The Absurd Notion of a Balanced Audit Plan

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.

OK, it’s time for a rant. And this one is sure to upset some people.

For some time, thought leaders (such as PwC and certain individuals within our profession) have been talking about the need for "balance" in the audit plan. For example, I just read this from an IIA paper: “Internal audit plans are reflecting much more balanced coverage among operational, financial, and compliance risks than was in evidence for much of the past decade.”

"Balance" implies that you need some percentage of your audit plan dedicated to this area, another percentage to that area, and so on. But I believe that the audit plan should be designed to address the more significant risks, whether that results in "balance" or not.

For example, several years ago my company had an environment where not a single individual in financial reporting held a CPA or equivalent, the prior year SOX assessment included three material weaknesses and a variety of significant deficiencies, we had restated prior year annual and quarterly financial statements, and we had a revolving door among leadership and staff at our European shared services center. Did we seek a balanced audit plan? No, it was tilted way over to financial reporting and related risks.

At another company, I joined at a time when we had just self-reported to the federal government — for the second time — non-compliance with export regulations. The audit coverage was, again and rightly so, unbalanced.

Then, there was the situation when Business Objects was going to be acquired by SAP. In addition to the risks involved in migrating to a new ERP and consolidating some business processes, a significant number of key people involved in those processes were leaving the company. The audit plan gave scant attention to financial reporting, but a lot to risks related to the integration.

My opinion is that seeking a balance among financial, operational, IT, compliance, and strategic risks is not only misguided but high risk.

Instead, all these areas of risk should be understood and considered for inclusion in the audit plan based on their significance to the business, and not some theoretical need to have one from column A, one from column B, and so on. Take the top risks regardless of how they are categorized. If that means that the audit plan has nothing around strategic risks and 80% of the plan is directed at operational risks, that’s not just OK, it is right. If that means that 80% of the plan is on strategic risks, then that’s OK too.

Focus on what matters most.

When the ground is unsteady, you naturally lean to one side so you can keep going. Internal audit should do the same — leaning towards the more significant risks.

OK. So who is going to take the first shot at me?

Posted on Apr 10, 2012 by Norman Marks


  1. I do not think that the intent behind "balanced" means that you need a certain % for each area... It's like this:

    Assume Internal Audit is the "Building Security" guarding a building (an enterprise) which has multiple entries/exits (each entry/exit can be correlated with financial, IT, operational etc.)...

    While I do agree that the focus should be on the most risky entries/exits, at the same time we need to ensure that the other entries/exits are as safe as presumed; otherwise, the building security (internal audit) will just end up fire fighting (focusing on those entries/exits that require the most attention).

    Also, the balanced approach gives early insights into risk movement, thereby helping internal audit to sensitize the organisation to address them immediately instead of waiting for the risk to become significant enough to grab the attention of internal audit / management.


  1. Thank you for the comment.

    When people bemoan a lack of balance, they then continue by saying there has to be more of this or that - as if there is a quota.

    On the point about the number of entrances/exits, I would check out the ones that represented the greatest risk first. I would only look at the others if I had sufficient resources. It's nice to think we have the resources to check not only the doors and windows, but the floors and roof as well. In practice, resources are limited and we need to make sure we are working on what matters most.

    Having said which, I do agree that some form of monitoring is desirable that will tell you that what used to be lower risk areas are increasing in their 'threat level'.

  1.  Norman,

    I agree with you that this "balanced" notion causes more confusion and reduces focus on the more significant risks. The whole aspect is determined by time spent on audit and relying on others' work. Unfortunately, in some cases I have noticed that auditors and risk managers weren't even in a position to identify the high risk processes. Now this may sound weird, but let us say a BPO has 100 processes; which ones are high, medium and low risk can be difficult to determine. Secondly, for each process, the nature of risk differs. Without the groundwork in understanding the business, risk managers and auditors can't do any balanced risk management or audit.

    So my view here is that, whether for risk managers or external or internal auditors, a plan can be developed only after a full assessment of business risks. Putting people or departments in place, without really focusing on high risks and mitigating them, is just an eye wash.

    Sonia

  1. Couldn't agree with you more, Norman - it's all about risk . . . and should always have been so . . . In many industries today, that may mean a significant focus on governance, regulatory compliance and IT risks. The profession went "off base" when some shops took on a Finance role with the implementation of SOX compliance work. Obviously, this was in line with "thought leaders" selling these services to CFOs. So, hopefully Internal Audit is back to a risk based approach and plan, encompassing all risks, while focusing on the most significant.

