Risk Versus Process
Our profession is a risk-based profession. We are taught to start with the inherent risks in what we are auditing and to proceed from there. Yet is that really what you do? Let me start by asking you as a question.
What is the first key step you take in your audit? Do you start by asking your auditees about their processes? Or do you start by asking them about their perceptions of the risks their activity exposes the business to? How many of you have convinced yourselves that the correct approach is to understand the business and its processes and then to derive your own independent understanding of the risks by analysing these processes.
I must confess to the latter. One of the first audits I ever conducted was in the beautiful city of Geneva. My boss gave me a chance to practice my French (will teach me not to show off) and go and document the process for recording bond coupon payables. I did what I was asked to do in a very diligent manner. In fact, I went back to the poor operations supervisor five times before my boss was satisfied with the flowchart I had built. A true work of art!
I then sat down with my supervisor, and we brainstormed the risks we saw in that flowchart.
Slight problem.
Six months after we had published our audit report, we were informed of a fraud in the Coupons Processing Unit. It transpired that the coupons process I had audited was indeed effectively designed to manage a form of coupon. The coupon the operations supervisor wanted to discuss and show off! What I had not done is discuss the variations on the coupons that could be processed. I only documented what was presented to me and in front of my eyes. Needless to say, the fraud was related to a variation, and I had not asked about the controls that detected variations.
This is the risk – we audit what is in front of us or what the auditee wants us to audit. We do not look for control processes with the actual risks in the business.
A more monumental example, in my arena, is the manipulation of financial benchmarks. This practice costs banks millions of dollars in fines. If you had sought to audit the process designed to control this risk, you would have been disappointed. There were none! Which is exactly the trap most audit functions fell into. They derived risk from what was presented to them in terms of processes. They did not start with a blank sheet of paper and ask what risks exist.
I have one hypothesis as to why this may be the case. As a profession we frequently lack confidence. To call out a business risk that has no mitigating control processes takes courage. Frequently we are ridiculed by our auditees when we attempt to do this.
Let us start to search for this courage confident that some of the most extreme business losses have occurred where control processes did not exist at all.
Glad to hear your reflections.