This article about advantages and disadvantages of risk based internal audit approach is written to answer a question asked by a reader of this accounting blog on my previous article on process of risk based audit.
Brief Explanation of Risk Based Internal Audit
I will not go into detailed explanation of what a risk based internal audit approach is but in a nutshell, risk based internal audit is a relatively newer approach to internal audit engagement where internal auditors start the auditing process from the premise of firstly understanding the business and its peculiarity, then develop their audit plans and programs from the perspective of what can possibly go wrong in a given business environment.
This process is commonly referred to as enterprise risk assessment. This is in sharp contrast with the traditional rule based where all that is required is to tick the boxes.
What are the advantages and benefits of risk based internal audit approach?
- Gives better understanding of business and its environment: the fundamental principle behind risk based internal audit is that it must start from the premise of understanding the unique business environment of the entity. This alone is a massive plus to Risk Based Auditing (RBA). I mean, how better could it get if you audit a business that you know well rather than coming with a predefined check boxes to tick out?
- Declutters decision making: there is no room for guess work when using risk based approach to your assurance and auditing services because you as an auditor have equipped yourself with the necessary understanding of the entity and its business model.
- Data driven: history has it that data driven organizations outperform businesses that rely on hunches for decision making. Same goes for internal auditing as the processes and results of risk based internal audit are by far better than the output of traditional systems approach to internal auditing where similar sets of rules are followed for all type and size of auditing engagement regardless of the peculiarities involved.
- Identifies more risks: one of the most important benefits of using a risk based audit is that it gives the auditor a broader scope in identifying risks that would ordinarily slipped through. This is to say that overall audit risk is reduced using this approach for your internal audit assignments.
- Stronger tone from the top support: the support from the top echelon is usually incredible as soon as the realized that the RBA is been adopted. I really cannot explain why this is so but this is what I have seen in many places during my accounting practice.
- Gives early warning (risk prevention tool): red flags or fraudulent activities have no hiding place when an internal auditor adopts a risk based approach. This acts as a control tool in the sense that preventative or mitigating actions are being thought out as soon as signs of anomalies are identified.
- More strategic and organization wide: value adding auditing comes from the benefits that organizations gets that will allow them still remain in business in the long run. Strategic thinking and actions are all geared towards ensuring that an organization beats competition to remain in business. In my other live as a business turnaround consultant, I have seen too many instances where an event that led to the financial difficulties would have been averted if auditors have been a little bit strategic in their thinking – I guess they didn’t use risk based approach.
- Opportunity to recommend stronger controls: internal auditors are in a better position to make useful recommendations when they see things from the angle of; what can go wrong here? This is not a dooms day prophesy as many see it but a better way to see things. After all, professional skepticism is highly encouraged by professional accountancy bodies like ACCA.
- Allows for swifter flexibility: because a risk based approach relies heavily on gaining understanding of the operations of a going concern and all that might inhibit achievement of organizational goal, it quickly responds proactively to any perceived or identified changes in business environment and quickly update the risk register appropriately.
- Provides timeous response: time is of a very high essence in any business related activity more especially in this new pervasive age that we now operate in. It may be too late for a company to respond to an identified risk minutes later. Take cybersecurity risks as an example. Risk based audit anticipates threats coming from certain areas of an organization’s operations and builds in mitigating actions that kicks in on auto pilot mode into the whole design and execution of the audit.
- Saves resources: there is no gain saying that time saved by nipping threats from the bud saves the business hugely.
- Eases off the audit planning stage: the information gathered on a company during risk assessment stage helps to ease off the amount of work needed while planning for audit engagement.
- Provides for a more robust audit follow up: the whole efforts put into internal audit exercise will amount to nearly nothing if recommendations are not followed up to ensure implementation. Risk based audit by its nature draws auditor attention to areas that have not been revisited for compliance.
What are the disadvantages and limitations of risk based internal audit approach?
- Risk of misapplication concept: one of the major disadvantages of risk based internal auditing is that a lot of people tend to misapply the concept. I have seen people do all sorts of thing all in the name of trying to follow the trend. When done properly, this is not a major concern
- Can be more complex- especially for newbies: newly qualified accountants always struggle to grapple with the whole idea of risk based internal audit thereby introducing unnecessary complexities and bottlenecks while trying so hard to impress.
- Allows too much room for use of professional judgment: just like the first disadvantage mentions here. A lot of decisions are taken based on sentiment rather than based on facts this is because there are no sets of rules telling people to do this, then do that. Again, this is where experience comes in.
There are many advantages for using a risk based audit approach. Regardless the above identified few disadvantages of risk based auditing, it is still the way forward for all kinds of auditing as its benefits greatly outweighs its disadvantages.
I always tell people one thing and I will repeat it here – make sure you study an organizations mission & vision statements in your quest to gain useful insights of what the business is set out to achieve and then start conjuring what could possibly truncate those objectives.