Saturday, August 23, 2008

ERM-based audit reports: auditors can give clients a better view of control weaknesses by aligning their reporting process with enterprise risk management


Sean De La Rosa


Much has been written in recent years about the need for increased alignment and interaction between the assurance functions of enterprise risk management (ERM) and internal auditing. Because many corporate governance standards are broad in their coverage, they often do not provide auditors with practical suggestions for how this alignment process should take place and what the final output of audit reporting should be. Also, many internal audit departments have limited resources available to focus on improving alignment strategies due to shrinking head counts, time constraints on completing audits, and the need to meet the increased demands of the audit committee.


Sawyer's Internal Auditing, 5th edition, by Lawrence B. Sawyer, indicates that one way of improving audit reporting is to summarize and communicate audit results from a risk perspective. This approach is a significant departure from traditional audit reporting techniques in which internal audit departments provide detailed feedback to audit clients solely based on their findings. Although the degree of interplay between the various assurance tiers in an organization will differ from business to business, the need for strong ties between ERM and internal auditing is fundamental. Auditors can use the following steps and illustrations to integrate ERM principles into routine internal audit reporting, including audit scoping, producing the final audit report, and providing follow-up feedback about significant items identified during audits.


DETERMINING THE SCOPE


IIA Standard 2201 requires internal auditors to communicate in writing the objectives, scope, and responsibilities of internal auditing and any client expectations for significant audit engagements. The determination of the audit scope is achieved by assessing the associated business objectives, significant risks to each activity being audited, resources used within the function, and effectiveness of existing risk management activities.


The scope of most audit activities should be documented to ensure that there is no ambiguity regarding the service the audit department will render. Documentation can elevate the profile of the internal audit function by making the audit approach more transparent and clearly defining the areas of assessment for the client. Scope documents issued before an audit begins should include key planning dates, scoping criteria, and an introduction to ERM principles. Key dates should include time scheduled for fieldwork, preparing and finalizing reports, and follow-up.


To define the scoping criteria, auditors should hold discussions or self-assessments with management during the planning phase to determine what managers consider to be the most significant business risks. Based on these assessments, auditors should provide a listing of risks and the controls that they intend to review (see "Internal Audit Expectations" on page 74). Auditors should also bring to management's attention any additional risks they detect during their review.


To achieve maximum results, the documented scope should be agreed upon and formally issued to the client about two to three weeks before the assignment begins. Final audit report results can be depicted using an ERM heat map that classifies control weaknesses based on the likelihood that they will occur, their severity, and financial impact. The probability and severity criteria used to report audit findings should coincide with the common language used by the ERM function within the organization. The severity of weaknesses could be classified as catastrophic, critical, major, medium, minimal, and insignificant.


FINAL AUDIT REPORT


After auditors have finalized their fieldwork and discussed their draft audit results with the client, the final audit report is issued. IIA Standard 2400 requires the final report to include the engagement's objectives and scope, as well as applicable conclusions, recommendations, and action plans.


Following Sawyer's guidance, auditors should provide the client a table indicating the scores they have assigned to the risks that were detailed in the scope document. Communicating the results this way gives the client credit for risks that were well-managed at the time of the review. A composite score should be calculated and plotted on the ERM heat map based on the risk summary and the auditor's final assessment of the process that was reviewed. The auditor then provides a brief executive summary of the individual risks that were assessed, which are classified as minor weaknesses, management attention, and/or major deficiencies (see "Risks Requiring Improvement" on this page). The degree of detail within this section of the executive summary should be standardized and agreed upon by senior management each year. The executive summary should conclude by giving the audit client's management team an opportunity to remark on the composite score provided by the auditors and make any additional comments.


Finally, individual appendices should be attached to the executive summary and referenced appropriately. Each appendix should detail the nature of the issue, internal auditing's concern statement and recommendation, management's comments and action dates, and the person responsible for resolving the issue.


FOLLOW-UP


Once auditors have submitted their report and management has reviewed its findings, IIA Standard 2500 states that the chief audit executive should establish a follow-up process to monitor and ensure that management actions detailed in the report have been effectively implemented or that senior management has accepted the risk of not taking action. The follow-up report should be consistent with the ERM principles introduced in the scoping process and the overall look and feel of the audit report. The results of this follow-up exercise should produce a revised composite score, which can either reflect an improvement or deterioration in the control weaknesses identified in the original audit report (see "Follow-up Results" on this page). Results supporting the revised composite score are provided in the table that follows the heat map. Issues identified in the table as "not yet addressed" or "requiring further management action" should be discussed in the remainder of the report by way of appendices.


