Unlocking the Value of Audit Analytics: Risk Based Audits

Traditionally, Internal Audit has approached audits from a reactionary perspective and organized their resources based on what has happened rather than what is happening. However, over time, this approach has had to evolve. Consider the impending cold and flu season that is before us. There are generally two choices in preparing for the season. You have a choice to get your flu shot early and manage the risk of getting a cold (proactive) or you can wait for symptoms to occur and then try to treat them (reactionary). 


Much like a reactionary audit approach, the latter option is high risk, and in the context of a business, unlikely to be aligned with the company’s risk management strategy. Consequently, internal auditors have switched gears to be more proactive in getting ahead of risks by identifying them early and determining how they should be managed.


Seems entirely sensible, so why is this not always the practice?


The Role of Internal Audit


Richard Chambers, The IIA President, stated in this year’s IIA Pulse of the Profession Survey that, “traditionally, internal audit has been reactionary, but that approach is changing. Our value to an organization depends on furthering this change in course.”


The survey reports that not only is our approach to audits changing but what is expected from internal audit from senior management is also shifting and internal audit is expected to allocate time to areas such as business strategy, risk management effectiveness, and governance providing the opportunity to act as key players in management decision making.


Comparison of Audit Plan Coverage in 2014 vs 2013



Source: IIA Pulse of the Profession Survey


Why are some IA Departments not onboard?


I would like to think that the Internal Audit Departments that are not onboard is a temporary situation.  Owning and maintaining a system of sound internal controls is not the role of IA and so a risk based approach to audits has to be part of a risk management strategy for the entire business.  If the organization is not mature in how risk management is practiced then IA will have to implement their approach in a way that matches that maturity level.  Don’t despair; it also presents an opportunity for the Internal Audit to play a significant role in the maturity process.  So once again it is back to the Chief Audit Executive to market the concept and push for its adoption. 


Creating a Risk-Based Methodology


There are 3 areas that you can start with:


  1. Organizational maturity – Determine the maturity level within the business.  Is there a risk register?  Has the organization defined its risk appetite?  Has there been consensus on the assessment, management and monitoring of risks? This will shape how you go about implementing your risk-based approach.
  2. Audit planning – Many of you will do this annually and review quarterly.  Ensure that you are aware of the areas that the Board requires objective assurances.  Assurances regarding the risk management process, the recording and reporting of risks and the assessment and monitoring processes.
  3. Within audit assignments – During planning and execution the team’s activities should be focused based on the level of risk.  The audit report and assurances should be directly correlated to the risks.  In the next blog I will go into more details on this and also speak specifically how to approach it using data analytics. 


What’s in this for me?


Relevance.  You have a seat at the table because you are actively participating and adding value in a manner that the business can understand and appreciate.  Management owns the risk and IA provide assurances. 



About Andrew Simpson:

Andrew Simpson has close to two decades of experience in the information systems audit and security business; specifically data analytics, interrogation and forensics. He is a regular contributor to various auditing conferences and is acknowledged as an expert on continuous controls monitoring and revenue assurance.

Connect: @CW_Simpson          Andrew Simpson