Understanding audit and risk

Updated from the original published on July 4, 2010


Everything we do creates risk. Crossing the street, climbing a mountain, even breathing or drinking a glass of water. It is exactly the same for organisations. All your operations create risk. Your financing creates risk. You operate within a risky external environment.

So when you say you make widgets, what you really mean is that you are part of a large, unstable macro-economic system that contains a number of organisations like yours, none of which have any guarantee of survival (indeed, the others are out to get you). As part of this system, you put a lot of effort into trying to comply with its rules, but you can never be completely sure that you are complying with everything. You borrow money from people, usually shareholders or banks, which you cannot guarantee you will be able to pay back. You buy materials from other companies to make your widgets, or dig them out of the ground. Either way, supply is uncertain and you often have to buy things in different currencies, which means the cost to you is constantly changing. You then have to make your widgets, without getting them wrong or accidentally killing anyone in the process. Even when you’ve made them, you have to store them, ship them all over the world, and sell them to people you don’t completely understand and whose desire to buy them also changes constantly. In doing so, you have to make sure you pay taxes and duties, market your product legally, and maintain your reputation and financial stability so your customers and suppliers have confidence in you. You also have to protect your staff, customer and business information from other people who would like to know all the things you need to know to do all this.

Most businesses traditionally focus on one risk in this process – the risk that you can’t sell your widgets for more than they cost you to make. This is the most critical risk whatever your industry. Financial services businesses worry that they can’t charge their borrowers more than they pay their lenders, allowing for the cost of doing business. Governments worry (at least in theory!) that they can’t cover the cost of the services they provide through the taxes they collect.

However, as we’ve illustrated here, managing this risk is not enough. It’s no good making a widget for £1 and selling it for £2 if the cost of cleaning up that oil spill, decommissioning that nuclear power plant, paying out for the employee killed using your machinery, or compensating people for the loss of their data amounts to £1.50 per widget. You’ve managed the financial risk whilst making a profit, but your exposure to other types of risk has turned that profit into a loss.

So all organisations need to manage their exposure to all the risks that impact on their business. Audit is a part of this process.

The first question to ask is “What risks do we need to manage?”. In order to answer that, the organisation needs to know what risks matter, and that means understanding the business and what it is trying to achieve. You then need to manage any risks that might reduce your ability to achieve those objectives. If your aim is to double your profit every 12 months (for example, a young consumer brand), you will be very focused on financial risk. If your aim is to reduce the cost of your product by not being subject to the changing exchange rates that affect your competitors (such as an airline or oil company), you’ll focus more on exchange rate and market risk. If you process a lot of information and rely on the confidence of your customers and regulators (for example, a bank or credit reference agency), you’ll need to address operational, security and reputational risk.

Once you know this, the organisation needs effective structures in place to ensure risk is managed. This takes the form of a system of internal control. This means establishing reliable, repeatable, transparent and affordable processes to operate the business that do not rely on trusting any one employee, or for that matter on any one control. Examples are everywhere – from staff security passes to bank reconciliations and system audit trails – all of which need implementing, documenting, managing, monitoring, verifying, reporting and updating to respond to a business in constant change.

We can’t be sure any system or control will work perfectly all the time, so we also need an independent check that risk is managed properly. One that cannot be stamped on by management – one that provides assurance to shareholders and other stakeholders that risks are properly managed, without their having to rely on senior management to be an effective control. For this reason, we have Audit.

A simple model – the ‘3 lines of defence’ model – helps explain this. Management controls should be effective – that’s the first line of control. In case they are not, there should be monitoring and verification processes, for example risk management and compliance functions – that’s the second line. Management should be able to rely on first line controls, and the board should be able to rely on second line controls as a check on management. Together these controls should manage business risk. To make sure they do this effectively and consistently, you have Internal Audit, who operate independently of management and report findings to the board or audit committee. There are then external auditors, normally focused on financial risk, who are accountable directly to shareholders or other external stakeholders and therefore also (semi-)independent of the board. They will also review the work of internal audit. Auditors therefore form the third line of defence.

That’s why auditors must be as independent as possible – they must be willing to say things that management find uncomfortable. Yet they are part of the organisation and must be sensitive to its objectives. After all, auditors are there to help ensure these objectives can be achieved.


Where does your role fit in? Help others considering a career in IT audit and cyber security assurance by sharing in the comments below.
