Risk-based approach to auditing
In our article of 15 July 2019, we referred to several international scandals involving companies that have been audited by the Big Four (KPMG, Deloitte, Ernst & Young and PWC) and the possibility of these firms being blocked from undertaking future audit work in India. We also referred to the failure of the Big Four, Grant Thornton, BDO and Mazars in the UK to achieve the quality standards set by the Financial Reporting Council (FRC).
These scandals raise the important questions about the presence of the auditors; whether due care is exercised in conducting audits; and whether adequate risk assessments are carried out to provide reasonable assurance about the detection of transactions and events that pose significant risks to the operations of the entities involved and to the achievement of their objectives.
Today’s article discusses the risk-based approach to auditing. It concludes that external auditors should assess risks not only associated with the fair presentation of financial statements but also all risks that are likely to have an adverse effect on the operations of the organisation and the achievement of its objectives. In this way, the “expectation gap” can be bridged.
International Standards on Auditing
External auditors follow the International Standards on Auditing (ISAs) in conducting their audits. There are two standards that are relevant to risk-based approach to auditing: ISA 315 – Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment; and ISA 330 – Auditor’s Responses to Assessed Risks. These standards are, however, only concerned with risks that are relevant to the fair presentation of financial statements of the entity. They do not address other types of risks, such as those relating to governance; achievement of organizational objectives and strategies; conflicts of interest; ethical considerations; performance management and accountability; competence of personnel; economy, efficiency and effectiveness of operations; and the achievement of outputs, outcomes and impacts, including environmental impact. These are areas that are fundamental to the growth and development of organisations, indeed their very survival.
The external auditors’ core responsibility is to examine the financial statements presented to them by management; carry out whatever tests they consider necessary in conformity with the ISAs to enable them to express an opinion on the fair presentation of the financial statements; and report their opinion to the highest level of the organisation, in the case of a company, the annual general meeting of shareholders. Commentators have long pointed to the need to close “the expectation gap” between what the auditors are engaged to undertake on the one hand, and the expectation of key stakeholders that before anything goes wrong, the auditors should provide the necessary warning signals for early corrective action.
International Standards of Supreme Audit Institutions
The International Standards of Supreme Audit Institutions (ISSAIs) are auditing standards used by national audit offices in conducting audits of government programmes and activities. ISSAI 1315 - Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, provides detailed guidance on risk assessments. However, as in the case of ISAs, such guidance is financial statements-oriented. It relates to identifying and assessing the risks of material misstatement, whether due to fraud or error, ‘at
the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement’.
Institute of Internal Auditors Standards
The Institute of Internal Auditors (IIA) provides for a more comprehensive approach to risk assessment, given the role internal audit plays within the organisation. The IIA defines internal audit as ‘an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes’ (emphasis added).
According to the IIA publication “Assessing the Risk Management Process”, risk management is a process to identify, assess, manage, and control potential events or situations to provide reasonable assurance regarding the achievement of the organization’s objectives. For large organisations, such as the United Nations, it is called Enterprise Risk Management and is a dedicated function within the organisation. In many jurisdictions, the board is responsible for overseeing that a risk management process is in place that effectively responds to the changing risk landscape.
On the other hand, internal audit provides independent assurance that the organization’s risk management processes are effective, as required by IIA Standards 2010 and 2120. Internal audit must establish risk-based audit plans to determine the priorities of the internal audit activity by (i) benchmarking the current state of the organization’s risk management against a maturity model; (ii) communicating the results with senior management and the board; and (iii) incorporating the results in planning and executing of the internal audit activities.
Determining the effectiveness of the risk management processes is a judgment resulting from the internal audit’s assessment of whether:
(a) Organizational objectives support and align with the organization’s mission;
(b) Significant risks are identified and assessed; (c) Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
(d) Relevant risk information is captured and communicated in a timely manner across the organization, enabling staff, management, and the board to carry out their responsibilities.
The simplest form of documentation of risk management is an annual exercise to create an organizational risk register in what is usually referred to as a “strategic risk assessment”. This exercise requires senior management to develop and document a list of risks. On the other hand, organizations with the most robust, or mature, risk management process would consider risk factors, including those of a cultural or governance nature, across the organization in a systematic and structured way.
