Posts Tagged ‘internal audit’


Critical Thinking and Internal Audit: A KPMG Study

A recent research paper from KPMG, “Transforming Internal Audit Through Critical Thinking”, caught my attention as I have been exploring the relevance of analytical and critical thinking skills for internal auditors (for some time now). I recommend a read of the full report and have selected a few important points from the report for brief sharing here:


Critical thinking is defined as an open-minded approach to analyzing a situation or task for the development of supportable conclusions and conveying the assessed results in a logical manner.

 Organizations want internal audits that are insightful, forward looking, and go beyond preserving value to creating value on a departmental, divisional, or organization-wide level.

 Critical thinking as a core approach for internal audit establishes a strategic partner within the business, focused on achieving balance between risk management and business performance.

 Critical Thinking vs. Thinking Critically — In many instances, the term “critical” takes on negative connotations such as stubborn, judgmental, or opinionated; therefore, it is imperative that internal audit functions do not desire a critical “result”, but rather apply a critical “approach” to thinking that is holistic, skeptical, analytical, and evaluative to develop well-rounded conclusions.

 Critical thinking audit results must create measurable value to an organization, through highly effective data analytics, and cost-benefit considerations. The audits need to be geared toward identifying revenue opportunities, cost recovery, discovering cost avoidance opportunities, measuring hours of efficiency opportunity and direct redeployed monetary savings, quantified or untapped growth opportunity, or determinable risk reduction.

 In order to create value to the organization, internal audit must apply a critical thinking approach to internal audit, a level beyond operational auditing and this should result in opening more doors for internal audit to sit on steering committees, task forces, and other strategic initiatives.

 Some of the traits which serve as the basis for enabling critical thinking in audits – open mindedness; situational analysis; providing context; brainstorming; constructive questioning; detail orientation; being resourceful, agile, and able to quickly react in creative ways to develop a solution.

 Internal audit must develop deep organizational and business understanding to apply judgment, and challenge the business on a broad range of topics. In addition, internal audit must invest the time to understand the business strategy and transformational changes occurring throughout the organization.

 Internal audit must be characterized by a culture of challenge, probing, and continuous improvement. Internal auditors must remain solution focused; investigative in scenarios or solutions for issue resolution; and persistent in having a seat at the table for the key discussions.

 Key benefits to critical thinking in audits are – strategic alignment, critical thinking scope, and quantifying value drivers. With critical thinking being embedded in it, internal audit is viewed as a business advisor rather than the policy enforcer.

 A critical thinking audit should bear the hallmarks like (i) audit results will be set and measured in creating value for the organization; (ii) audit results will be limited to the key tangible findings that the business should address as a matter of priority; (iii) minor issues are reported outside of the final report to the business leaders; (iv) the business actually makes meaningful improvements due to internal audit findings.


The paper by KPMG is both exciting and practical. It shares valuable insights on the subject of ‘critical thinking’. Ahh! I feel it’s time for us to think critically about developing ‘critical thinking skill’ in every member of our audit team.



 “Transforming Internal Audit Through Critical Thinking”, © KPMG LLP, 2014.


Risk-Based Integrated Auditing and the journey so far….

It has been almost one year since my country office started transitioning to ‘risk-based integrated auditing’ (RBIA) approach from the ‘traditional internal auditing’ approach focusing on finance. Similar to any other change process, this journey of transition was not a smooth or comfortable one for our function. (In a sense, it was a humpty-dumpty ride). However, out of this transition to RBIA approach, I have learnt some good lessons both personally and functionally (which I feel are worth sharing with my readers):

On the individual front —

  • I have understood the importance of flexibility and creativity for producing the best value adding audit reports. (Structured approach alone does not suffice.)
  • As an internal auditor, most often, it is good to be direct with audit clients rather than being diplomatic. Being direct has helped me gain credibility in the eyes of my clients.
  • Being part of the internal audit profession, I have now learnt to experiment and take reasonable risks within professional boundaries (rather than always being over-defensive and extra-cautious).
  • I have learnt the art of collaboration and negotiation better now. Now, I can empathize with the challenges faced by my audit clients. This has led me to hold more constructive conversations with my stakeholders.

