Changing the Audit Paradigm
Moving from Risk Based Internal Auditing to Consequence Based Internal Auditing
I have written extensively on my approach to determining likelihood, as a function of control effectiveness rather than determining likelihood based on time, frequency and/or probability.
What’s important to note though, is that using this latter approach means that we also have to shift our paradigm in the development of audit and assurance programs. In essence, we need to move from risk-based auditing to consequence-based auditing.
What is risk-based auditing?
There are several definitions for risk-based auditing:
IIA defines risk based internal auditing (RBIA) as … a methodology that links internal auditing to an organisation’s overall risk management framework. RBIA allows the internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. [ref: Institute of Internal Auditors (Global)].
According to Wikipedia: “RBIA is an internal methodology which is primarily focused on the inherent risk involved in the activities or system and provide assurance that risk is being managed by the management within the defined risk appetite level”.
In essence, risk-based internal auditing follows the following methodology:
- The risks assessed as being the highest-level risks to the organisation are identified;
- Controls against these risks are then audited to determine if they are adequately controlling the risk;
- Reports are then prepared for the Audit Committee and the Board with recommendations for improvement (this is sometimes accompanied by a further risk assessment).
Sounds all very reasonable, but there is a fundamental flaw in this approach.
The most significant flaw is that a likelihood for the risk and, therefore, a risk level, has already been determined prior to the determination of the highest-level risks. That is because this likelihood has been determined using time, frequency and probability rather than control effectiveness. So in essence, a Moderate consequence risk that has materialised multiple times in the previous period would probably show up as a higher level risk (purely because of its frequency) than one where there is a Severe consequence but where there have been no (or no known) instances of that risk materialising.
This exposes the Executive and the Board to incidents of significant consequence materialising whist they have been on the belief that controls were effective.
What is consequence-based auditing and why is it more appropriate?
The consequence-based auditing process is summarised below:
Using this methodology, we provide assurance that the controls associated with the highest consequence risks are effective, and, in doing so, we are providing the Executive and the Board demonstrable proof that these controls are effective, and a lower level of likelihood is justified.
Let’s take a case in point – Westpac Bank. For my overseas readers and those not familiar with the particular case, Australia’s financial intelligence agency, AUSTRAC, launched legal action against Westpac in late 2019 alleging the bank breached anti-money-laundering and counter-terrorism finance laws 23 million (yes – that is the number) times, including by allowing customers to transfer money to the Philippines in a manner consistent with child exploitation.
In fact, as Chris Vedelago and Sarah Danckert reported in the Sydney Morning Herald on 16th January 2020: Westpac has been linked to an international paedophilia case following the arrest of a notorious Australian sex offender who is suspected of using the bank’s transfer system to pay for live-streamed child abuse videos in south-east Asia.
I have reviewed risk registers for a number of financial institutions regulated by APRA and which are subject to the provisions of anti-money laundering laws. Almost all of them had a risk similar to this in their risk register:
Failure to comply with anti-money laundering laws.
In some cases, it was even broader:
Failure to comply with Legislation and Regulation.
In this case, even though the consequence would be high (which has proven likely to be the case when the penalty is handed down), however, the likelihood was probably assessed as rare because it was assumed that all controls were effective and this was probably backed up by the fact that no incidents had been recorded.
So, we are all good and nothing can go wrong – right?
Let’s look at this another way. For a start, let’s get the right risk in the risk register. Being non-compliant is not a risk it is a consequence. For every financial institution I have advised, the following is the risk I include in the risk register:
XYZ fails to identify and/or report suspicious transactions as defined in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
This, to me (and it has proven to be the case with Westpac and the Commonwealth Bank which received a $700 million fine in 2017 for not reporting 53,506 reportable transactions), is one of the highest consequence risks to any financial institution of any size. So, this gets on my radar as a high consequence risk where I want assurance, backed by evidence, of the effectiveness of the controls.
For this risk, we can now identify some causes (there are more, no doubt, but these will suffice for demonstration purposes):
|XYZ fails to identify and/or report suspicious transactions as defined in the Anti-Money Laundering and Counter-Terrorism Financing Act 2006||Inappropriate training of staff in what constitutes anti-money laundering|
|IT systems do not have the required capability to identify all transactions that raise a ‘red flag’|
|Failure of IT systems|
|Corruption of data|
|Lack of/ineffective interface between XYZ’s IT system and the AUSTRAC system|
|Introduction of a new technology that does not incorporate the requirements under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (this was the basis of the issues with the Commonwealth Bank when daily limits for deposits through their Intelligent Deposit Machines had not been applied).|
|Lack of/ineffective auditing of transactions|
Had Westpac taken a consequence-based approach to their auditing program and sought assurance of control effectiveness before determining a likelihood they may/should have found the following:
- Regulatory Obligation – IFTI Reports: Each time
money goes in or out of the country, the bank must lodge what’s called an IFTI
report (International Funds Transfer Instruction report) to AUSTRAC. These reports are due within 10 business days
and must include six key details about who sent and received the money, as well
as transaction dates, identification codes and information about what the
payment is for.
- Control – SWIFT system.
- A key standard for international funds transfers between banks is the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system – a messaging network used by banks worldwide to send information about money being sent between countries.
- Finding: When dealing with various foreign banks, Westpac considered the SWIFT system costly and slow, and opted for a cheaper and quicker approach.
- Strength of Control: Partially Effective (at best)
- Control – Data Management System that
Captures all Information Required by AUSTRAC.
- Finding: Westpac used a cheaper Data Management System called LitePay. This significantly reduced costs, however, it led to many of these breaches failing to provide sufficient ‘red flags’ that would have warranted further investigation.
- Strength of Control: Partially Effective (at best)
- Control – Creation of Suspicious
Transactions to Test whether the System Identifies it as Suspicious.
- Finding: Had Westpac done this, it would have identified that there was a technological error that apparently went undetected for years. This led to Westpac failing to report 19.5 million IFTIs to AUSTRAC.
- Strength of Control: Not Effective or Not Present
- Control – SWIFT system.
The point here is, that by taking the approach of assuming the controls were effective and providing an assessment of likelihood that was based on the number of instances previously identified, this risk may not have been at a level to warrant the level of auditing/assurance it should have.
Had a consequence-based auditing approach been used, it should/would have determined that many of the controls fundamental to reducing the likelihood of this risk were partially/ ineffective. This should have resulted in the Likelihood being raised to at least Likely, if not Almost Certain. That would have certainly got it onto the radar of management so that they could have taken proactive action many years before.
Don’t believe me?
LitePay was scrapped by Westpac, four days after AUSTRAC’s statement of claim was filed in the Federal Court.
In addition, I can guarantee the following:
- The new system that will be/has been installed will cost many millions of dollars;
- There will be a heightened emphasis on auditing – at a significant cost;
- More staff will be hired;
- The fine will exceed $1 Billion;
- More revelations will emerge around the people making the transactions;
- Lack of compliance with anti-money laundering will remain the risk in the risk register.
It is time for a new paradigm in auditing, otherwise we will continue to see incidents that have been assessed as having a low likelihood becoming issues, then finding out afterwards that the controls were non-existent and/or not effective. I have previously written about two of them that should further highlight my point: This is not a drill and Colonel, we have a problem.