An effective way internal audit performs, and documents risk assessment is to create a risk matrix, listing the relevant risks in rows after taking into account the controls in place to mitigate such risks. For each residual risk, the likelihood of occurrence and the related impact are identified in columns in terms of high, moderate or low. Where the impact is high or moderate regardless of the likelihood of occurrence, internal audit considers this an area of high risk. On the other hand, where the impact is low regardless of the level of occurrence, the risk is not considered significant.
The culmination of a risk assessment exercise is the inclusion in the internal audit’s workpapers any or all of the following:
(a) Process maps;
(b) Risk registers;
(c) Summary of interviews and surveys;
(d) Rationale for decisions regarding the organization’s risk management maturity level; and (e) Criteria that will be used to assess the risk management process.
The evaluation of internal controls is fundamental to auditing, whether internal or external. IIA Standard 2130 requires internal audit to assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement. It does so by evaluating the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding:
(a) Achievement of the organisation’s strategic objectives;
Reliability and integrity of financial and oper ational information;
Effectiveness and efficiency of operations and programmess;
Safeguarding of assets; and Compliance with laws, regulations, policies, pro cedures, and contracts.
Following a series of corporate failures and scandals, such as those relating to Enron and WorldCom, the United States passed the Sarbanes-Oxley (SOX) Act of 2002. Non-compliance with SOX Section 404 requirements is a major risk that internal audit must consider. That section requires management to develop and monitor procedures and controls for making their required assertion about the adequacy of internal controls over financial reporting, as well as the required attestation by an external auditor of management’s assertion. Section 302 also requires management’s quarterly certification of not only financial reporting controls, but also disclosure controls and procedures.
A useful tool to evaluate internal control is the COSO Internal Control - Integrated Framework. Originally developed in 1992 by the Committee of Sponsoring Organisations of the Treadway Commission, the Framework defines internal control as a process effected by the entity’s board, management and other personnel designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. There are five components of the Framework: control environment; risk assessment; control activities; information and communication; and monitoring activities. Each of these components is broken down into three areas, namely objectives, reporting and compliance. The framework also operates throughout the organisation - entity level, operating unit and function. It is depicted in the familiar cube-like structure.
The control environment relates to the attitude and actions of the board and management regarding the importance of control within the organization. It provides the discipline and structure for the achievement of the primary objectives of the system of internal control and includes the following: (b) (c)
(d) (e)
(a) Integrity and ethical values;
(b) Management’s philosophy and operating style; (c) Organizational structure;
(d) Assignment of authority and responsibility; (e) Human resource policies and practices; and (f) Competence of personnel.
In 2013, the COSO Framework was revised in the light of significant developments over the last 20 years, mainly in relation to technology, governance, reporting, antifraud considerations. A total of 17 principles have been included in support of five components of the Framework. These are:
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Control Activities
10 The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Information and Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Monitoring activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
For each principle, there are focus points. In total, there are 77 focus points.
Conclusion
Given the corporate failures and scandals that have occurred over the years without any warning signals from the auditors, the time has come for the accounting/auditing profession to reassess the role of external auditors. In view of stakeholders’ high dependence on the work of external auditors, especially in relation to business and investment decisions, and in order to bridge the “expectation gap” referred to above, it would appear necessary for their terms of reference to be revised to ensure that external auditors’ risk assessment goes beyond the evaluation of risks of material misstatements to financial statements. In this regard, the board and management should ensure that such terms of reference include the evaluation of the various risks to which the organisation is exposed that may have an adverse effect on its operations and in the achievement of its objectives.
In addition to the expression of opinion on the fair presentation of the financial statements of an organisation, external auditors should provide a report to shareholders on the results of their evaluation of the organisation’s risk management processes in place as well as those conducted by internal audit. It may also be useful for a condensed version of the external auditors’ management letter in support of their opinion to be included.
In a subsequent article, we will seek to address the question of whether an organisation’s balance sheet gives a true reflection of its value, considering, among others, that employees are its greatest assets.