Explaining Modern Risk-based Auditing

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


The other day, I was talking to an internal audit leader for whom I have great regard. I was stunned to hear him say that you do two risk assessments: one when you develop the audit plan to identify the processes, locations, and business units to audit, and a second one when you start each audit so you can identify the risks to assess in each area.

That is the way I learned to build the audit plan more than 20 years ago; one of the best at explaining the process was David McNamee (see here for his book on the topic).

Essentially, you build a “risk”-ranked audit universe. The first step was to identify all the potential areas for audit, including business processes, locations, data centers, etc. (A frequent question among auditors was “how large is your audit universe?”)

You then considered (and some had very sophisticated models for this) various factors such as:

  • Revenue generated or accounted for at that location, by that process
  • Asset size
  • Time since last audit
  • The significance of any findings in the prior audit
  • The level of change in systems, process, and personnel
  • Management and board input on risk
  • Etc.

The audit plan included engagements at these locations or of these processes.

I moved away from this process in the early 1990s because I didn’t believe it was helping me address the areas of significance to the board, top management, and the company. While it was “risk”-based, we were not talking about risks to the objectives of the organization. We were instead talking about the potential for any deficiencies in internal control to have an impact (in monetary terms) of some size. The difference may be subtle, but it is important. I want to focus my audits on ensuring the organization has the ability to achieve or surpass its objectives.

A jaw-dropping moment happened when I explained my risk assessment and audit plan to the audit committee of the oil company where I was CAE (Tosco Corporation). The CEO asked whether I had considered risks relating to the blending of gasoline, diesel, and jet fuel. As it happened, I had — but it was not considered high risk; it was more a compliance issue than anything else. But, when I talked to the company’s executives I heard that when Exxon performed an enterprise-wide risk assessment, this area had been identified as their #1 risk! Poorly-blended jet fuel could lead to Boeing 747s dropping out of the sky into densely-packed urban areas — with the potential to bankrupt the largest (at that time) company in the world. A few years later, I saw the effect of poor blending of diesel fuel when Southern California drivers had major problems and fingers were pointed at us as well as a few other oil companies.

So, I moved to an approach where I identified the top risks to the achievement of the company’s objectives (a risk universe), and then identified the engagements I could perform to provide assurance that the controls were adequate with respect to those risks and advice where they did not.

This, for me, is modern risk-based auditing.

I use a metaphor to explain my goal. In the old days, I might decide to perform an audit of my car. After all, it is a high-risk area. So, I will assess the quality and condition of the engine, steering, tires, air conditioning, etc. Perhaps I will find some defects and recommend service and repairs. These days, I would consider my objective: traveling from my home in San Jose to the airport in San Francisco (42 miles). The risks are a breakdown of the car, an accident involving my car or others, traffic congestion, and weather. My audit would include looking at aspects of the car that I rely on to address these risks, including whether I am tuned in to traffic and weather on the radio. I would also consider how I would ensure I am sufficiently awake (my flight is at 6am) and how I would know whether to take an alternate route.

The older audit is focused on auditing the car; the second is auditing my capability to arrive safely and on time.

This is how the IIA (UK and Ireland) defines risk-based auditing: “a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite”. 

Some prefer to focus on risks to value creation rather than to specific objectives. I am generally fine with that approach, as illustrated in a piece from the co-sourcing firm of Vonya Global.

A new IIA Practice Advisory (2120-3) (PDF) reinforces this view, as do Practice Advisories 2010-2 (Using the Risk Management Process in Internal Audit Planning) and 2200-2 (Using a Top-Down, Risk-Based Approach to Identify the Controls to be Assessed in an Internal Audit Engagement). However, I must admit that the older IIA guidance is at best unclear whether it supports the older and more traditional approach or modern risk-based internal auditing. I believe this merits attention from the various IIA standards and guidance groups.

What do you think?

Are you a proponent of the traditional or the modern risk-based internal audit approaches?

Posted on Jul 14, 2013 by Norman Marks


  1.  If anybody has a better link to the IIA UK position statement on risk-based auditing, please share.

  1. Now I have just understood the real advantages of RBIA over traditional auditing (risk universe instead of audit universe). The example of the car is so amazing and helpful. Many thanks, really I enjoyed reading about this important issue, and in my opinion I think RBIA IS THE BETTER?
  1. Norman; I think how IA allocates resources is an important one. Readers might be interested in a workshop exercise I used for many years asking experienced CAEs to rank 9 options.

