BarnOwl Info Sharing Insight: Empowering Insight, Enhancing Governance Mastering Risk and Control-Based Auditing Session 2 presented by Stephen Helberg and Scott Goddard, Directors, GRCReady

Introduction


Thank you very much Stephen and Scott for your most informative presentation on ‘Mastering Risk and Control-Based Auditing (part #2 on Audit Execution)’ at the BarnOwl info-sharing event held on 27th June 2024. Thank you too, to all those who attended the session.

Through practical examples and insightful discussions, Stephen showcases how a risk-based approach can transform your audits from mundane tasks to strategic drivers of organisational success.

Is your internal audit team grappling with audit fatigue? Are your audit stakeholders feeling disconnected or frustrated due to prolonged audit processes yielding minimal relevance?

Selecting the appropriate approach can elevate internal audit as a trusted advisor, championing good governance practices, fostering stakeholder engagement, and yielding more meaningful and actionable insights.

A risk-based audit methodology initiates with a comprehensive assessment of the risk landscape, serving as the foundation for the audit plan. In this approach, the primary objective is to address the organisation’s most critical risks.

While many audit departments claim to adopt a risk-based approach, often their audit plans are structured around departments, functions, or processes, primarily focusing on compliance with internal policies and external regulations.

A truly effective risk-based audit methodology commences with an evaluation of the organisation’s top risks and overarching business objectives. Subsequently, all audits within the plan should be tailored to mitigate these risks and provide valuable insights to senior management.

Risk-based audit plans hinge upon defining the organisation’s risk appetite, identifying inherent risks, and prioritising high-risk business processes. Alignment with the organisation’s risk profile, macro business processes, strategic objectives, and legal obligations is imperative. We delve deeper into understanding these essential “filters” during our discussion.

In our previous meeting, we discussed the annual (or rolling) internal audit plan to ensure the Board Audit and Risk Committee (BARC) feels confident that the right areas are being audited. In this session, we explore how a risk-based approach can elevate your audits from routine checks to strategic game-changers for your organisation:

  • Internal Audit Services that Companies Require: What are the key audit services that align with organisational needs?
  • Practical Examples and Case Studies: Discover how a risk-based approach, including end-to-end macro process audits and COSO framework design audits, can yield powerful results.
  • Quality Control in Audit Projects: Learn how to maintain high standards and consistency across audit projects.
  • BARC Reporting of Systemic Issues: Explore effective strategies for presenting audit findings to the Board Audit and Risk Committee.
  • Customer Feedback Examples: See how customer input can guide and improve audit processes.

Agenda


Evolution of the Profession


Before 2020, the audit focus was on the core areas of financial reporting and compliance with requirements such as SOX sections 302 and 404, the King Code and ASX Principles 4 and 7. Since early 2020, customer needs have changed significantly towards strategic value. What does this mean, and how do we make sure our audit plan focuses on the risks and business initiatives that really matter?

Customer Survey and Board Audit and Risk Committee (BARC)


Some of the key take-outs from this feedback include:

  • At present there is too much overlap of assurance functions resulting in a strain on the business.
  • The scope of services is too narrow and should look at broader and strategic risks and facilitate best practice.
  • There is a lack of understanding of the CA’s role and scope.
  • Internal Audit needs to demonstrate its value: how do we show shareholders that IA is a good investment?

At one of the early Board Audit and Risk Committees of a large mining company, a Director asked me:

  1. "How do we know that you are doing the right audits?" and
  2. "How do we know that every audit is executed properly?"

If we audit the wrong areas brilliantly with capable people or if we audit the right areas poorly, we are not providing the real value we could and should be.

Internal Audit role and position of Risk based auditing

To see where risk-based auditing fits into the IA strategic plan, start from the purpose of an IA function: the work we do is predicated on the organisation's material business risks. This does not mean the audit programme is aligned only to the risk profile; there are a number of important "filters" that should also be applied to ensure you are planning to do the right audits.

There are nine (9) key performance areas which apply to any IA function. We have developed an extensive maturity assessment model which assesses all nine. The following is an example of a typical audit maturity assessment:

End to End Process Auditing


Everyone says they do ‘risk based’ internal audit work.

We recognised that we did risk-based planning, which we looked at in our last session, but once an area was identified for review we then applied a standard audit response.

In transforming our methodology at a large mining company, we decided we also wanted to apply a risk-based approach to our audit response to risk areas, and therefore co-developed an Audit Response Continuum (ARC) with EY and the client.

End-to-end process auditing was the technique we identified that covered all the customer needs and delivered real commercial value.

What is an end-to-end process audit?

  • An end-to-end process audit is a thorough review of a complete business process from start to finish.
  • It involves defining the process scope, mapping the process flow, collecting data, evaluating performance, assessing risks, and conducting a gap analysis.
  • The audit assesses the governance framework in place to manage the end-to-end macro process, identifies inefficiencies, risks, and compliance issues, providing actionable recommendations for improvement.
  • The findings are documented in a detailed report, and follow-up audits ensure that improvements are effective and sustained.
  • This comprehensive audit helps organisations optimise processes, enhance productivity and ensure regulatory compliance.

Case Study: How to approach an end-to-end review

Steps:

  1. Select Process
  2. Scope & objectives (risk based)
  3. Execute Projects
  4. Collate and Analyse Results
  5. Process Level Conclusions
  6. Reporting

Step 1: Select process

A structured, logical and coordinated approach was taken to identify potential end-to-end process reviews:

  • Start with the organisation value chain – we developed a tailored mining industry model, but you could use a generic model, for example by using the modules of SAP or your ERP system as a base.
  • Processes within the value chain were identified and defined to ensure consistent understanding during scoping. We identified 8 core mining activities and a further 13 support processes.
  • The next step was to evaluate and prioritise processes based on the process value and ease of execution. Each process was rated on a scale of 1-10 for these two factors and results plotted on a 2×2 matrix to determine a short list of projects. Ease of execution was considered an important factor as we wanted to ensure a successful outcome for the first ‘pilot’ project.
  • Shortlisted projects were analysed in more detail to develop a high-level proposed scope and objectives. An overall evaluation summary was prepared for the Group CEO and Group CFO which detailed the following factors for each process:
    • Process description
    • Value of the process to the business (narrative)
    • Process risks
    • High level scope

Step 2a: Select Scope & objectives (risk based)

Using the procure-to-pay process as an example, we workshopped (with relevant stakeholders) the end-to-end procure-to-pay sub-processes across the business and identified who is accountable for each. This requires a lot of up-front time but is critical to get right: it keeps the key stakeholders involved in the audit planning and throughout the audit delivery.

We used subject matter experts from the Business Advisory area, working in conjunction with the internal audit specialists, to analyse the process and apply their own benchmarking and leading-practice knowledge to understanding it.

We also made use of data analytics to understand the scale, complexity and sequence of the process.

Step 2b: Scoping – Risk Assessment

For each sub process, the risks and control practices were considered to apply an overall risk assessment to each sub process. This was used to derive the focus areas for detailed audit work across the end-to-end process.

Once this was completed, we considered which locations/business units we needed to engage with to undertake the testing. Where there was a range of locations which could be included, we determined a clear strategy for selecting locations for inclusion and again obtained stakeholder input and buy-in to the operations selected.

This is very different from the normal practice, where we looked at a location and selected high-priority activities, which meant we made local recommendations and were not able to draw overall conclusions at group level.


Step 3: Execute projects

The audit approach was centrally planned to ensure consistency and then executed at each business unit/shared service in scope.

Internal audit reports were prepared for each location, which highlighted findings and sought management actions for any issues in their location.

However, if you stop here, you will not leverage the full value of the end-to-end approach.

Step 4: Collate and Analyse results

To develop this overall process view, the first step is to review all the findings and map issues across each of the business operations reviewed.

This generates a clear picture of where consistent issues are occurring in the Group. It then allows the auditors to identify common and potentially systemic issues in the process across the Group.

Root cause analysis of the issues is very important. Are the underlying reasons for these issues outside the control of local management, so that all they can do is apply local mitigating controls rather than an efficient and effective solution?

This is one of the really powerful applications of end to end auditing as the interaction with other operations is clearly exposed and considered.

Whilst as auditors we naturally focus on the issues, we also realised that the 'blank' squares, indicating businesses which do not experience these common issues, were worth investigating to see how they had avoided them and whether this represented best practice that needed to be shared.

This led us to also capture examples of leading practice in one operation (where the savings were measured and quantified as part of a Six Sigma improvement programme) and to share these across the Group as an example of what could be achieved if the process was redesigned.
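The collation in Step 4 can be expressed as a findings grid: issues down the side, business units across the top, a mark wherever the issue was raised. Issues raised in most units are candidates for systemic, group-level treatment; the blank squares on those rows are the units to ask about leading practice. The following is an added worked example written for this write-up, not code from the presentation or from the BarnOwl product. The issue names, unit names, ratings and the 50% threshold are constructed for illustration.

```python
"""Collate location-level audit findings into an end-to-end process view.

Added illustration of the Step 4 collation described above. The findings,
unit names and the 50% 'systemic' threshold are constructed sample data,
not taken from the case study.
"""
from collections import defaultdict

# Business units in scope for a hypothetical procure-to-pay review.
UNITS = ["Mine A", "Mine B", "Mine C", "Smelter", "Shared Services"]

# Constructed sample findings: (issue, business unit, rating).
FINDINGS = [
    ("PO raised after invoice received", "Mine A", "High"),
    ("PO raised after invoice received", "Mine B", "High"),
    ("PO raised after invoice received", "Mine C", "Medium"),
    ("PO raised after invoice received", "Smelter", "High"),
    ("Vendor master changes not independently reviewed", "Mine A", "High"),
    ("Vendor master changes not independently reviewed", "Mine C", "High"),
    ("Vendor master changes not independently reviewed", "Shared Services", "High"),
    ("Duplicate vendor records", "Mine A", "Low"),
    ("Duplicate vendor records", "Mine B", "Low"),
    ("Three-way match override without approval", "Mine B", "Medium"),
]


def build_matrix(findings, units):
    """Return {issue: {unit: rating or None}}, with every unit present per issue."""
    matrix = defaultdict(lambda: {u: None for u in units})
    for issue, unit, rating in findings:
        if unit not in units:
            raise ValueError(f"finding for unit outside scope: {unit}")
        matrix[issue][unit] = rating
    return dict(matrix)


def systemic_issues(matrix, threshold=0.5):
    """Issues raised in at least `threshold` of the units reviewed.

    Returns {issue: [units where raised]}, most widespread first, so the
    pervasive process-design problems head the group-level report.
    """
    hits = {}
    for issue, row in matrix.items():
        raised = [u for u, r in row.items() if r is not None]
        if len(raised) / len(row) >= threshold:
            hits[issue] = raised
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def blank_squares(matrix, systemic):
    """Units that do NOT show a systemic issue: follow up for leading practice."""
    return {issue: [u for u, r in matrix[issue].items() if r is None]
            for issue in systemic}


def render_grid(matrix, units):
    """Plain-text findings grid, 'X' where the issue was raised at a unit."""
    width = max(len(issue) for issue in matrix)
    lines = [" " * width + " | " + " | ".join(units)]
    for issue, row in matrix.items():
        cells = [("X" if row[u] else " ").center(len(u)) for u in units]
        lines.append(issue.ljust(width) + " | " + " | ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    grid = build_matrix(FINDINGS, UNITS)
    print(render_grid(grid, UNITS))
    for issue, where in systemic_issues(grid).items():
        print(f"\nSystemic: {issue} ({len(where)}/{len(UNITS)} units)")
        print("  absent in:", ", ".join(blank_squares(grid, [issue])[issue]))
```

The threshold is a judgement call rather than a rule; a lower value surfaces more candidates for root cause analysis, and any issue that appears only once stays a local finding for the location report.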

Step 5: Process Level Conclusions

The next main areas to consider in your planning process are follow-up reviews of prior years' high-rated audit findings and of systemic or recurring issues.

We identified and analysed systemic issues further and, in a few cases, highlighted issues that exposed material deficiencies at group level.

If you report individual audits you will not be able to see systemic issues or trends. These may indicate a larger issue at a group level, which should be audited.

All the process design issues were grouped and extrapolated to form a view of the total potential value leakage across the process. This value leakage can be both real cost (control effectiveness) and opportunity cost (process efficiency). Across an end-to-end process we expect to find:

  • areas where improvements can be made to mitigate key risks (first and second bars on chart)
  • areas where there is potential ‘value leakage’ (third bar on chart)

Whilst any extrapolation process has its limitations, it does provide some quantification of the potential ‘size of the prize’ available if management review the overall process design.

Step 6: Reporting

This shows the complete suite of reporting with overall process recommendations.

This allows internal audit to stand back from the detailed findings and consider the overall process environment in terms of control design, effectiveness and operational efficiency.

Example of reporting:

  • Systemic issues identified: analysed further, with group-level issues highlighted.
  • Individual audits reported on their own: systemic issues and trends cannot be seen.

Quality Control of audit projects

The following measures were built into the audit execution methodology:

  1. Peer input into audit scope and objectives.
  2. A structured ORCA process and workflow.
  3. A structured approach to testing.
  4. Business rules for pre-issuance reviews.
  5. An audit completion checklist for each audit.
  6. EAMs are to supervise all audits and ensure that their team has appropriate skills, knowledge, clear instructions, and complete workpapers that support audit results.
  7. Supervision and review
  8. EAMs are to coordinate and diarise a peer review for all final draft audit reports.
  9. EAMs are to coordinate a pre-issuance peer review of the report and ORCA for audits that are high risk in the audit plan and have one or more objectives with a control rating of “Priority 3”.

EAMs are to keep the EGM IA informed of high sensitivity audits.

Value to customers

Identifying systemic issues gives the opportunity to achieve an efficient solution to control issues and/or savings by avoiding value leakage.

Findings are presented to those who have the authority to effect high-level change to process design.

Issues which lie across boundaries of operational responsibility can be addressed rather than being ‘out of scope’ of a traditional audit planned by operational silo.

This is facilitated by root cause analysis of findings, as the root cause of an issue in one area may be a processing practice in another area.

This also leads to stakeholders having a greater appreciation of how their area interacts with and impacts other areas.

It is also a powerful mechanism to identify and share leading practices, which avoids 'reinventing the wheel' and duplicated cost in developing multiple control solutions, and gives greater consistency in controls across the process.

Finally, by quantifying the potential value leakage identified by the internal audit process, internal audit is re-positioned as a great investment in operational diagnostic work rather than a financial/compliance cost to the business.

In our case, the CEO and CFO insisted that we now schedule one end-to-end review each year. The potential value leakage identified in our first project will pay for the internal audit function for many years.

Wrap Up

Internal Audit:

  • a way of fully delivering our mandate as defined by the IIA: value-adding consulting activities which focus on the organisation achieving its objectives.
  • is not just about managing risks; it also encompasses adding value to and improving an organisation's operations.

Benefits are:

  • Opportunity to address key strategic risks.
  • Mechanism to bring together a large range of findings to form an overall view of a process.
  • Transform how internal audit is viewed, from a financial/compliance focus to a commercial value add.

Conclusion

This methodology demonstrates a structured, logical and coordinated approach to ensure that we do the right audits and that every audit is executed properly. This approach provides confidence to your stakeholders that Internal Audit is a good investment and contributes actively to the value creation of the company.

Presentation and video links

Please see attached presentation here, and the info sharing recording here.

Related links

https://barnowl.co.za/knowledge-centre/integrated-grc-insights-blog/6-ways-risk-based-auditing-adds-value-to-your-organisation/
https://barnowl.co.za/knowledge-centre/integrated-grc-insights-blog/4-ways-auditors-can-add-value-to-your-organisation/
https://barnowl.co.za/knowledge-centre/

Contact us

Cheryl Keller | BarnOwl | cheryl@barnowl.co.za
Stephen Helberg | Director | GRCReady | Stephen@grcready.com
Scott Goddard | Director | GRCReady | Scott@grcready.com

Thank you

Once again, thank you Stephen and Scott for your time and for your informative presentation and thank you to all those who attended our info sharing session. We look forward to seeing you at our next info sharing session. Please keep a look out for our upcoming events at:
http://www.barnowl.co.za/events/

Kind regards
Jonathan Crisp
Director – BarnOwl GRC and Audit software

About BarnOwl:

BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 150 organisations locally and internationally. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.
Please see www.barnowl.co.za for more information.

About our guest speakers