As the internal audit function, some of our important learnings —

  • The success of the RBIA approach is primarily dependent on identifying the correct risks to review from the start.
  • It is important to ensure that both the senior management and the respective departments/ functions share the same view of risk. As a third line of defense, we ensured that they both are on same page when it comes to risk.
  • One of our initial tasks was to review our country office’s risk register and see if it is complete and accurate. Subsequently we also learnt to rank the risk by considering which of those risks would have the most serious impact. By doing so, internal audit’s prioritized areas of focus matched those posing greatest risk to the organization.
  • As skeptics, normally internal audit functions are good at pointing out what might go wrong. But under RBIA approach, (while proposing the corrective action to clients) we also learnt to imagine thinking what needs to go right so as to ensure management focus is aligned to achieve successful outcomes.
  • Our internal audit function has started emphasizing top-down risk-based planning consistent with the country office’s objectives. For this, we took into consideration the input of senior management and the Board.
  • We understood that it is important to induce the senior management to leverage on first and second line of defense when internal audit started moving towards RBIA approach.
  • We learnt that when internal audit aligns its focus with organization’s top high risks, the organizations will be deriving the maximum value.
  • Under the RBIA approach, our internal audit function has become intentional in learning about the business of our organization.
  • RBIA approach is assisting our function to understand the issue by seeing the larger picture in a holistic way rather than having a skewed perspective. As a result, our team is now able to have a more pragmatic view of materiality while stratifying the audit observation.
  • RBIA approach has underscored the importance of findings from internal audits to be commercial, strategic, cost-effective and making business sense.


Question: From your experience and expertise, do you think risk based integrated auditing is a better approach? Please share them by leaving a comment to this post. I welcome your thoughts.


Can Internal Auditors be ‘Outliers’?

Throughout my career in internal auditing, I have been repeatedly shot with a peculiar complaint from my audit clients of diverse sectors: “Internal auditors do not understand the business”. Being part of not-for-profit sector, now I hear “Internal Auditors do not understand what transformational development is all about”. The shift from traditional financial audit approach to integrated audit approach has added fuel to this fire. As a result, the buy-in for audit observations gets tough/ almost impossible.

In recent ‘Global Pulse of the Internal Audit Profession’ survey conducted by ‘The IIA’s Audit Executive Center’ in 2012, ‘business acumen’ is one of the five most sought-after internal auditor skills by global recruiters and CAEs. Peter Marriott, Chair of the Audit and Risk Committee in Australian Stock Exchange states, “Findings from internal audits should be commercial, strategic and make business sense. Good internal auditors can join the dots and express their intuition…….” Added to that, Keith Tandowsky, Vice President of Internal Audit in Clorox says, “It is critical that every audit observation is clear about the business impact. The difficulty, from a leadership standpoint, is to develop less experienced staff members’ business acumen.”

So, it is important that internal audit professionals understand the business. In other words, it is compulsory for the internal auditors to understand the fundamentals of the business of organizations and the industries in which they operate. The clause 2 of Standard on Internal Audit (SIA) 15 issued by the Institute of Chartered Accountants of India, “Knowledge of the entity and its environment” rightly stipulates that —

“In performing an internal audit engagement, the internal auditor should obtain knowledge of the economy, the entity’s business and its operating environment, including its regulatory environment and the industry in which it operates, sufficient to enable him to review the key risks and entity-wide processes, systems, procedures and controls………… Such knowledge is used by the internal auditor in reviewing the key operational, strategic and control risks”

In my view, this is easier said than done. Business acumen cannot be acquired overnight. On the other end, the renowned author, ‘Malcolm Gladwell’ in his book “Outliers” asserts that —

“The idea that excellence at performing a complex task requires a critical minimum level of practice surfaces again and again in studies of expertise. In fact, researchers have settled on what they believe is the magic number for true expertise: ten thousand hours. ‘The emerging picture from such studies is that ten thousand hours of practice is required to achieve the level of mastery associated with being a world-class expert—in anything…………… Ten thousand hours is the magic number of greatness.’ ”

