Article Preview
TopIntroduction
Audit is a part of internal control system of any large company today. Optimized usage of constrained audit resources can improve management control effectiveness and assure compliance with regulatory requirements. Therefore, risk-based audit should work on topics in most important areas (Griffiths, 2016; Pickett, 2013). However, in spite of development in the area of risk management and auditing techniques, there is no properly established connection between risk assessment and audit planning.
Audit function generally plans its activity for a certain time horizon, i.e. a year or more. The plan is based on aggregated enterprise risk assessment and independent audit risk assessment of the most important areas of business processes and internal functions. Some topics may be prescribed by regulators or shareholders and therefore have to be included in the plan. All other possible areas constitute a set of topics that needs prioritization with regard to risk such that audit adds most value to the organization. Current practices of dimensional attribute aggregation for prioritization of audit areas in risk based audit planning is evaluated below using three typical approaches to risk-based audit area prioritization.
While auditing manuals and books provide certain guidance on planning, it is generally based on ordinal subjective scores, e.g. using a scale [0, 1, 2, 3, 4, 5] with weighted average (WA) as the aggregation function (Davis et al. 2011; Griffiths, 2016; Pickett, 2013; Rehage et al., 2008). Application of this kind of scale lacks any theoretical background from mathematics (Thomas et al., 2013). Some guides do not address this topic at all, e.g. (Cannon, et al., 2016; Hall, 2011; Senft et al., 2012). This is unfortunate because audit should concentrate on the most relevant problems. Inability to identify and prioritize the most important problems is a control deficiency itself.
A decision maker in this context is an audit manager who is responsible for audit plan development. Which areas are the most critical and need frequent coverage and which are less critical and require less frequent testing? There is a necessity for optimal resource allocation with regard to criticality of different audit assignments. The issue has a broad set of problems, e.g. how to estimate risks and necessary resources for certain tasks, the duration of the audits, the effectiveness of the audit and others.
Current practice (Cannon et al., 2016; Davis, et al., 2011; Griffiths, 2016; Hall, 2011; Pickett, 2013; Rehage et al., 2008; Senft et al., 2012) works with subjective estimates based on past experience and level of required assurance. Unfortunately, there is no recognized general model how to perform ranking of possible audit areas methodologically. Addressing this gap can contribute to audit practice. Therefore, application of a new dimensional aggregation approach to the problem of choice of possible audit areas (alternatives) according to their estimated or measured properties (attributes) is a valuable contribution.
Griffiths (2016, pp. 73-95) and Rehage et al. (2008) introduce a scored risk analysis model for audit plan development based on subjective ordinal scores. Prioritization of the audit areas and the schedule are performed based on the overall risk score of the possible areas of audit. The Griffiths’ model (Griffiths, 2016) considers three large sets of key risk factors: size of the risk or exposure, controls in place and likelihood of audit effectiveness. First, audit activities from the audit universe are combined with information from risk register and matrix, and then with information about existing controls and respective assurance level. On that ground, subjective scores for risk subfactors of the three main factor sets above are produced. Risks are assessed on the scale from 1 (smallest) to 5 (largest). There are weights for each factor that constitute importance in the final formula. The weights only can take values 1, 2 or 3, and the three main factor sets are not weighted (i.e. have equal importance). Next, all the scores are aggregated using weighted sum to a final score (Griffiths, 2016, p. 85). The final risk score is then normalized by multiplying it by an arbitrary value of 200. The larger the result, the more important the area is for auditing. This final score value is then compared to predefined ranges to obtain the relative priority of the areas.