  1. Norman,

    I agree with you 100%. The idea of a "balanced" approach is contrary to a risk-based approach linked to company objectives. When I think of balance, I think of it in the context of the risk assessment itself. Have you considered whether strategic risk is a significant risk to the company, or have you blindly gone down the same path you always have because it's comfortable? If your risk assessment is balanced in that you've considered the full composition of risks, then your audit plan should be "unbalanced" in most instances. After over 20 years in the business, I haven't yet seen a company whose risks were equal across the board.

  1. Excellent point, Tiffany. If the risk assessment is not 'balanced' to consider all risks, then the results will be warped.

  1. Music to my ears, Norman. Bravo!!!!

  1. Norman,

    I think there is another meaning to the word 'balanced' when it comes to auditors in some cases. That is, balanced in judgment as opposed to being dogmatic in approach or being adamant about certain principles even when circumstances dictate otherwise. This meaning of the word is a harder call to make because it requires depth of experience in all participants in such a discussion if there is to be any meaningful discussion at all.


  1. Fascinating Discussion! 

    A few things spoke to me; I compared the risk audit world to public education. Public educators are trying to bring "balance" into the classroom by smothering the day with bits of everything, when children can't effectively read, write etc. Visit a classroom near you to understand.

    When I think of my audit days, I spent more time on what was historically problematic. Other entities within the organization wanted their areas reviewed or wanted to morph the audit. It becomes more than one person or even a team can complete, which potentially degrades the quality of all areas.

    My thought is to create a baseline and adjust from there.


  1. Norman, I am going to disagree with you and Tiffany that the risk assessment needs to be balanced. In the same way the audit plan should be weighted toward the highest risks and not just following some quota system, your risk assessment should be weighted toward your most important objectives.

  1. I agree that the audit plan should avoid some arbitrary quotas for the COSO areas, but "balance" means more than that.  There's an old adage that when the only tool you have is a hammer, every problem is a nail.  We need to avoid that type of thinking, so just because you have no CPAs on staff doesn't mean that you can ignore the financial risks.  If you have no IT auditors, that does not minimize the IT risks.  But I do understand that, without a trained financial auditor, it is difficult to effectively assess the financial risks; and without an IT auditor, it is just as hard to identify the IT risks.  But these risks still exist whether we assess them or not, and that's what I believe is meant when looking for balance in the audit plan.  Not a quota system, but some level of assurance to the Board and senior management that Internal Audit is looking at the enterprise and not just at the same old risks or the same old resources.

  1. Norman,

    Let me go one step further ... not only does your plan need to be unbalanced, but it should actually accent those areas which will be near-future high risk areas. Internal audit often has the advantage of being the corporate/institutional memory and ideally the picky mother-in-law, pointing out all the flaws you didn't even know were an issue. We need to be there, with our noses sniffing around, critically challenging the assumptions held.

    Look at financial institutions. I know more than one audit department was aware of the issues before the crisis hit. We need a seat at the table, we need to earn that seat, and therefore we need to go where the risks are about to hit, not where they have already hit, because then we will be irrelevant.

    Hence, our biggest challenge may be indeed our biggest opportunity, and an unbalanced audit plan is a very good step in the right direction.

    Thanks for the great article.

    Cheers, Ben 

  1. Ben, thanks for the insightful comment.

    There's an old story that behind every successful person there's.........an astonished mother-in-law.

    At some companies, behind every successful manager is an astonished auditor.

  1. I have to find the commentary quite fascinating. Fascinating in that it might be completely missing the intended point. In the SOX era, internal audit focus was overweighted to controls over financial reporting; this resulted in many an audit plan being significantly redirected toward financial risks and controls as a disproportionate part of the “audit plan.” As we continue to recover from this non-risk based focus of internal audit efforts, we are seeing internal audit plans “rebalance” to being more equally focused on financial, operational and compliance areas. Is that the right answer for every company? Of course the answer is, without question, NO. In fact, indications are that not enough internal audit effort is being directed toward focusing on critical areas that key stakeholders expect of internal audit: paying adequate attention to strategic risks and risk management assurance activities. So, yes, survey results indicate that internal audit plans are rebalancing from a place we should all agree was not ideal, but that is not to say that a plan should be equally “balanced.”
  1. Hal, it’s good to hear from you and thank you for the comment.

    I believe the discussion is completely on point: rather than seeking "balance" as portrayed in several pieces over the last few years - including this year - internal audit should be focusing its limited resources on what matters most to the organization.

    It's not a matter of balance. It's a matter of allocating resources based on organizational needs for assurance (and consulting) services.

