Gone are the days when audits were simply done according to existing processes and procedures or according to business divisions and units. Recent events across the world, including the current coronavirus pandemic, have further validated that audits can no longer be business as usual; they have to be based on the risks being faced by the entity being audited. These risks include both current and future risks.
For any audit practice to remain relevant therefore, this has to be the approach to its auditing practice.
Audit can no longer be business as usual: Before now, auditors would typically have an audit plan at the beginning of a year comprising the business’ processes and business divisions/units. This audit plan, having been approved by the board of directors, would be followed religiously all through the year no matter what happened within the year. It gives little or no room for flexibility, as the approved audit plan is seen as ‘law’.
This is however no longer the case.
While it is still encouraged that there are audit plans in place, such audit plans need to give room for flexibility. It should be such that changes can be made to these audit plans at the slightest notice depending on happenings involving the business.
Using COVID-19 as a case study, no matter what audit plan was approved for a business for the year 2020 (approval for the year 2020 would have been obtained by December 2019), almost all businesses should have immediately conducted an audit of their ability to cope with the challenges of COVID-19 to their business once the pandemic was declared (from March 2020 by the World Health Organization). This would have been what was most relevant to the business at that time, not whatever was on the audit plan. Alternatively, the audit of the business’ readiness to cope with the challenges of COVID-19 and whatever is on the audit plan can go on simultaneously.
The business owners and management would appreciate this and find it to be of most value, while business sustainability itself will benefit most from it. And we can all agree that the sustainability of the business is paramount. Where there is no business, there’ll be no need for the audit practice.
Auditors need to work more closely with the 1st and 2nd lines of defense: Until recent times, auditors have been comfortable in the third line of defense and at being referred to as the last man who comes in ‘after the fact’. This comfort is further strengthened given that the audit practice enjoys a large degree of regulatory and board support. Auditors are quick to mention this support when facing roadblocks, even when the audited entity is reasonably asking relevant questions that seem like a push-back. In plain terms, auditors have long dissociated themselves from the business itself, reveling in just coming along to check what everyone has done or is doing.
The 1st and 2nd lines of defense, which consist of the process owners and other assurance practices such as risk management and compliance, are usually left by the audit team to put out fires and make the business look good, while the auditors come in much later to ensure things have been done according to laid out processes and procedures. While this is not necessarily out of place, as it is the sheer nature of the audit practice, it is fast becoming old fashioned and is quickly being refined. To stay relevant, audit has had to also project itself as a business-conscious practice. In other words, the audit practice has had to join the fire fighting too, albeit a bit differently, which is where risk based audit comes in.
Using COVID-19 as a case study again, the audit practice’s audit of the business’ readiness to cope with the challenges of the pandemic would have meant working with the risk management team (2nd line of defense) in identifying the key risks and assessing the business gaps. This would have involved the process owners too, who are the 1st line of defense. This way, the audit practice enshrines itself in the minds of the business and process owners as a business enabler.
Auditing skills requirement changes: To put it bluntly, a professionally skeptical mind will no longer be enough to be a great auditor. A great auditor will no longer be one who can just look at a set of processes and procedures and tick off whether these processes and procedures are being adhered to. It wouldn’t even be enough to just be able to determine if a process and procedure is operating effectively. There will be much more strategic thinking and business orientation needed to be a great auditor henceforth.
Firstly and perhaps most essentially, the best auditors will be those who familiarize themselves with the business they are auditing within. Such individuals would therefore be able to identify the risks around that business and the units that make up the business. Such individuals would be able to go beyond identifying these risks to analyzing them, and therefore make proper audit calls as to what to audit and make the right audit recommendations.
At the heart of designing a risk based audit practice is the ability to identify the business risks (both internal and external) that the business is faced with (both current and future risks). Designing a risk based audit practice would therefore involve:
Conduct a risk assessment: This can be done in various forms depending on what is available and what is not. A risk assessment of a business commences with a process of identifying all risks associated with the business, both current and future. These identified risks are then analyzed in the light of the current business realities to determine if they are still potent business risks and, where they are, how seriously they would affect the business were they to occur.
Where there is already a certified risk register (a repository of all possible risks a business might encounter), the risk assessment can be done based off this risk register. Sometimes, the risk register already contains some level of assessment. Where this is the case, this assessment is simply analyzed against current realities. This serves as the background tool for an audit plan.
Design a flexible risk based audit plan: Following the risk assessment report, an audit plan is developed giving priority to the areas with the highest risks to the business as shown on the risk assessment report.
It is important to point out however that the audit plan must also remain flexible and be able to accommodate changes as the business realities evolve during the year.
A sample risk based audit plan template can be found widely on the internet.
Recruit audit staff with the right skills but most importantly the right mind-set: It’s important to note that this may ruin all the good work if not handled properly. Audit staff members who appreciate the new face of audit and have embraced it will be needed to run the risk based audit plan and make it successful towards enabling the business. Audit staff members with a risk mindset would be most desirable here.
From the fore-going, the benefits of risk based audit are derived thus:
The COVID-19 pandemic has given further credence to the importance of risk based auditing. This paper has chronicled why risk based auditing should be the norm and has indeed come to stay.
The author of the lesson: Dami Osunro, Senior Consultant with Deloitte Canada