The Risk-Base Audit Plan (RBAP) is an important output of Internal Audit. Not only is it a requirement of the IIA standards, but it also focuses audit on the most significant risks affecting the organization. In addition, it gives the Chief Audit Executives (CAEs) everything they needed to determine which audits will be performed and when; and to identify the required audit resources.
However, developing a robust RBAP is not an easy task. The main stumbling block is ensuring that it addresses, and continues to address, the current risks to the achievement of organizational objectives. Without a well-defined RBAP process, audit will not be performing the ‘right’ audits at the right time, and/or won’t have the resources needed to perform the audits. Doing the wrong audits (those that do not address organizational risk); or at the wrong time (after-the-fact); or without the necessary resources will impact on audit’s ability to provide a truly value-added service.
As recently as 3-5 years ago, the RBAP was prepared every three years with yearly updates. Today the RBAP must be dynamic and the process needs to be supported by a continuous assessment of risk. IIA Practice Guidance points to an audit plan that focuses on the risks of today and tomorrow. The guidance conveys the notion that business risk changes frequently and dramatically, so the RBAP should reflect a current risk assessment – not one performed three years ago, or even last year. Further, that internal auditors have information and the ability to regularly assess the organization-wide risk assessment. In response to changes in the organization’s business, risks, operations, programs, systems, and/or controls, the IIA guidance states that the CAE should review the RBAP and adjust it accordingly.
The requirement for continuous risk assessment poses a problem for many auditors. “How do I keep my risk assessment (and RBAP) current?”. In many cases, the original RBAP process involved numerous interviews with senior management, a review of previous audits, and other labour intensive activities. These activities produce volumes of qualitative information from which auditors make a professional assessment of where the greatest risks are impacting the organization. As such, the RBAP process is time-consuming, relies on a qualitative/professional assessment, and cannot be performed on a continuous basis.
The answer to having a continuously updated RBAP lies in quantitative analysis. An efficient and effective, ongoing, risk assessment process uses key risk indicators (KRIs) that are data driven. To be effective, the data-driven indicators must react to changes in risk levels and support the assessment of risk for each organizational entity/activity. To be efficient, the data should be a by-product of operational systems (e.g. financial, HR, and operational systems).
These data-driven risk indicators serve two important functions. First, they supplement the qualitative information and auditor judgement, and provide additional rigor to the initial RBAP process. The data can help to focus discussions with senior managers and make them more productive than simply asking “what keeps you up at night?”. It provides insights that allow auditors to ask questions that focus on the areas of highest risk to the specific audit entity (e.g. “Why do you have twice the number of journal entries and reversals as other financial managers?” or “What are your plans to address both the high existing HR vacancy rate and the large number of employees who are eligible for retirement within two years?”). This can direct management’s attention to emerging risks that might not have been known previously – making the risk discussion more valuable to both parties.
Second, they allow auditors to identify changes in corporate risks on a more continuous basis, well in advance of breakdowns in internal controls. Quantitative indicators, such as percentage of duplicate invoices or invoices paid late/early, which are obtained from operational information systems are less intrusive, easier to capture and measure, and do not rely on subjective assessments. This means that the risk assessment can be evaluated throughout the year (e.g. monthly or quarterly) with minimal effort allowing the CAE to determine if the risk levels have changed for any of the activities or audit entities.
Data-driven indicators make the risk identification and assessment process easier to update, more responsive to changing levels of risk; and they support an analysis of the root causes of the risk. It will make the annual risk-based audit plan more defensible, easier to update. In addition, transactional-level quantitative indicators of risk can be viewed at any slice of the organization. Auditors can drill down into a corporate risk to assess and compare every region, plant, division, project, etc. and determine, for example, what is causing a higher level of financial or strategic risk.
Analytics can examine the risk in business processes such as Accounts Payable, Accounts Receivable, Payroll, Contracting, Financial Operations, Travel & Entertainment, and P-Card. It can also assess specific categories of risk such as operational, compliance, HR, IT, financial, and fraud risk. The analytic results can be used to compare one location or entity to another allowing he CAE to select not only which audits will be performed and why, but also where.
Application of Data Analytics to RBAP process
The use of analytics can support the development and continuous updating of the RBAP in several ways.
- Assessing existing / known risk – identifying and assess the risk changing risk level
- Identifying emerging / unknown risk – identifying and assessing new risks
- Verifying the completeness and accuracy of the Audit Universe – ensuring that the audit universe is up to date and reflects all auditable entities
- Selecting audits to be performed – determining which audits will be conducted, when, where, and identifying the audit objectives (based on the identified risks)
- Quantifying audit recommendations – providing quantitative measures to support audit findings and recommendations
- Assessing management mitigation activities – assessing the impact of management’s actions on audit recommendations and the impact on the associated risks
- Performing follow-up on audits – re-performing analytics on areas of highest risk to assess the risk level after the implementation of recommendations.
