Opportunity-based Audit


Business risks are increasingly the prime focus of Internal Audit (1). Risk-based Audit (RBA) is the methodology which provides assurance that risks are being managed to a level considered acceptable by the board. This methodology covers the enterprise risk management (ERM) framework (2). Risk-based auditing is increasingly widening the coverage to support management decisions to achieve more objectives. By adding opportunities management to this process, the decision-making process will be improved. In this post, I would like to take a first step towards a definition for Opportunity-based Auditing.

Effective since 2006, SASs No. 104-111 required auditors to evaluate the design and implementation of internal control on all audits in order to properly identify and assess risks. The assessed risks need to be linked to the nature, timing, and extent of the audit procedures performed in response to those risks. These new standards significantly altered the methodology by which audits had been performed over the past three decades. Risk-based audits focus on the areas of highest risk to the business. These audits start from business objectives rather than controls. Their recommendations are then risk-evaluated to ensure the highest benefits (3).

Auditors have the chance to look right across their companies and identify not only best practices but also business opportunities. Internal auditors should therefore be seen as business partners by directors. Directors (as well as investors) don't like unexpected risks, but they are attracted to profiting from unexpected opportunities. They need systems to promptly identify both business risks and opportunities.

An ERM system aligns the risk involved in a process to the accepted risk appetite. The risk appetite depends on the profitability of a business. A business needs more profits to undertake greater risks. In order to adjust the risk level of a business, new opportunities should be identified. An ERM/EOM system should link the targeted profitability with its risks and opportunities.

An Opportunity-based Audit (OBA) refers to an examination of processes, based on a previous assessment, to identify the most promising opportunities to increase profits for a given risk appetite. Its goal is to recommend a strategy to change existing processes to make them more efficient.

Traditional Auditing + Enterprise Risk Management = Risk-Based Auditing

Performance Auditing + Opportunity Risk Management = Opportunity-Based Auditing





The traditional role of internal audit was reviewing the internal controls for financial statements reporting. The RBA modified this role to review the ERM system to reduce risks to an acceptable level. The OBA adds the review of the opportunity management (EOM) system to recommend business strategies. Its areas to audit are Corporate Planning, IT Planning, Marketing, HR, Public Relations and Project Management.

Notes:

(1) According to the PWC surveys of CEOs, the role of internal audit gradually changed from being focused on financials and operations (2000) to risks (2007).
(2) ISO 31000 defines risk as a deviation from the expected, both positive and negative (2.1.1). However, the described risk treatment options to avoid, transfer or mitigate can only be acceptable for dealing with threats (not opportunities). When defining risk as a threat, managing risk is managing controls.
At the time of publishing this post (August 2011), there are no references to a framework for "opportunity-based auditing". The process to identify and manage opportunities is generally overlooked by auditing.
(3) ISO 31000 includes a chapter about risk monitoring and review (5.6). It encompasses the assurance that controls are effective and efficient. It does not take a more detailed look at auditing these controls when dealing with opportunities. Controls to deal with opportunities are carried out, for instance, by marketing, corporate planning and HR.

