The right fit: auditing ERM frameworks; Enterprise risk management reviews provide assurance that the organization has a sound b


THE AUDIT PROCESS

Although ERM framework audits resemble other audits in their basic process, they vary in content because of the unique nature of each framework. Auditors must assess whether their organization's framework meets its needs adequately.

SCOPE Although scoping is an important step in any audit, it is particularly critical with ERM frameworks because risk management activities form a pervasive function that is often not labeled as risk management. For example, an organization may have an operating procedure manual that serves to manage risk, but it isn't called a risk management manual. Each organization relies on different combinations of systems, people, and technology to identify and manage risk, all of which auditors must cover in their review. An ERM audit may need to include reviewing the operational training program if risk management is part of the training. Internal auditors can gain an understanding of the objectives, process, maturity, business conditions, and risk profile of an organization by examining key aspects that define the business, such as:

* The organization's purpose, mission, programs and services, objectives, and key results.

* Key stakeholders within and related to the organization, including resources, clients, and suppliers.

* Key work processes and control systems to deliver the organization's mission and objectives.

* Business cycles of the programs, services, and core activities and their interaction with other business cycles.

* Locations where the services and programs are delivered.

* Conditions under which the programs and services are delivered (e.g., economic, legislative, political, or legal).

* Trends or stability in the above factors.

It is crucial that the auditor understands the organization's exposure to risks and threats as well as its history in dealing with them. For example, in an audit of a large government department, Interis' auditors spent the first third of the assignment planning, scoping, understanding the environment, and gaining a sense of its philosophical approach to risk and the high-level risks that impacted its work. Once they had a grounding in the organization, they divided it into key areas, such as operational functions and human resources, and narrowed the audit to the three areas where risk management mattered most. Team members were assigned to each of these areas to learn as much as possible about the policies, processes, and tools that their area used in ERM, which provided the context for designing and conducting the audit program.

OBJECTIVES AND CRITERIA When reviewing an organization's ERM framework, the auditor aims to provide reasonable assurance that its business practices are sound and sustainable, informed by risk information that aids the organization in responding to risks effectively and efficiently. When developing the audit objectives and criteria, auditors should:

* Tailor the conceptual ERM framework model to match the organization's environment. For example, an organization that has just implemented a risk management program would not likely have results from a monitoring program.

* Align audit criteria with the four components of the ERM framework model. An audit of a new risk management program would likely specify monitoring criteria based on the existence of a monitoring strategy, rather than results from the monitoring program.

* Keep a broad perspective when prescribing the business practices they expect to find to ensure that the organization has the flexibility to adapt to its business conditions and that all practices designed to manage risk are considered.

In addition, auditors should obtain management buy-in for the audit criteria at the beginning of the audit. If management doesn't agree with the criteria against which the assessment is made, there will be resistance to the audit conclusions and recommendations.

EXECUTION Conducting interviews in an ERM framework audit requires experience and depth in general management practices, because ERM encompasses business practices that are associated with other fields such as finance, compliance, operations, and security. Although a variety of procedures can be used, most audits use interviews and document reviews. Determining who should be interviewed should be aligned with the organization's risk objectives. For example, if the ERM program is designed to be comprehensive, auditors should consider interviews with a broad list of representatives from across the organization. Auditors must adapt questions to tap into the interviewee's body of knowledge and to rephrase unfamiliar terminology. In judging the quality of the risk information in an organization, they should look for evidence that the uncertainty in decision-making is reduced because management has access to relevant and accurate facts about possible undesirable consequences from events that could affect the organization's objectives.

When conducting an ERM framework audit, auditors should:

* Listen to the clients. Auditors should take time to understand clients' business objectives, competitive environment, risk exposure, and risk tolerance. Auditing an ERM framework is not about comparing it to a checklist of features but ensuring that it will enable the organization to achieve its objectives. For example, Interis' auditors helped a software company's chief financial officer use ERM to ensure that she was notified as soon as any of the firm's project delivery schedules were delayed. When she received this risk information in a timely manner, she was able to take actions to offset the postponement of revenue from the client by forgoing expenditures or investigating whether other projects could be accelerated, allowing the company to meet quarterly revenue expectations.

* Recognize that ERM frameworks are works in progress. Frameworks change depending on the business context and the maturity of the organization. To determine relevant recommendations, it's important to understand where the organization was in the last audit period, where it is now, and where it's going. For example, a new government department had a high level of ERM maturity in operational areas that were core to the business but had very little maturity in corporate management areas. In making recommendations, Interis' auditors bore in mind that the department started with no ERM framework two years earlier; the important point to consider was how far the department had traveled on its path to a strong ERM framework and which recommendations would best enable it to accelerate progress in weaker areas.

* Acknowledge that ERM can look very different. Some organizations have ERM embedded in systems. For example, financial institutions typically have clear guidelines for staff regarding the benchmarks that must be achieved before a client qualifies for a particular product or service. Other organizations allow a great deal of leeway for managers to make judgment calls.

* Be on the lookout for hidden ERM practices. Risk management is not a new concept, but people within an organization may not label their risk management practices in those terms, especially in organizations where the ERM framework is in an ad-hoc or initial state. Experienced auditors examine policies, functional units such as human resources, and operational parameters for embedded ERM. If managers can answer the question, "How do you know when to ...?", then there is a policy or practice that supports ERM. In fact, risk management practices that are embedded in all aspects of an organization may even be a sign of an advanced ERM framework and capability, where ERM is so much a part of the work environment that employees don't consciously separate it based on risk terms.

When evaluating ERM frameworks, it is important for auditors to note that ERM should not be done for its own sake, as a simple compliance exercise. They should focus on ensuring that the true value of ERM--its ability to support enhanced decision-making across the organization--is realized.

REPORTING The most difficult task in an ERM framework audit is to reach conclusions and make recommendations. Once findings have been gathered and aggregated for each criterion, the auditor considers the extent to which the organization's ERM framework in that area meets its objectives. Audit recommendations should be reasonable and achievable, bearing in mind the organization's risk profile and objectives.

When drafting the audit report, auditors should explicitly and thoroughly describe what they found as the organization's context so that readers will have a foundation for interpreting the results. They should include a brief sketch of the relevant contextual information with each of the recommendations so that they are always tied back to the organization's risk profile and objectives. In this way, the report will serve as a benchmark of the current state of the organization's ERM framework, and provide a useful tool for implementing the recommendations.

FINDING THE BALANCE

A strong, audited ERM framework provides assurance that an organization is managing risk and can make the necessary and timely adjustments on the road to achieving its objectives. It can also provide a solid foundation for business decision-making. Because ERM audits must adapt to the different nature of ERM frameworks, a suite of best practices can be helpful for assessing ERM in action. Ultimately, the future of ERM is in integrating ERM frameworks into day-to-day functions. Along the way, auditors play a valuable role in helping their organization to evolve a framework that fits its needs.

To comment on this article, e-mail the author at alexandra.psica@theiia.org.

ALEXANDRA PSICA, CMC

MANAGING PRINCIPAL

COPYRIGHT 2008 Institute of Internal Auditors, Inc. Reproduced with permission of the copyright holder. Further reproduction or distribution is prohibited without permission.

Copyright 2008 Gale, Cengage Learning. All rights reserved. Gale Group is a Thomson Corporation Company.

NOTE: All illustrations and photos have been removed from this article.

