It is no longer the case that audits are carried out based on conventional rules and procedures, on business units and divisions, or on a risk assessment. The current coronavirus pandemic and recent events worldwide have confirmed that audits should be based on both the existing and the future risks facing the entity being audited. Any audit practice must adopt this approach to remain relevant.
It is no longer possible to conduct an audit as usual. Previously, auditors typically had an audit plan at the start of the year that included business processes and divisions or units. This audit plan, once approved by the board of directors, would be followed religiously throughout the year, regardless of what happened. It allowed for little or no flexibility because the audit plan was considered law.
While having audit plans in place is still encouraged, such plans must allow for flexibility. They should be designed so that changes can be made at the drop of a hat, depending on the current state of affairs involving the business.
Using COVID-19 as an example, regardless of what audit plan was approved for a business for the year 2020, almost all businesses should have conducted an audit of their ability to deal with the challenges of COVID-19 to their business as soon as the pandemic was declared. This would have been what was most important to the business at the time, rather than whatever was on the audit plan. Alternatively, the audit of the business’s readiness to deal with the challenges of COVID-19 and whatever else is on the audit plan can take place concurrently.
Business owners and management would most appreciate and value this, while business sustainability would benefit the most. We can all agree that the business’s long-term viability is critical. There will be no need for auditing where there is no business.
Auditors need to work more closely with the first and second lines of defense. Until recently, auditors have been so comfortable in the third line of defense and being referred to as the last man who comes in ‘after the fact.’ This comfort is further strengthened since the audit practice enjoys a large degree of regulatory and board support.
Auditors are quick to mention these resources when confronted with roadblocks, even when the audited entity is reasonably asking pertinent questions that appear to be push-back. In plain terms, auditors have dissociated themselves from the business itself long ago, reveling in just coming along to check what everyone has done or is doing.
The audit team usually leaves the first and second lines of defense, which consist of the process owners and other assurance practices, such as risk management and compliance, to put out fires and make the business look good. The auditors come in much later to ensure things have been done according to laid-out processes and procedures.
While this is not necessarily out of place, as it is the sheer nature of the audit practice, it is fast becoming old-fashioned and is quickly being refined. Auditing must also project itself as a business-conscious practice to remain relevant. In other words, the audit practice has had to join the fire-fighting, albeit slightly differently, which is where risk-based audit comes in.
A professional skeptical mind will no longer be enough to be a good auditor. A great auditor will no longer be one who can just look at a set of processes and procedures and tick off if these processes and procedures are being adhered to. It wouldn’t even be enough to just be able to determine if a process and procedure are operating effectively. Much more strategic thinking and business orientation will be required to be a great auditor.
The best auditors will be those who familiarize themselves with the business they are auditing within. As a result, such individuals would be able to identify the risks associated with that business and the units that comprise the business. Such individuals would be able to do more than just identify these risks; they would be able to analyze them and, as a result, make appropriate audit decisions about what to audit and make appropriate audit recommendations.
Audit Based on Risk Assessment: Designing a Risk-Based Audit Practice
At the heart of designing a risk-based audit practice is identifying internal and external business risks that the business faces at present or in the future.
Designing a risk-based audit practice would therefore involve:
- Conducting a risk assessment: This can be done in various forms depending on what is available and what is not. A risk assessment of a business commences with a process of identifying all risks associated with the business, both current and future. These identified risks are then analyzed in light of the current business realities to determine if they are still potent business risks, where they are, and how seriously they would affect the business were they to occur.
Where there is already a certified risk register which is a repository of all possible risks a business might encounter, the risk assessment can be done based on this risk register. Sometimes, the risk register already contains some level of assessment. Where this is the case, this assessment is simply analyzed against current realities. This serves as the background tool for an audit plan.
- Designing a flexible risk-based audit plan: Following the risk assessment report, an audit plan is developed, prioritizing the areas with the highest risks to the business as shown in the risk assessment report. However, it is important to point out that the audit plan must also remain flexible and accommodate changes as the business realities evolve during the year.
- Recruiting audit staff with the right skills but, most importantly, the right mindset: It’s important to note that this may ruin all the good work if not handled properly. Audit staff members who understand and embrace the new face of an audit will be required to carry out the risk-based audit plan and ensure its success in enabling the business. Audit staff with a risk-taking mindset would be ideal for this position.
Benefits of Risk-Based Audit
The following are the benefits of a risk-based audit derived from the preceding:
- Risk-based auditing puts the audit practice in a position to assist the business with its most critical requirements at any point in time. Audits are conducted in areas with more business risks. Audit reviews will be extremely beneficial to the business’s ongoing operations.
- A risk-based audit gives stakeholders greater confidence that the business and its activities are being carried out correctly. Internal and external stakeholders can both sleep better at night knowing that audit reviews are being carried out per the risks that are most prevalent in the business at any given time.
- A risk-based audit ensures that the business is proactively prepared to tackle emerging risks even when they are yet to crystallize. With a risk-based approach, future or emerging risks are quickly identified, and control measures are set in place such that the business is either not impacted or experiences only a small effect when those risks finally emerge.
- Proactively identifying opportunities. The risk-based audit allows for identifying areas for improvement and expansion for the business due to certain risks identified and the controls put in place to address them. Certain risks and controls can occasionally present the business with new opportunities.
Risk assessment is a critical component of audit planning. and evaluate the risks of material misstatement, whether due to error or fraud, at the financial statement and relevant assertion levels, which helps us design additional audit procedures. Using COVID-19 as a case study, the audit practice’s audit of the business’s readiness to cope with the challenges of the pandemic would have meant working with the risk management team to identify the key risks and assess the business gaps. This would have involved the process owners, the first line of defense. This way, the audit practice enshrines itself in the minds of the business and process owners as a business enabler.