Read the book Beyond Audit - Robert L. Mainardi - Page 26

INTERNAL AUDIT'S THREE PILLARS

The three pillars of risk, control, and oversight form the basic structure of any effective risk-based audit methodology. It is critical that all internal audit team members have a clear and consistent understanding of these pillars and the ability to define them to a client in nonaudit terms. So, let's briefly discuss each one, starting with risk.

Risk is the probability that an event or action will adversely impact the organization or business unit. Now that may seem like a good explanation of risk to an auditor, but business personnel do not speak in these terms. This definition seems too formal and comes off as the auditor lecturing the business partner, creating an environment like that of a teacher and a student. The key is that any introduction or interaction with a client should feel like two people discussing a process – more importantly, the business process being examined. The auditor should try to turn every meeting with the client into a conversation about the business process and focus on developing a relationship that feels less like an examination of what the business does not do well and more like an interaction between two people, where the business representative is the process expert and the other person is there to learn how the process works from start to finish. Communicating with this objective in mind will promote a healthy relationship foundation that encourages the exchange of process-based knowledge instead of a judgmental examination of the business process.

As the business process knowledge sharing meeting continues, the auditor can work with the client to discuss risks without giving the formal definition to explain it. Any time the topic of risk comes up with a business partner, one of the first things the business partner will say is “losing money is a big risk for us.” While that may sound valuable to an auditor, losing money is not actually a risk. It is an impact of a risk happening in the business process. Think of it like this: A particular business risk was realized, and it cost the company money. So, remember, losing money may sound like a process risk but it is an impact of a risk and not a risk itself.

Auditors must educate their business partner that risk is a barrier to the business team being able to accomplish their day-to-day activities to meet their business objectives. Risks do not represent impacts to the business process but impediments to the team doing their jobs.

When it comes to control, no business team is sitting in their offices looking for ways to add new controls to their process to strengthen the environment of their business operations. Most business units are wondering how they can do what they do faster so they can get more business and process more transactions. And the business effort to go faster and process more transactions creates an environment that is ultimately not well controlled. As the auditor introduces the control concept, it should be linked to the idea of removing any barriers that could impede the business process from being completed in the most effective and efficient manner.

The control concept is then easily linked to the business oversight concept. Business oversight focuses on the information the business leadership team receives indicating that all business process components are operating as intended. As stated previously, there will be a deep dive on the three audit concepts of risk, control, and oversight in Chapter 5.

Once the auditor has cleared the first hurdle of explaining the key concepts of what audit does, it is important to clarify why audit does it. Most business teams can say they understand what the audit is trying to accomplish but will follow that up with “the business process works fine without any help from audit.” This is where the auditor must be able to articulate the two potential outcomes of an audit that, in the end, are designed to benefit their business partner. One of the outcomes of an audit is that the audit results will show the business process has been effectively designed, built, implemented, executed, and accurately reported. These five factors of the business process, when done correctly, will produce the expected results. Keep in mind, every process will deliver a result. The key, which must be verified through data examination and effective reporting, is whether the business process achieves the intended result. The examination of the data and reporting should be done on an ongoing basis by the business unit and is the same information the audit team will examine during their review. The other outcome of an audit is that after a detailed review of the data and validation with the business partner, the audit reveals a breakdown(s) in the business process that does not produce the intended results. This breakdown is going to be directly linked to one of the five factors from design to reporting, and it is the job of the auditors, in partnership with their business partner, to identify the root cause (to be discussed in Chapter 7) of where the process breakdown occurred. It is always critical to ensure the business partner is involved in all aspects of the audit process. Once the business partner has obtained a clear understanding of what audit does, along with the two potential outcomes explaining the audit objective, the auditor can now detail what the business partner can expect in an audit from start to finish.