Key Steps in Implementing RBAP Analytics:
Analytics can be developed to support the initial development of the RBAP by adding a layer of quantitative assurance to the qualitative information that is collected. The following steps are required to make the RBAP update process simple and efficient and more continuous:
- Obtain access to data – ensure audit has ongoing access to all information, not just when an audit is being performed
- Develop and maintain queries to extract required data – safeguard and maintain the extract queries
- Develop and verify analytics – use the results of audits to validate the analytics and identify risks, control weakness, non-compliance, etc. that were identified by analytics.
- Identify and re-run analytics on a quarterly basis – use audit results to determine which analytics should be re-run to assess management action on audit recommendations and risk mitigation activities; and the analytics to assess existing risk and identify emerging risks
- Develop multi-year trend files which will be used to track changing risk levels and identify audit universe.
- Assess new/emerging risks and data sources – use audits and the RBAP process to continually update the risks and analytics to ensure that data sources, risk landscape and analytics reflect the current risk environment
Analytics within an Audit
During the RBAP process data analysis can identify and quantify the risks associated with an audit entity or area. Once an audit has been selected, the data and analytics should be used during the planning phase to drill down into the identified risks and determine the audit steps that will be taken during conduct to validate the analytics and develop recommendations.
Using the template below, the audit planning process can clearly state the audit objective and identify the associated risks and controls, analytics to test the controls, and the required data. The results are also linked back to the controls and risks, so the audit recommendations are focused on the root cause of the risk – not the symptoms.
By tracking the ‘risk-analytic’ relationship, the audit can identify which analytics were successful and should be run on a periodic basis to provide a continuous risk assessment and ensure that the RBAP is current. These analytics can be used for follow-up on management action plans and incorporated into the RBAP continuous assessment process.
The identification and assessment of data-driven key risk indicators can be accomplished easily and with minimal investment. A data-focused approach will allow internal audit to identify issues, target risks and allocate resources more effectively. The risk indicators can also be used to update corporate risk profiles and assess the effectiveness of risk mitigation strategies and the risk associated with new strategic initiatives – providing valuable advice to senior management on all categories of risk. Audit functions that leverage a quantitative, data-driven approach to identifying and assessing risk, are more relevant to the business and can provide more efficient and improved risk coverage to senior management and the Board.
RiverAA has hundreds of analytics that can support continuous monitoring and keep your RBAP current. We can assist you in determining the data and analytics required to address your specific risks. Further, we offer a range of services from ‘do it yourself’ where you use our analytics; to ‘white glove’ where we run the analytics for you on a periodic basis and provide you with a report outlining the most critical risks and suggested action and a dynamic dash board that allows you to drill down into the detailed transactions.
Examples of Data-Drive Risk Indicator
Financial data-driven risk indicators can measure things such as the number, timing and dollar amount of Journal Entries, and the timing of payments and receivable. Examining data by period and by comparing to previous years can identify unusual trends or emerging risks. Looking a transactional data can highlight issues related to separation of duties; and identify anomalies and outliers indicating a fraud risk.
These will allow audit to track the accuracy, timeliness, efficiency and effectiveness of the financial operations process. Example financial indicators are:
- Journal Entry – to prior period
- Journal Entry – expense to/from revenue accounts
- Late or Early payments
- Amount of Losses, write-offs, strike-offs
- Percentage of expenditures in Period 12, 13+
- Amount and number of suspense account transactions
- Aging of A/P transactions
- Aging of A/R transactions
- Activities performed by User
The risks in HR revolve around the organization ability to attract, retain, and employ the qualified and experienced HR resources. The current risk can examine your current workforce; and emerging risk can look at turnover and retirement forecasts. Retention is affected by employee health and well-being which can be measured by indicators such as sick leave, vacations, grievances, etc.
The data to develop HR risk indicators can be obtained from the HR system and used to track risks over time and across locations. Example HR risk indicators are:
- Percentage of managers that can retire within two years
- Percentage of vacant positions
- Percentage of employees in acting positions
- Average length of time (turnover)
- Vacation and sick leave levels
- Number of grievances
- Breakdown of resource types: full time, part time, casual, seasonal, contract, etc.
- Number of unions by location
- Production downtime
- Defects and returns
- Special orders
The environmental risk indicators can track the magnitude and frequency of non-compliance as well as the extent of activities that may increase the environmental risk. Simple examples are:
- Number and amount of fines
- Production levels at plants where there are environmental concerns
Accounts Payable example:
Data analytics can also be used to examine a business process such as accounts payable, accounts receivable, payroll, contracting etc. The following identifies some of the risks that may affect the efficiency, effectiveness and accuracy of the accounts payable process and possible data-driven indicators:
- Fraud risk – Same user created vendor and entered invoice
- Revenue loss – duplicate invoices, paying invoices early
- Non-compliance – large invoices don’t reference at Purchase Order
- Efficiency – large percentage of small dollar invoices where purchase should be done with corporate P-Card
- IT Controls – data entry controls on critical fields, failure to ensure adequate separate of duties
The analytics can be integrated with a dashboard that is dynamic and supports drill down into the data.
Running the analytics every month provide comparative assessments to highlight changing or emerging risk.
Dave Coderre www.caats.ca