    On the matter of SOX, my argument - which is strongly held - is that management and the board were entitled to ask internal audit to play a significant role in management's SOX compliance activity. The organization realized great value from our contributions. SOX work adds as much if not more value than other work internal audit routinely performs which is outside its core assurance role, such as fraud detection, healthcare audits, and detection of duplicate payments.

    The problem was not that this resulted in a lack of balance.

    The problem was that instead of adding resources for additional work, organizations took resources away from our ability to fulfill our core mission.

  1. When I was CAE, I made sure I had resources to perform both the necessary SOX work and the core internal audit assurance (and consulting) service work necessary to address the more significant risks to the organization.

    I may have had 50% of my total team working on each area. Was that balanced or unbalanced? Who knows and who cares? The point is that I had sufficient resources to do both, and do both well.

    One thing people forget is that if you look at GAIN surveys from the pre-SOX era, on average internal audit functions spent a majority (as much as 80%) of their time on financial risks. Was this unbalanced? Who knows and who cares? The problem with that era was that the typical audit plan was not based on providing assurance on the more significant risks to the organization. In particular, strategic risks were often not considered in developing the audit plan.

    Do we have a problem today?

  1. Here is my view:

    1. Too few audit departments are developing a flexible (i.e., changing as today's risks change) audit plan designed to provide assurance (and consulting services) on the more significant risks to the organization.

    2. Too few departments are considering all the risks, including risks due to defective governance and risk management process, as well as strategic, operational, financial, compliance, and IT-related risks.

    3. Few audit departments have risen to the challenge and provided formal overall (or macro-level) reports to the board and management on the management of the more significant risks, and the effectiveness of related governance, risk, and control processes.

    4. In their haste to move away from SOX, many internal audit functions are overlooking the risk of error in external financial reporting. Each organization should at least give consideration to the more significant risks, including external audit failure. Should they rely on other assurance providers, including the external auditors and SOX teams?

  1. 5. Internal audit departments are not providing assurance at the speed needed by management and the board. Audits take too long. We need to change the audit approach and mindset so we can deliver assurance pretty much on demand. That will require changes in process and tools.

    6. Too many seek to "align" with the expressed desires of the stakeholders, especially the board, when the latter may not be aware of what we can and should be doing. "Alignment" is a word like "balance" that we should not be using nearly as much as we do. We need to educate and demonstrate our capabilities and potential.

    I welcome comments.

  1. When you go away on holiday all the action starts!

    I think the one thing about "balance" is that it raises a question to IA teams who are putting all their eggs in one basket (e.g. financial controls or IT security) whether this is sensible.

    The behavioural issue is that of risk fads, and IA has to be wary of being overly swayed to work in an area that everyone is excited about but is looking at already. It may make IA popular to be working on the fashionable issue, but the danger is that IA is acting in a second or even first line role (rather than third line) and being swayed by management impressions of net risk exposure, rather than key risks at a gross level that the organisation thinks are under control, but are not, in fact. This point speaks to the alignment comment Norman makes.

    The underlying question is how we pull our IA plans together in the first place ~ gross risks or net risks ~ areas management wants us to look at or areas they'd rather we didn't? ~ processes, locations, risks, key objectives or all of these? And who do we consult ~ the board and senior managers only, or line managers and other heads of assurance, or take only limited account of all of these? Further, all of my experience with clients highlights the challenges of presenting the IA plan to I) take into account the role of other assurances and II) make it crystal clear what is NOT being looked at by IA and III) explain how this links to any overall opinions being sought (a whole other ball game!).

    CAEs need to challenge themselves whether they are being transparent enough about their plans.

    The link provided is to an article on IA planning I wrote on this that theiia.org have posted ~ In my humble opinion not nearly enough is being done to develop a deep understanding of good practice in this area.

  1. Hi Norman,

    Maybe the risk is that it is a traditional plan and not a flexible strategy to provide independent assurance on the effectiveness of the management of the highest risks to achieving the objectives of the organisation. Audit plans based on risk assessments even 3 months old are probably not all that useful as the risk may well have changed but the auditor is held accountable to completing the outdated audit plan. Risks are not polite and static. What would be more useful would be IA focussing on providing assurance around current and emerging risks to achieving the major objectives of the organisation. 

    This requires looking at the effectiveness of the risk management processes applied to the higher opportunity/risk projects/new products/organisational changes/external environment etc. It also requires looking beyond systems and processes and commenting on the culture of the organisation.

    This means IA being close to the top action so that it can give an independent view in a much more timely and useful manner on the areas that matter. The issue is whether executive management will be willing for IA to be in the Board room! If IA is not there then it will continue to underperform and be a target when relevance is raised or the big issue is missed.