ALIGNMENT IS A JOURNEY


The process described in this article is just one way of integrating risk management into audit reporting. Internal audit departments should try out new techniques in consultation with their ERM functions to find the methods that work best for their organization. Auditors should see the process of aligning audit reporting with ERM as a journey that will advance as the internal audit and risk management disciplines grow.


SEAN DE LA ROSA, DCOM, CIA, CISA, CCSA, works in the ERM function for PricewaterhouseCoopers in Johannesburg, South Africa.


To comment on this article, e-mail the author at sdelarosa@theiia.org.


A version of this article was first published in IIA-South Africa's Adviser magazine.


To share emerging risk issues and best practices from your own audit experiences, or to request coverage of a particular risk, e-mail jamesroth@audittrends.com.


RELATED ARTICLE: Follow-up Results


The heat map below depicts the improvement in the control environment for risks assessed in the initial audit report (this is shown as a movement from A to B):


[GRAPHIC OMITTED]


IMPACT SEVERITY     FINANCIAL IMPACT (in South African Rand*)

Catastrophic        > 500 million
Very Critical       100 million-500 million
Critical            10 million-100 million
Major               1 million-10 million
Medium              100,000-1 million
Minimal             10,000-100,000
Insignificant       0-10,000

* 1 South African Rand = US $0.15.

The status of these issues is set out below:

RISK STATUS                                                          NUMBER   PERCENTAGE

A. Issues satisfactorily resolved
   * High Risk (H)                                                      3         27
   * Moderate Risk (M)                                                  2         18
   * Low Risk (L)                                                       3         27
B. Issues not yet addressed
   * High Risk (H)                                                      0          0
   * Moderate Risk (M)                                                  1         10
   * Low Risk (L)                                                       0          0
C. Issues partially resolved but requiring further management action
   * High Risk (H)                                                      2         18
   * Moderate Risk (M)                                                  0          0
   * Low Risk (L)                                                       0          0
Total                                                                  11        100

Risks Requiring Improvement

Appendix 1
  Risk: The risk that approved authority limits are not in place, resulting in unauthorized transactions.
  Findings:
  * Current Authority Limits Manual did not include key transaction types such as capital expenditure.
  * Current Authority Limits Manual assigned any director unlimited authority.
  * The limits for the revised Authority Limits Manual relating to check payments were too high.
  Agreed-upon action date: 07/29/2005

Appendix 2
  Risk: The risk that inconsistent credit and collection procedures could increase the possibility of bad debts and delay cash flow.
  Findings:
  * Draft credit management policy in progress.
  * The criteria according to which all current customers were assessed as a basis for determining credit worthiness were not documented.
  Agreed-upon action date: 12/31/2005

Internal Audit Expectations

RISK DESCRIPTION / EXPECTED CONTROLS

Manage Sales Activities

Risk: Sales personnel disregard marketing strategies.
  Expected controls:
  * Develop realistic sales strategies and quotas in accordance with the group strategy.

Risk: Sales personnel lack knowledge about product features or benefits.
  Expected controls:
  * Provide product awareness training.
  * Retain qualified and experienced sales personnel.
  * Provide staff with initial and periodic product and customer service training.

Risk: Incomplete or inaccurate customer information/Inadequate information systems.
  Expected controls:
  * Maintain key customer information that will be useful in marketing the entity's products.
  * Periodically verify the accuracy of customer information.
  * Maintain accurate and timely product and customer information.

Risk: Poor customer service may result in loss of key customers and sales and have a negative impact on the reputation of the company.
  Expected controls:
  * Ensure a formalized customer complaints/claims process is in place.
  * Continuously monitor service levels between customer service/sales personnel and third parties, such as applicable business units, logistics, and supply chain, for the timely resolution of customer complaints/claims.


COPYRIGHT 2005 Institute of Internal Auditors, Inc.
COPYRIGHT 2008 Gale, Cengage Learning

2 comments:

Athiambiwied said...

Thank you so much! That did the trick, you saved me more endless hours of searching for a fix.

Auditors in Johannesburg

Swethagauri said...

You rock particularly for the high caliber and results-arranged offer assistance. I won't reconsider to embrace your blog entry to anyone who needs and needs bolster about this region. tax consultancy in dubai