    Assurance Resource Allocation Options

    1. Straight cyclical coverage.
    2. Based on requests from senior management.
    3. Using a scoring formula maintained by internal audit which allocates points based on: (1) Annual sales volume (2) Assets at risk (3) Time since last audit (4) Previous audit rating
    4. Based on a scoring formula maintained by internal audit which allocates risk points related to the following categories: (1) Property risk (2) Monetary assets (3) People risk (4) Commercial risk (5) Information (6) Legal Regulatory Risk (7) Political (8) Operational
    5. Based on a scoring formula maintained by internal audit that scores each business unit on their overall “Risk Fitness”.
    6. Based on results derived from anonymous voting workshops on the degree to which they believe their unit manifests control criteria in a specified control model such as COSO, CoCo, CARD® model, and discuss any concerns identified.
    7. Based on a risk formula developed by internal audit that uses 19 variables. Ratings are assigned by internal audit judgementally based on available knowledge and information.
    8. Based on performance indicator information on how well objectives are currently being achieved.
    9. Based on the quality assurance reviews of control and risk self-assessments generated by work units.
  1. Norman, as usual your thoughts are very insightful and thought provoking. However, I would point to a flaw in the logic used in your metaphor. The two audits are truly different, which is perhaps the reason you use that comparison. However, I would look upon the car audit as a type of maintenance audit while the get-to-work audit is more of a travel-related audit. Both are valid audits, and both may end up being areas critical to achieving an organization's goals and objectives. So, I don't believe your example illustrates the points you are striving to get across very well.

    However, with that said, there are key points that I do agree with. The biggest among these is shifting how you define the audit universe so that it aligns with the stated goals and objectives of the organization. I would love to see much more detail on how you accomplish this. Can you give specific examples of how your development of the audit universe varies from the traditional approach?

  1. Here it is.

  1.  Dan, they are indeed different audits. One is about the car and the other is about the risk to my objectives. The first has some value, the second has relevance to how I operate and create value. Since my objective is not travel but safe arrival, a risk-based audit would not audit "travel" per se.

  1. Norman, as you might guess from my website I am totally in favour of risk based internal auditing. I was also involved with the IIA-UK's work on risk based auditing when I was a member of its Technical Development Committee. Since the only reason for having internal controls is to manage risks, it follows that risk based auditing is the only auditing we should be doing. Systems based and compliance auditing are subsets of risk based auditing but without examining the risks behind the controls. This causes problems; for example in compliance auditing, if you don't understand the underlying risks, how do you know that the controls you are auditing for compliance are complete? If you find weaknesses, how do you know their impact without understanding the risks being managed? One of my more controversial opinions is that the risk and audit universe should be driven out of the organisation's risk universe. That means internal audits are driven by the organisation's view of its risks, not the internal audit department's view. Internal Audit's responsibility is to ensure the organisation's risk universe is comprehensive. Dan - this is how you align the stated goals and objectives of the organisation with the audit universe - the latter comes out of the former. These views are generally in line with UK guidance from the Financial Reporting Council. The Corporate Governance Code states, 'The board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The board should maintain sound risk management and internal control systems.' So if the board knows its significant risks, it is internal audit's job to confirm that these risks are being managed to within the board's risk appetite. Which is risk based internal auditing!
  1. Norman - yes, agree - audit universes are passé. There is, however, a practical element: objectives, and the risks flowing from those objectives, are managed through systems, processes, people and departments. To audit just risks from objectives risks being esoteric and disconnected from the reality and organisational tools that actually manage that risk. Take admissions at a university. The risk of not getting enough students enrolled falls to marketing, comms, internet, IT, academics, employability, finance etc. So it makes sense to break this risk management down into more manageable processes (hence an audit universe).

    To see my full debate, see my blog.

  1. Norman:

    A risk based audit universe is relevant and achievable. The risks which affect the achievement of the organization's objectives are known by the Executives and have to be applied to achieve a risk based audit universe. The risks must be elicited through any means of workshops, presentations, dialogues, one-on-ones, etc. The audit universe must be developed and the two combined to define the risk based audit universe/audit plan. Before conducting any audit, a risk assessment is prudent and should be dynamic, that is, updated during the audit.

    Overall, I like the GTAG approach (Defining the IT Audit Universe), which if broadened to all parts of the organization, would I believe fit the development of an audit universe in any organization.

  1. After serving as a CAE for 11 years I had the opportunity to run a $200 million in revenue company as CEO. We were controlled by a large organization but run independently. I was surprised how the audit function of the large organization was tone deaf to our concerns. For example, I was concerned about our basic accounting and treasury controls. The auditors thought these risks were passé and wanted to get into the risks of the core operations that could cause significant loss if not mitigated. Sure enough we experienced a significant embezzlement that cost the company money and several decent people lost their jobs over it. The root cause was classic. A person in need of money saw the opportunity to take advantage of a new CFO coming on board, a segregation of duties conflict, and rationalized he would give the money back. Sound familiar? I would argue substance over form in assessing risk and most importantly listen.

  1. I totally agree with your approach; especially the gas blending example is such a nice example to understand the importance of the risk based approach. We definitely need to start from the organization objective, then risks to those objectives, then controls, and then testing of those controls. To be honest with you, I have been in the field of internal audit for the last 7 years. I have worked in Asia, Africa and the Middle East. Auditees don't take us very seriously because our direction of work and the organization's priorities are not in line. Hence, we are not able to convince them that we are here to add value. It could only be possible if we start from mission / vision and organization objectives, then risks to them and so on, rather than identification of existing controls and testing the effectiveness and efficiency of them.
  1. Dear Mark, I am new to Internal Audit and couldn't clearly grasp your concept of Risk Universe. Could you explain what the Risk Universe of an organization is, and where can I read more about that? Thanks
