Perhaps one of the largest dilemmas auditors face is being able to give stakeholders of any business they audit a level of confidence that they have captured and assessed 'all' material risks that threaten the company. A thumbs up if you prefer after an audit has taken place that the audit went well and the results are sound.
If risk is the effect of uncertainty on objectives, as the ISO 31000 global risk standard states it to be, it follows that senior managers often expect auditors to report on their coverage during a risk assessment exercise. They may also be keen to know what additional uncertainty may remain once the audit report has been published.
In this blog posting we are going to describe the auditor's dilemma and in future blog postings we will untangle this paradox.
If risk is the effect of uncertainty on objectives, as the ISO 31000 global risk standard states it to be, it follows that senior managers often expect auditors to report on their coverage during a risk assessment exercise. They may also be keen to know what additional uncertainty may remain once the audit report has been published.
In this blog posting we are going to describe the auditor's dilemma and in future blog postings we will untangle this paradox.
How certain are you?
Some people would see the requirement to state clarity or perhaps fidelity of an assessment about uncertainty as being a totally bizarre and unacceptable thing to demand from any, even an auditor.
'Uncertainty on uncertainty' if you prefer, and while expressing a position of quality in such matters seems a completely unreasonable thing to ask of anyone, it often plays out in management situations that are laden with painful dialogues that go along the following kind of lines.
'Uncertainty on uncertainty' if you prefer, and while expressing a position of quality in such matters seems a completely unreasonable thing to ask of anyone, it often plays out in management situations that are laden with painful dialogues that go along the following kind of lines.
"You assessed various risks in our department and found that we have a said X% chance of a loss greater than $50,000 but how confident do you feel that there aren't errors in your assessment?
Do you know the types of errors you experience when you, as the auditor, assess randomness in any of our business process and how large could this uncertainty or your exposure to business reality become?
As an auditor, do you feel comfortable that you have covered everything and what is good coverage for us anyway?
Risk Based Auditor's view of the business
It is amazing that auditors attempt to press through with an audit when such a wide scope is open but many of them do. Nonetheless, several constructive outcomes or second tiers of investigation and importantly realization should be spawned on from the simple dialogue we express above. I have listed this 'investigative realization' below and auditors should avoid entertaining it in defensive manner.
[1] COVERAGE
Firstly, is it possible that we can audit every single aspect of any business process taking in every transaction, count every bean, observe perpetually the operation of each control and accurately capture all anomalies that may have occurred? Is that even feasible to ask of an auditor, this probably isn't possible to achieve but more importantly if it was possible, is it a good use of an auditor's resources when we are paying for the auditor's time?
Let's assume that this hundred percent coverage fantasy was possible, perhaps then the auditor should double check their assessments and for every single item. Why not triple check the audit samples just to confirm that what they have observed the first time round is accurate. Surely we need to be comfortable that we don't have any significant material errors in the audit results as an outcome of the auditor's work.
[2] SIGNIFICANT
On the subject of significance, what is materially significant to begin with and what is the level of accepted accuracy?
Where do these two thresholds begin to become important to our stakeholders?
[3] RELEVANCE
Finally, is absence of evidence truly evidence of absence in our audits?
That is, if the auditor was unable to discover material control weaknesses or evidence that such things have occurred during an audit, how can we truly know reliably that what we have in an audit result isn't just some kind of informal fallacy [LINK].
The Audit Paradox
We can address each of these three axioms of the auditor's dilemma in an elegant and individual manner by approaching an audit exercise through a Risk Based Framework. However, simply entertaining a typical 'untargeted' assessment of uncertainty in a business unit being audited, as so often happens with audit activities, will generally leave the auditor exposed to the types of quality issues we have described.
All faring well I will publish a paper on such a Risk Based Audit Framework in the near future that addresses these dilemmas.
All faring well I will publish a paper on such a Risk Based Audit Framework in the near future that addresses these dilemmas.
Understanding the industry and the business might be key to reduce risk and perform meaningful analytical checks
ReplyDelete