Auditors and risk management
by Matthew Leitch; first appeared on www.irmi.com in July 2003
Introduces the external and internal auditor.
Explains strengths, weaknesses, and favourite techniques of auditors.
If you are an external or internal auditor please don’t read on. I’m about to give away our secrets to the rest of the world.
If you are not an auditor – for example if your background is mostly in insurance – and you want to understand what auditors believe, how they work, where their weaknesses are, and what they contribute, then read on. It’s time to meet the auditors.
External auditors tend to be qualified financial accountants assisted by their trainees. In the big firms there are also specialists who are not accountants, such as computer security and project management experts, though they are slightly less common now that people increasingly believe external auditors should not provide other services to their audit clients.
Internal auditors tend to be former external auditors mixed with people from just about any background conceivable. Some internal auditors go on to take up management roles in the companies they audit, but others move from management into internal audit.
The training for auditors, especially external auditors, emphasises doing things in compliance with regulations and official standards of work. The regulations on financial accounting are complicated and require careful interpretation. There are also extensive written standards for internal and external auditing. As a result, auditors have tended to focus on compliance with standards and written procedures.
Auditors are good at going to see for themselves. They are usually sceptical and good at digging up dirt and revealing the things managers would prefer to keep hidden.
Despite sometimes having a reputation as dangerous to meet, they are usually people people, and help spread good ideas. They network across their organisation and with their friends at other organisations. They attend conferences to learn what is happening. When they find good ideas in their company they tend to spread them. They also bring new ideas from other places into their companies.
Auditors will review almost anything important to their organisation – not just financial matters.
Internal and external auditors fight for their independence and take ethics very seriously. That doesn’t mean that all auditors are ethical and independent, but it does mean that most are much more aware of the issues than people in other roles.
External auditors often rely on work done by internal auditors and, when they do, they check that the internal auditors have sufficient standing and independence within their organisation to speak the truth without fear.
Professional institutes for auditors and accountants usually provide personal help for members with ethical issues and lots of guidance. Trainee public accountants, for example, are encouraged to think of themselves as accountants first and employees second. Whatever their boss wants, they have certain duties to their profession.
Auditors spend most of their time looking at internally arising risks and their countermeasures. Auditors soon learn how and why people make mistakes and behave dishonestly. In these areas of operational risk their knowledge is often excellent.
Like all specialists, auditors believe that the things they are concerned with are broader and more important than the rest of the world realises. Auditors are concerned with “internal controls” and what they call “risk management”.
Auditing is yet another profession that has come to see itself as all about risk management. This happened mainly during the 1990s.
They see a “risk” as anything that could impact on an organisation achieving its objectives, and things done to cope with risks are “internal controls”. Originally, “internal controls” meant checks like bank reconciliations and double entry, but now the term is much wider and its boundaries are indistinct.
Auditors tend to focus heavily on internally arising risks, especially risks arising from incompetence or dishonesty. When something goes wrong they tend to say it was because of failure to follow internal control procedures while other people are more likely to point to externally arising problems.
The trend in internal and external auditing during the 1990s and more recently has been towards more risk assessment and more flexible and focused reviews.
For example, over the last three years PricewaterhouseCoopers (the world’s largest audit firm) has introduced an audit approach called “Towards Performance Auditing” which has taken the firm far beyond the accounts department and directly financial risks. They now interview managers across a business to find areas under pressure, for it is here that the risks of financial mis-statement are highest even if the means of mis-statement is not immediately clear.
In a similar spirit, internal auditors have begun to develop their work plans by starting with their organisation’s corporate risk register (which they often helped to produce) and doing reviews to provide assurance on the key perceived risks.
This has pushed them into new areas and a wider range of reviews than ever before, which sometimes creates difficulties.
Internal audit departments vary in how helpful they are to the people they audit. The old-fashioned style was for internal audit to be a police force, conducting reviews, issuing reports, and making recommendations for improvements that had to be acted on. This sometimes led to confrontations. The modern style is typically to be more facilitative. Although internal auditors still issue reports, they often get some of their evidence by asking auditees to assess their own risks and controls, and some auditors no longer make recommendations themselves, though they will facilitate auditees devising improvements and later track progress.
The risk analysis done by, or facilitated by, auditors tends to be much less sophisticated than risk analysis by people in insurance, safety, policy analysis, and medicine, for example. Quantification, where it is attempted, tends to be guesswork and undermined by basic technical errors.
Another weak area for many auditors is lack of design ability. Auditors do a good job of spreading ideas but they tend to have far less creative ability than typical engineers, system builders, and architects, for example. Auditors check work done by other people, often against standards laid down by someone else, and this does not develop their design and problem solving skills.
Consequently, although auditors often make suggestions or recommendations they tend to be obvious and lack detail, too often amounting to a call for more documentation.
Auditing is getting more attention than ever thanks to Enron, WorldCom, and the outrage that they stirred up. The Sarbanes-Oxley Act includes a requirement for internal controls over financial reporting to be assessed annually with the conclusions of the assessment published and attested to by external auditors. This has increased the pressure dramatically.
At the same time, many internal auditors are changing the way they work, away from routine examination of internal controls and towards a more flexible audit of all types of risk appearing on the corporate risk register. Although auditors feel this is a good direction it is somewhat experimental and does create some difficulties.
One trend that may become more important is for organisations to set up a team of internal control specialists whose role is to help managers design, develop, and implement good control systems. They may do reviews, but the objective is very different from internal audit.
This allows internal auditors to concentrate on what they do best, which is independent assessment, rather than getting stuck into design.
The new rules announced by the SEC on 27 May 2003 may accelerate this trend. The rules say that companies cannot describe their controls as effective if there is even one “material weakness”. Many companies will use the extra time they have been given to try to eliminate as many weaknesses as possible and publish a clean report. While auditors can help with this, ultimately, you cannot audit your way to corporate health. Someone has to have the creative solutions to problems that have often lingered for years.
About the author: Matthew Leitch is a tutor, researcher, author, and independent consultant who helps people to a better understanding and use of integral management of risk within core management activities, such as planning and design. He is also the author of the new website, www.WorkingInUncertainty.co.uk, and has written two breakthrough books. Intelligent internal control and risk management is a powerful and original approach including 60 controls that most organizations should use more. A pocket guide to risk mathematics: Key concepts every auditor should know is the first to provide a strong conceptual understanding of mathematics to auditors who are not mathematicians, without the need to wade through mathematical symbols. Matthew is a Chartered Accountant with a degree in psychology whose past career includes software development, marketing, auditing, accounting, and consulting. He spent 7 years as a controls specialist with PricewaterhouseCoopers, where he pioneered new methods for designing internal control systems for large scale business and financial processes, through projects for internationally known clients. Today he is well known as an expert in uncertainty and how to deal with it, and an increasingly sought after tutor (i.e. one-to-one teacher).