Is Risk Based Internal Auditing (RBIA) the “Right” Term or should it be Consequence Based Internal Auditing (CBIA)?
Okay – maybe I am about to open a can of worms here – but I think that RBIA may be a misnomer.
Don’t get me wrong, I am a firm believer in the internal audit program being aligned to the risk management program – in fact neither will be as effective if they are not intrinsically linked.
My argument here is not that it is not valid – but that the focus should be on Consequence Based Internal Auditing (CBIA) instead.
The Chartered Institute of Internal Auditors defines RBIA as:
“a methodology that links internal auditing to an organisation’s overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite”.
This is all very true – particularly for those risks that are outside the risk appetite of the organisation. But what about those risks that are within the appetite?
My proposition is this: regardless of the level of risk, the internal controls linked to the risk events of highest consequence must be the focus of the internal audit program.
What is the purpose of an internal audit program? The internal audit program provides assurance that the controls currently in place are effective, so that the likelihood of risk events occurring is reduced. Surely it follows then that the controls linked to the events with the highest level of consequence need to be the primary focus. Why? There is a direct correlation between the effectiveness of the control environment and the likelihood that a risk will be realised. If these controls are not the focus, the chance of the risk eventuating becomes greater, and nobody knows it is imminent.
Is your organisation one where the primary focus of your internal audit program is around Cabcharge Cards or credit cards that have a limit of $2,000 on them or leave entitlements? I am not saying that these should not be done but they certainly should not be the priority for the program.
If we think about some major disasters, such as the Longford Gas Explosion, the oil spill in the Gulf of Mexico, the Global Financial Crisis and many aircraft incidents, the post-event analysis that was conducted invariably shows that the breakdown of existing internal controls was a significant contributory factor, and that those controls were not being reviewed for effectiveness. If you are not familiar with the Swiss Cheese Model, it is worth looking it up to understand how control failures lead to disaster.
So what is the take-home point of this article? Regardless of the overall risk level of the risks within your organisation, the primary focus of the internal audit program must be the controls that are in place to keep the likelihood of events with Severe or Major consequences as low as possible.
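To make the difference between the two prioritisations concrete, here is a small added example (my own illustration, not part of the original article or of any institute's methodology). It builds a constructed control register with a 1 to 5 consequence scale and a 1 to 5 likelihood scale, ranks the controls the RBIA way (by likelihood x consequence against a risk appetite threshold) and the CBIA way (by consequence first), and shows that a control protecting against a Severe but unlikely event, which sits comfortably within the risk appetite, drops below a low-value credit card control under RBIA but tops the list under CBIA. The register entries, the scales and the appetite threshold are all assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Constructed 1..5 scales, as used on a typical risk matrix (assumption for this example).
CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}

# Constructed risk appetite: a risk score (likelihood x consequence) at or below
# this value is "within appetite" for the illustration.
RISK_APPETITE_SCORE = 6


@dataclass(frozen=True)
class Control:
    name: str            # the internal control being audited
    event: str           # the risk event the control is meant to prevent
    consequence: int     # consequence rating of the event if it occurs (1..5)
    likelihood: int      # current likelihood rating of the event (1..5)

    @property
    def risk_score(self) -> int:
        return self.consequence * self.likelihood

    @property
    def within_appetite(self) -> bool:
        return self.risk_score <= RISK_APPETITE_SCORE


# Constructed control register; the values are illustrative only.
REGISTER = [
    Control("credit card limit review", "misuse of $2,000 corporate card", 2, 4),
    Control("leave balance reconciliation", "overpaid leave entitlement", 1, 5),
    Control("pressure relief valve inspection", "gas plant explosion", 5, 1),
    Control("trading position limit check", "unauthorised trading loss", 4, 2),
]


def rbia_order(register=REGISTER) -> list[str]:
    """Risk based ordering: highest likelihood x consequence first.

    Ties are broken by consequence so the ordering is deterministic.
    """
    ranked = sorted(register, key=lambda c: (-c.risk_score, -c.consequence))
    return [c.name for c in ranked]


def cbia_order(register=REGISTER) -> list[str]:
    """Consequence based ordering: highest consequence first, regardless of
    where the risk score sits against the appetite; likelihood breaks ties."""
    ranked = sorted(register, key=lambda c: (-c.consequence, -c.likelihood))
    return [c.name for c in ranked]


def within_appetite(name: str, register=REGISTER) -> bool:
    """True if the event guarded by the named control scores at or below the appetite."""
    return next(c for c in register if c.name == name).within_appetite


def explain(register=REGISTER) -> None:
    """Print both orderings side by side so the divergence is visible."""
    print("RBIA (by risk score):")
    for c in sorted(register, key=lambda c: (-c.risk_score, -c.consequence)):
        flag = "within appetite" if c.within_appetite else "outside appetite"
        print(f"  {c.risk_score:>2}  {c.name:<34} {flag}")
    print("CBIA (by consequence):")
    for c in sorted(register, key=lambda c: (-c.consequence, -c.likelihood)):
        print(f"  {CONSEQUENCE[c.consequence]:<13} {LIKELIHOOD[c.likelihood]:<15} {c.name}")


if __name__ == "__main__":
    explain()
```

Running it shows the point of the article in miniature: the valve inspection guarding a Severe event scores 5, so it is within appetite and ranks below the credit card control under RBIA, yet it is the first control audited under CBIA. The register, scales and appetite threshold are invented, so substitute your own risk register and matrix before drawing conclusions about a real program.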