But, it is obvious that we as internal audit professionals cannot afford 10,000 hours to develop business acumen or become audit specialists. So how does one develop his business acumen and increase his understanding of the business over which he audits? I do not have a comprehensive or direct answer to this. But let me give a try. I believe that we can develop business acumen through a multi-pronged approach:

  • Develop a passion for learning. In future, internal auditors will be agile, flexible, resilient, empathetic and diverse learners
  • Pursue formal training and development programs / certifications related to the business
  • Volunteer to be part of rotational assignments, stretch projects. Variety in assignments should be welcomed and rightly used to learn new business operations/ processes
  • Indulge in self-guided learning
  • Essentially, be conversant with the business documents of the organization (like Strategic directives, business plan, Standard operating procedures (SOP), management policy manuals, procedure manuals, purchase policy, human resource policy, information technology manuals and procedures, media guidelines, marketing strategy, etc).
  • Be a voracious reader of books, reports, journals of your business and industry. It can be a plain ‘vanilla’ reading at times but we will gather a ‘treasure trove’ of information about the business and the emerging risks impending on the industry
  • Get to know the legislation and regulations that significantly affect the organization and its industry
  • If given a chance, take a short sabbatical/ secondment to be part of the operations or other functions in the organization. Such hands-on-experience will prove to be handy in understanding the business

Success in life is all about being intentional and focused. The same will apply to the profession of internal audit too. Acquiring business acumen will not be either an overnight affair or a 10000 hour marathon. With our intentional commitment and dedication to learn, we can be on our path to mastery. We can acquire the organization and risk knowledge in the form of end-to-end process understanding. We can walk in the shoes of the business people we audit. We can be the real value adders. We can be the subject matter experts. We can be the insight generators. We can be the trusted advisers. We can be the ‘outliers’.

Question: Are there better ways of developing business acumen? Please share them by leaving a comment to this post. I welcome your thoughts.


 [1] Standard on Internal Audit (SIA) 15, “Knowledge of the entity and its environment”, The Institute of Chartered Accountants of India, 2009.

[2] “Outliers: The Story of Success” by ‘Malcolm Gladwell’, Little Brown and Company, 2008.

[3] “Succeeding as a 21st Century Internal Auditor: 7 Attributes of Highly Effective Internal Auditors” by ‘Richard Chambers’ and ‘Paul McDonald’, IIA and Robert Half, 2013.

[4] “Reaching greater heights: Are you prepared for the journey? – 2013 State of the internal audit profession study”, PricewaterhouseCoopers, 2013.


What matters the most to be successful in internal auditing — Brilliance or Consistency?

What matters the most to be successful in internal auditing — Brilliance or Consistency? Before we answer that, here is one more question to answer first.

“What is your 20 mile march?” You may be asking what the 20 mile march is. Let me tell you.

Some days back, I was reading about a real life story that happened in 1911. It was about the adventure Roald Amundsen and Robert Falcon Scott set out upon. The adventure was to be the first person to reach the South Pole. Both Amundsen and Scott set out at the same time. Both were ruthless hardworking never-say-die attitude adventurers. But, only one group of explorers returned. Scott failed while Amundsen succeeded. I was intrigued. I was perplexed. My curiosity was kindled. I wanted to know what made Amundsen accomplish the mission while Scott failed.

Subsequently, I learnt that Scott was said to have let the weather decide when they should move. Some days they would push great distances, others they would not move at all. In the end, it is believed that this is what caused the death of his whole expedition team.

Amundsen, on the other hand, had a focus. He had a game plan. He had a strategy. He planned to go 20 miles every day. No matter the weather or how the team felt, they were to go the 20 miles. Amundsen returned with all men in his expedition team alive.

“I may say that this is the greatest factor—the way in which the expedition is equipped—the way in which every difficulty is foreseen, and precautions taken for meeting or avoiding it. Victory awaits him who has everything in order — luck, people call it. Defeat is certain for him who has neglected to take the necessary precautions in time; this is called bad luck.” – from “The South Pole”, by ‘Roald Amundsen’

This is where the principle of the 20 mile march germinates. Staying focused and being consistent every day. It would be interesting to note that the ‘20 mile march’ is a term first coined by Jim Collins in his latest book “Great by Choice”.

