Risk-based auditing is a new method developed by the US Office of the Comptroller of the Currency (OCC). Its fundamental concept is that of merging several aspects of risk management with the characteristics of auditing. This is achieved in an efficient manner by capitalizing on the fact that, at least in principle, internal auditors act as independent agents when they can carry out their study uninhibited by senior management influences:
• Independence permits internal auditors to render impartial and unbiased judgements essential to the proper conduct of audits.
• Well documented risk-based results are achieved through the auditing department's organizational status and objectivity, to which are added analytical control characteristics.
The OCC has established certain requirements for the reliable execution of risk-based auditing. At the top of the line is that for every job they are doing, internal and external auditors should have the support of the board and of senior management. This allows them to perform their work free from interference from different elements in the organization, and it is exactly what an efficient risk control methodology requires. Other requirements include:
• A risk-based audit should benefit from broad coverage
• Adequate consideration must be given to risk management reports and
• Recommendations for corrective action are incorporated into the feedback.
Executives at the OCC made the point, during our meeting, that while risk-based auditing might be seen as overlapping with the work done by line risk management, in reality the goal is different. Risk-based audits are a metalayer of the exercise of line control over the bank's exposure (see a similar reference to internal auditing made by Bank Leu in Chapter 6).
96 Why Internal Control Systems Must be Audited
To plan a risk-based audit, the OCC suggests, the auditor should obtain a sufficient understanding of each of the elements of the internal control structure. This understanding should include knowledge about trading policies, and the way they are executed; the nature and extent of supervisory procedures; and the interactive use of databased information. In planning the risk-based audit, knowledge should be used to:
• Identify sources and types of potential misstatements
• Consider factors that affect the risk being investigated and
• Design substantive tests concerning hypotheses which guide the auditor's hand.
The leader of a risk-based audit project should be in direct communication with senior management, because this type of support provides effective means to do a neat job and also permits keeping the board and senior executives informed on matters of exposure. As with all management control projects, independence is enhanced when the board concurs in the appointment or removal of the director of auditing.
To these conditions which have been advanced by the OCC I would add, based on my own experience, that a risk-based auditing effort will be enhanced if the board and CEO carefully define the company's risk tolerance. This should be done by class of instruments: equities, bonds, derivatives - and subdivisions thereof. Metrics used for expressing risk tolerance and for monitoring reasons should be chosen and tested. For instance, a growing volume and/or value of trades in derivatives is evidence of increased tolerance of risk.
In the background of any tolerance-based approach is the aim of providing the auditors with some quantitative standards for the evaluation of internal control. 'Tolerances' is an engineering design concept which can be effectively used in finance - particularly for setting limits and for risk control purposes. Let me briefly describe what it means.
Let us take as an example a nuts and bolts assembly. To assemble mass-produced nuts and bolts we must observe their tolerance. Quality assurance should see to it that this happens; it does in the upper half of Figure 4.4, but not in the lower. Nuts and bolts coming from low-quality production would not assemble when their dimensions fall in area I, and would hold together in a lousy way when their dimensions fall in areas II and III. Think in these terms when evaluating limits, whether these are associated with credit risk, market risk (Chorafas, 1999), or other risks.
Quality assurance in a production line, from manufacturing to loans authorization and trading, should be seen not as a one-off event but as a trend. This is very important for a successful implementation of risk-based auditing: the trend reveals auditing-related secrets which cannot be easily seen in a snapshot, because in a snapshot they can hide behind 'this' or 'that' issue.
New Standards and Risk-Based Audits 97
[Figure 4.4: two frequency-versus-size-of-diameter panels for nuts and bolts. Upper panel, high quality: both distributions fall within tolerance. Lower panel, low quality: the distributions spill outside tolerance.]
Figure 4.4 High quality means that tolerances are observed at all times; low quality fails to observe tolerances
As far as financial control is concerned, a great deal can be learned from manufacturing because the manufacturing industry was first in implementing statistical quality control (SQC) methods. Close monitoring of any process can prove that each item has been made within a carefully designed set of parameters that helps to assure compliance:
• For product certification we must provide details of each item's history to help trace the chain of responsibility and give 100 per cent quality assurance.
This is just as applicable to critical items as it is to general assembly or service operations addressing a standardized product:
• For control over quality we must use the information gathered from monitoring, and compare how different products, and batches of products, perform.
Real-time analysis can detect anomalies in products, processes and procedures and abort operations that may cause damage - whether this concerns the machinery which incurs expensive down-time or a financial product with associated credit risks, market risks, and operational risks.
Statistical process control sees to it that problems within a process chain can be identified quickly, avoiding costly fixes and/or inordinate exposure.
The same is true of workforce verification. Plots resulting from monitoring and recording products and processes can be employed to compare human efficiencies and inefficiencies, determine which line or desk has been creating inordinate exposure, identify problem workstations, and settle disputes. Every one of the issues just mentioned is crucial to auditing, and it can best be identified through risk-based analysis and statistical quality control procedures (Chorafas, 2000a).
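The tolerance band and SQC-chart idea applied to a trading desk's exposure series, as an added example that is not from the book: it contrasts the one-day snapshot check against a board-set limit with the trend view a control chart gives the auditor. The daily exposure figures, the tolerance value and the run-rule length are constructed assumptions.

```python
"""Added example, not from the book: a simple Shewhart control chart over a
constructed series of a desk's daily derivatives exposure, contrasting the
one-day 'snapshot' check against a board-set tolerance with the trend view
that statistical quality control gives an auditor."""
from statistics import mean, pstdev

# Constructed sample (hypothetical figures, in millions): ten stable days,
# eight days of creeping growth, then a dip and a one-day spike.
DAILY_EXPOSURE = [102, 98, 105, 101, 97, 103, 99, 104, 100, 100,
                  106, 108, 109, 111, 112, 114, 115, 117,
                  98, 140]
BASELINE_DAYS = 10     # window used to estimate the process mean and sigma
RISK_TOLERANCE = 120   # hard limit the board has set (assumed), same units
RUN_LENGTH = 8         # consecutive points on one side of the mean = trend


def control_limits(series, baseline_days, k=3.0):
    """Process mean and the +/- k sigma band (the 'tolerance') from the baseline."""
    base = series[:baseline_days]
    mu, sigma = mean(base), pstdev(base)
    return mu, mu - k * sigma, mu + k * sigma


def snapshot_breaches(series, tolerance):
    """What a one-off limit check sees: only the days that exceed the hard limit."""
    return [day for day, x in enumerate(series, start=1) if x > tolerance]


def chart_findings(series, baseline_days, run_length=RUN_LENGTH):
    """Points outside the 3-sigma band, plus runs of run_length consecutive
    points on one side of the mean (a standard Western Electric run rule)."""
    mu, lcl, ucl = control_limits(series, baseline_days)
    findings, prev_side, run = [], 0, 0
    for day, x in enumerate(series, start=1):
        if x < lcl or x > ucl:
            findings.append((day, "outside 3-sigma band"))
        side = (x > mu) - (x < mu)          # +1 above, -1 below, 0 on the mean
        run = run + 1 if side and side == prev_side else 1
        prev_side = side
        if run == run_length:
            where = "above" if side > 0 else "below"
            findings.append((day, f"{run_length} consecutive days {where} the mean"))
    return findings


if __name__ == "__main__":
    mu, lcl, ucl = control_limits(DAILY_EXPOSURE, BASELINE_DAYS)
    print(f"baseline mean {mu:.1f}, band [{lcl:.1f}, {ucl:.1f}], limit {RISK_TOLERANCE}")
    print("snapshot breaches:", snapshot_breaches(DAILY_EXPOSURE, RISK_TOLERANCE))
    for day, note in chart_findings(DAILY_EXPOSURE, BASELINE_DAYS):
        print(f"day {day:2d}: {note}")
```

The creeping growth on days 11 to 18 never crosses the hard limit, so the snapshot check reports only the day-20 spike, while the chart flags the drift from day 13 onwards and the eight-day run on day 18.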
AUTHORITY AND RESPONSIBILITY FOR RISK-BASED AUDITING SOLUTIONS
For everything we do, if we wish to succeed, we must develop a sound methodology able to estimate the value, sensitivity, and accuracy of the product or system we are after. This is absolutely true with internal controls, but it is not enough all by itself. Another requirement is to establish the level of authority and responsibility of a risk-based auditing process. These should be defined in a charter, and the chief auditor must seek approval of the charter by the board. This charter should:
• Outline the goal(s) of risk-based audits within the organization,
• Authorize access to records, personnel, and other resources such as databases and
• Define the scope of risk-based internal auditing activities further out in time.
To better appreciate this reference to 'further-out' scope we should recall the comment made by General George Marshall to the nuclear scientists when they presented to the chief of staff of the US military their plans for factories designed for the production of materials for nuclear weapons. Marshall asked one simple question: how many bombs per day were these factories supposed to produce? The group of renowned scientists answered that this had not yet been taken into consideration, to which Marshall responded that:
• If it is only one shot, it does not really matter how powerful a weapon is.
• The power of the military rests on its ability to continue to deliver.
The same is true of any auditing process, evidently including risk-based auditing and any other type of auditing that matters. The plans for risk-based auditing should definitely reflect the ability to continue to deliver.
They should also be consistent with the internal auditing department's charter and with the goals of the organization. This planning process involves audit work schedules, staffing plans, level of technology to be used, and financial budgets. Goals should be:
• Accomplished within specified operating plans and budgets and
• Measurable in terms of deliverables - that is, end-results.
Risk-based audit work schedules detail the activities which are to be audited, when they will be audited, and the exact nature and extent of the audit work to be performed. For instance:
• The precise nature of risk being audited
• Department(s) and people included in the audit
• The amount of financial exposure and potential loss.
Specific requests by senior management may well impact on necessary processes and associated skills on the part of the audit staff. Staffing plans should make explicit the number of auditors to be employed, their know-how, the disciplines required to perform a risk-oriented examination, and the tools at their service - including technology tools. They should also state the nature and frequency of the activity reports to be submitted to the board and to senior management.
As with all audits, objectivity in risk-based investigations is a mental attitude which should be maintained at all times, in performing the work in question. Reports to the board and senior management should explain the background of basic findings, such as major variances in exposure being taken, and the meaning of these findings. In this connection, SQC charts can be of great service (see below).
Objectivity requires us to perform risk-based audits in such a manner that no quality compromises are made. The general rule is that internal auditors are not to be placed in situations in which they feel unable to make objective professional judgements because there are pressures on them. For instance, certain managers or professionals may hide information, or get by with procrastination, without being sanctioned.
For reasons of professional proficiency risk-based auditing requires a very good appreciation of credit risk, market risk, payments risk, legal risk, technology risk, execution risk, and other risks. Attention should also be paid to the extent of agency costs characterizing the organization (see above). The internal auditing department should assign to each project those persons who collectively possess the necessary:
• Knowledge
• Skills, and
• Disciplines.
Internal auditing should also provide assurance that the technical proficiency and educational background of internal auditors are appropriate for the risk-based audits to be performed. The director of internal auditing should establish suitable criteria of education and experience, giving due consideration to the scope of work and level of responsibility.
The OCC suggests that as risk-based audits spread, the internal auditing staff should collectively possess the knowledge and skills essential to this practice, making, if need be, use of consultants who are qualified in such disciplines as finance, the evaluation of risk and reward, exposure control, statistical quality control, experimental design, engineering, and law.
After a risk-based audit policy is instituted, the chief internal auditor becomes responsible for providing appropriate supervision, including suitable instructions to subordinates. Such instructions should be given at the outset of the audit. He or she must also assure that risk-based audit working papers are maintained and that they adequately support findings and conclusions. Working papers should always be available for control reasons (see Chapter 1).
As a matter of principle, great attention should be paid to audit trails.
Since in many computer-based environments audit trails, such as risk-based analyses and investigations, exist for only a short period of time, the director for audit should give instructions that they are databased. Also, the audit process must move closer to the transactional environment at its entry point into the system. Another requirement is that people involved in risk-based auditing have a say in software development and in system design, to ensure that:
• Knowledge artefacts are on hand to assist in examinations and in datamining
• Fully accurate and complete databases are in place, updated in real-time and
• It is possible to integrate fraud prevention and detection measures into the system.
Because sophisticated solutions create a need for increased reliance on internal controls, internal and external auditors should both periodically and by exception perform comprehensive reviews of internal controls that extend beyond those normally done during the course of a classical audit.
An integral part of the methodology advanced by the OCC is to include reviews of internal controls in connection with their ability to monitor the dependability of computer-based solutions - which leads us to the theme of the next section.
PAYING ATTENTION TO INFORMATION REQUIREMENTS FOR RISK-BASED AUDITING
Risk-based auditing has much to do with the premise that the board, the CEO, and senior management are responsible for assuring that systems designed for compliance, risk management, and other critical internal control functions are reliable and are regularly reviewed as well as maintained. Because auditing requirements address not only transactions but also policies, plans, procedures, laws, and regulations, risk-oriented auditing reports should include:
• A brief explanation of why current internal controls track these crucial issues in a dependable manner
• A description of weaknesses found in component parts of the internal control structure
• Any surprises experienced or detected in management's reaction to risk-based findings and
• A track record of immediate corrective action based on previous recommendations.
Risk-based audits should also review the means used to safeguard assets from various types of losses in trading, investing, loans, and other activities; verifying the existence of assets; assuring such assets are allocated where they should be; and evaluating their type, quality and value. Under no condition should a risk-based audit be characterized by lack of attention, time and care - or lack of backbone.
The observance of professional standards is evidently important. This, however, is an issue which should characterize all types of procedures followed by internal auditors and independent public accountants, as well as the work they perform to evaluate transactions, positions and records.
Therefore, it is not surprising that technology becomes a focal point of interest.
Risk-based audits place a great deal of stress on the information technology used by the institution: networks, databases, workstations, servers, and, most evidently, the accuracy and sophistication of the software being used - including expert systems. They do so in regard to both the state of the art and the resources needed to focus the examination on exposure. For this reason, risk-oriented auditors should be computer literate, just as they should understand the overall business environment and how the various accounting systems used in the four corners of the entity relate to one another (see also Chapter 3).
Given that competitive information systems today are based more and more on sophisticated technology, the bank's senior management, internal auditors, and independent public accountants face an urgent need to become well acquainted with computers and models. The better they master interactive computational finance, the better able they will be to make and evaluate decisions about the risks being taken, and the appropriate level of security against fraud and other events.
Because risk-based auditing needs a significant amount of computers and communications technology, there is a likelihood that a risk of computer fraud might be created. Furthermore, since risk-based audit is a new discipline the chief auditor should personally make sure, at least for a reasonable period of time, that reports are accurate, objective, clear, concise, constructive, and timely. Also that there is appropriate evidence to satisfy eventual requests by supervisors that findings are documented.
The OCC suggests that an audit department entrusted with risk-based analyses and investigations should provide assurance that the work conforms with high standards and that such professional standards are spelled out in the internal auditing department's charter. A quality assurance (QA) programme should include:
• Supervision
• Internal reviews and
• External reviews
Supervision of the work of risk-based auditing should be carried out continually to guarantee there is conformance with standards, policies, and programmes. Performance reviews of processes supported by technology should take place in the same manner, and with the same diligence, as any other internal audit.
External reviews of risk-based auditing should be done to help appraise the quality of the department's operations, executed by qualified persons who are independent of the line organization and who do not have either a real or an apparent conflict of interest. Such reviews should encompass not only skills, but also:
• The reliability and integrity of information being used in auditing and
• The entity's past record of compliance with policies, plans, and regulations.
Among other objectives to be targeted, risk-based audits should ascertain that financial and operating records and reports of the credit institution contain accurate, reliable, timely, complete, and useful information. Also that controls over record-keeping, databasing, datamining, and reporting are adequate and effective:
• Information should be collected on all matters related to the audit objectives and scope of work
• This information should be sufficient, competent, relevant, timely, and accurate.
By 'sufficient information' is meant factual, adequate, and convincing elements so that a prudent, informed person would reach the same conclusions as the auditor preparing a risk-based audit report. Competent information is reliable and typically attainable through the use of appropriate technology, and by means of observing rigorous auditing techniques. Relevant information supports the findings and recommendations of the risk-based audit and is consistent with its objectives. Audit procedures, including sampling and testing techniques employed, should be selected in advance. The same is true of the models to be used, including:
• The assumptions sustaining them
• The method of their employment
• The tests of hypotheses being made and
• The milestones to the conclusion and report to the board.
Working papers that document the risk-based audit should be prepared and reviewed by the director of the internal auditing department. These papers should record the information obtained, the analyses made, and the test being used - not only the results. In a factual and documented manner they should support the basis for the audit's findings and recommendations.
A written, signed report should be delivered after the risk-based audit examination is completed. Interim reports may also be needed, issued and transmitted formally or informally. The OCC strongly recommends that the findings of a risk-based audit are discussed at appropriate levels of management in an objective, clear, concise and constructive manner - and followed by corrective action where it is needed. I would add to this conclusion that use of the threat curve discussed in Chapter 3 can be instrumental in visualizing the results of a risk-based audit.