk assessment factors to prioritize areas for internal audit attention, but that analysis functioned independently from the council's framework. Some members of the audit committee argued that there was considerable overlap among key variables in the A & AS risk analysis.

Like many internal audit departments, A & AS lacked a strategy for linking its risk analysis to an ERM framework. One of the problems the department faced was that the corporate risk management framework lacked the detail needed to permit audit planning to occur at the level required to schedule and manage reviews. To address this problem, A & AS decided to go beyond the corporate framework and look at the more detailed divisional and branch risk management plans (risk registers). An alignment exercise was undertaken to identify more direct links between risk categories and aspects contained in the risk registers and, where applicable, the items that were already included in the audit universe recognized by A & AS. Some risk categories found in the registers, such as workplace health and safety, did not lend themselves to internal audits and would need to be reviewed by specialists in those areas.

Another problem the council encountered was the need to prioritize items that are rated at least a high inherent risk. Although such risks warrant audit attention, there are too many to review. The risk registers usually provide assessments of inherent risks and current risks, after taking into account the controls put in place. Managers and staff from each area use a self-assessment process to gauge the adequacy and effectiveness of controls and mitigating strategies in place, but these individuals may lack the detailed knowledge and objectivity necessary to provide an accurate assessment. Based on these self-assessments, existing or proposed mitigation strategies or actions that are judged to reduce the risk of a system or process significantly are considered key controls. Consequently, an important focus of A & AS' internal audit planning is to consider inherently high-risk areas that have been reduced by users to low current risks through the self-assessment of controls.

A NEW STRATEGY

To comply with the audit committee's directive, A & AS approached risk analysis in a new way that directly links the annual audit plans to the divisional and branch risk registers, and through them to the corporate risk management framework. This strategy also allows A & AS to focus more on the value of self-assessed, but untested, controls, using a conversion chart developed by corporate risk management that assigns numerical values to inherent and current risk ratings (see "Risk Rating Calculation" above). Auditors calculate a mathematical value of the risk treatments based on the numerical difference between the inherent and current risks, and scale up the differential based on ratings assigned by A & AS under the headings of "executive management interest," "A & AS control perception," and "time since last audit" (see "Risk Differential Scaling Factors" below).

Using A & AS' risk analysis methodology to calculate this differential directs auditors' attention to areas of inherently high risk where key controls may not be as effective as local management believes them to be. This situation may have occurred because independent reviews of these areas have not been scheduled. A & AS will provide separate reports to the audit committee detailing its risk analyses of areas where the divisional or branch risk registers show a high rating for inherent risk, where the current risk remains largely unchanged, and where no action by management or review coverage is planned. Several of the highest risk areas where no action by management or review coverage is planned could be included in the department's annual audit plan, such as where the chief executive officer or a divisional manager have particular concerns and A & AS resources are available. In addition, A & AS continues to include a selection of depot or site reviews each year, even though these areas are not rated a high risk in the A & AS risk analysis.
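The two outputs described above, the scaled risk differential used to rank candidate audits and the separate list of unmitigated high inherent risks, can be computed directly from a risk register. The following is an added illustration, not the council's or the authors' own tool: the article does not reproduce the conversion chart or the scaling factor values, so the rating-to-number mapping, the three factor tables, the `RegisterItem` fields and the sample register are all assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumed conversion chart: qualitative rating -> numeric value.
# The article refers to a chart developed by corporate risk management
# but does not reproduce it; these values are illustrative.
RATING_VALUE = {"low": 1, "medium": 2, "high": 3, "extreme": 4}

# Assumed scaling factors for the three headings named in the article.
# Each is a multiplier >= 1.0 applied to the inherent-minus-current differential.
EXEC_INTEREST = {"none": 1.0, "some": 1.25, "strong": 1.5}
CONTROL_PERCEPTION = {"strong": 1.0, "adequate": 1.25, "weak": 1.5}
TIME_SINCE_AUDIT = {"<1y": 1.0, "1-3y": 1.25, ">3y": 1.5, "never": 2.0}


@dataclass
class RegisterItem:
    """One line of a divisional or branch risk register (assumed field set)."""
    area: str
    inherent: str            # rating before controls, e.g. "high"
    current: str             # self-assessed rating after controls
    exec_interest: str       # key into EXEC_INTEREST
    control_perception: str  # auditors' view of the key controls
    time_since_audit: str    # key into TIME_SINCE_AUDIT
    action_planned: bool     # management has a mitigation action scheduled
    review_planned: bool     # an independent review is already scheduled


def risk_differential(item: RegisterItem) -> int:
    """Numeric gap the self-assessed controls claim to have closed."""
    return RATING_VALUE[item.inherent.lower()] - RATING_VALUE[item.current.lower()]


def scaled_differential(item: RegisterItem) -> float:
    """Differential scaled up by the three A & AS factors.

    A large value means local management credits untested controls with a
    big reduction in risk, which is exactly where an audit adds most value.
    """
    diff = risk_differential(item)
    if diff <= 0:
        return 0.0  # no claimed reduction, nothing to test
    return (diff
            * EXEC_INTEREST[item.exec_interest]
            * CONTROL_PERCEPTION[item.control_perception]
            * TIME_SINCE_AUDIT[item.time_since_audit])


def rank_for_audit(register):
    """Candidate audit areas, highest scaled differential first (stable sort)."""
    ordered = sorted(register, key=lambda i: -scaled_differential(i))
    return [(i.area, scaled_differential(i)) for i in ordered]


def unmitigated_high_risks(register):
    """Areas for the separate audit-committee report: high or extreme inherent
    risk, current risk unchanged, and neither management action nor review planned."""
    return [i.area for i in register
            if RATING_VALUE[i.inherent.lower()] >= RATING_VALUE["high"]
            and i.inherent.lower() == i.current.lower()
            and not i.action_planned and not i.review_planned]


# Constructed sample register; the areas and ratings are made up for this example.
SAMPLE_REGISTER = [
    RegisterItem("Payroll", "high", "low", "some", "weak", ">3y", True, False),
    RegisterItem("Procurement", "extreme", "medium", "strong", "adequate", "never", False, False),
    RegisterItem("Fleet depot", "medium", "low", "none", "strong", "<1y", False, True),
    RegisterItem("Water treatment", "extreme", "extreme", "none", "adequate", ">3y", False, False),
    RegisterItem("Records", "low", "low", "none", "strong", "1-3y", False, False),
]

if __name__ == "__main__":
    for area, score in rank_for_audit(SAMPLE_REGISTER):
        print(f"{area:16s} {score:5.3f}")
    print("Unmitigated high risks:", unmitigated_high_risks(SAMPLE_REGISTER))
```

Note that "Water treatment" scores zero in the ranking because nothing has been claimed about its controls, yet it is the item the separate report exists to surface: the ranking finds areas where claimed control effectiveness is untested, while the second list finds areas where no one is claiming or planning anything at all.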

Content provided in partnership with Thompson Gale