Updated July 3, 2011
Auditing functions and processes - versus auditing just financial statements - has become a hot topic in many areas.
Enterprise risk management is one of those "many areas."
This raises three questions:
- Who audits the program - internal auditor or external auditor?
- How in-depth should the audit be?
- What qualifications should an auditor possess?
As with most things in the risk management world, there is more than one "correct" answer because "it depends."
Inside, Outside
Should the risk management audit be conducted by an internal auditor or should it be jobbed out to an outside person or firm?
If an in-house auditor is used, there must always be a suspicion that the auditor will be less than totally candid; after all, the auditor's job is on the line.
Will the internal auditor check with Very Senior Management to determine what the audit is expected to convey? Will the auditor "adjust" the report to present something in a better, or lesser, light than reality demands?
One other thing: An internal audit is easier for management to quash, brush under a convenient rug, than an outside auditor's report.
While an independent outside auditor may have less to fear from an upset client, the auditor will need to be privy to sensitive client information; information that could damage the client - or the client's clients - if it fell into the wrong hands.
Even with an iron-clad Non-Disclosure Agreement (NDA), with the right enticement, an external auditor might be convinced to share client information.
Of course that also holds true for an internal auditor, especially one who feels his or her work is in vain.
Drilling down
Just how deep should an auditor investigate?
Is the auditor expected to gloss over the organization at "20,000 feet," the altitude at which some managers expect their risk managers to operate? Or, should the auditor drill down to the process level? The real question is: what does management want from the audit?
Does management want the auditor to provide a cursory check-list comparison of plan vs. reality or does management want the auditor to delve into each of the plan's statements - maybe even call for, and observe, an exercise?
It was not so long ago that a financial auditing firm - one of the once "Big Five" - found itself spurned because it glossed over a client's weaknesses.
The thoroughness of an audit may be tempered by sensitivity of information or driven by regulation or "Generally Accepted Auditing Standards," a/k/a GAAS, as well as management's mandate to the practitioner. The effectiveness of the audit depends solely on management's commitment to, acceptance of, and implementation of audit recommendations.
Who should audit
Once what should be audited and at what depth is determined, the next logical question is: What should be the auditor's qualifications?
I have worked with auditors who knew the field in which they were working and I have worked with people who are innocents in the field they were asked to audit.
The former can be either like the risk management practitioner who is in love with what he or she does and approaches it enthusiastically or like the risk management practitioner who creates programs according to a checklist. (Checklists are valuable, but must only be a starting point to assure all bases are considered.)
The enthusiastic auditor approaches the job as an opportunity to help everyone improve the organization. The risk management practitioner's work is vetted by an outsider who may only know enough about risk management to ask questions: "What if . . . " and "Why was this recommended?"
My long-time mantra was, and continues to be, "No plan is perfect the first time out." If early exercises fail to turn up something to address, something is wrong with the exercise. Auditors could find a "got'cha" missed during an exercise just by challenging the practitioner's notions.
Auditors thrown into audits of areas in which they have little or no knowledge need to have a network of people who can give them direction; suggest things to examine closely for each unique client.
It helps if the auditor, with or without knowledge of the audit subject, has good interview skills. An audit that is limited to document examination is, in most cases, an incomplete audit. If a document is the basis of the audit - as it normally would be with a risk management audit - the auditor needs to assure that what is documented can be accomplished and is being accomplished.
Change auditors
Parting shot: Change auditors frequently.
The same admonishment applies to risk management practitioners as well. (If the risk management is an in-house operation, consider hiring a consultant once every "n" years just to get a new perspective.)
Regardless of what is being audited, the auditor or auditing firm should be replaced, "rotated out," every few years - perhaps every three years, perhaps every five years.
Auditors have a vested interest in keeping the business, be it as a staff auditor or as a consultant. A less than totally honest auditor could "hide" a previous year's mistake year after year - or until a new auditor (from a different firm) is invited to perform a new, "from the ground up" audit.
Even a totally honest auditor may fail to see a situation that needs attention that was ignored in a previous audit.
Auditors are our friends
I am absolutely convinced that a good auditor can be a valuable asset to any risk management program; I welcome auditors who care about their work to critique my programs.
It's good for me.
It's good for my client.