For you, the 20 mile march may not be literal. But, it could be symbolic. The 20 mile march will be an objective you have set for yourself.

Your 20 mile march could be:

  • Studying 30/45/60 minutes for C.I.A/C.I.S.A/C.I.S.S.P examination every day
  • Reading 20 pages of Fraud Examiners Manual every day
  • Praying/Meditating 30/60 minutes every day
  • Reading at least one article about ‘Internal audit’ to learn something new every day
  • And, anything on a daily basis!!!

Regardless of what your march is, it is important that you are consistent.

When your journey looks terrifying, go the 20 miles.

When you are worn-out, go the 20 miles.

When you want to give up, go the 20 miles.

Whether you are happy or sad, go the 20 miles.

Whether you are in cloud nine or in ground zero, go the 20 miles.

Come what may, just ……………… go the 20 miles.

When you break the consistency, you make the subsequent days more taxing. You have to catch-up things. You have to work harder than before. You have to beware of lagging further behind. To take your productivity to the next stage, you could experiment and put into action this principle.

I believe each of us will be having a vision, a goal. We all want to accomplish it. But every time we start our journey, we get hit by a setback. We need to move forward but we do not know how.

The key is we need a 20 mile march in our life.

One example from my personal life. During my schooling, I was a student with average intelligence. When I enrolled myself for Chartered Accountancy course, (touted as one of the toughest examinations in my country with a meager pass percentage) many laughed at me. I was ridiculed for the ‘dumb’ step I had taken in my career. Making their hunch true, I was struggling initially. I was not able to clear my Intermediate examination in my first attempt. At that juncture, I felt that it is essential to change my strategy. I started reading my lessons regularly on a daily basis. I tried to be more consistent in my preparation. In the end, that approach yielded fruits. I succeeded. I realized that consistency pays off. As I was able to apply this principle and succeed, I believe so can you.

If you do not have a 20 mile march, today I encourage you to create one.

Now, I believe everyone will be able to answer the first question. Remember, as Amundsen puts it, “Victory awaits him who has everything in order”.

Question: Do you agree with me? Please share them by leaving a comment to this post. I welcome your thoughts.

(For further reading, you can refer to the following resource from the business journal of McKinsey & Company:

Dan O’Brien. “In the long run, consistency always wins out: An interview with Olympic decathlon champion.” McKinsey Quarterly, August 2012)


auditing informal controls

Happy New Year everyone!

To commemorate the new year, I decided to do some light reading on control self-assessments 🙂

In my research of control self-assessments (CSAs), I came across a paper titled ‘Control Self-Assessment: A tool for organizational improvement’. The authors of the paper imply that audits can only audit formal controls.

“Audits confirm the degree of compliance with formal controls and mandates. They (informal controls) are not tangible and, therefore, are not subject to the verification standards demanded by traditional audit.”

Another resource implied the same thing –

“CSA is an audit technique within the broad framework of internal audit that measures areas that traditional audit techniques are not designed to measure, such as trust, morale and corporate culture”

However, the paper notes (as is also true in my experience) that it is really informal controls that are more influential in an organization.

“One of COSO’s core conclusions was that “official policies” (formal controls) specify what management wishes to happen. However, the “culture of the organization” (informal controls) determines what actually happens – which rules are obeyed, ignored or bent. Without a clear assessment of informal internal controls, any organization runs the risk of the loss of opportunities and of potentially serious problems going undetected.”

Is it true that audits can only validate and measure formal controls? If informal controls are more effective than formal controls and audits are limited to validation of formal controls, does this call into question the effectiveness of auditing and imply that the value of auditing is limited to a validation of formal controls?

Widely accepted international standards have defined internal controls in the following ways:

  • A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories, (i) Effectiveness and efficiency of operations, (ii) Reliability of financial reporting, (iii) Compliance with applicable laws and regulations – COSO
  • Actions that foster the best result for an organization – COCO (Canada)
  • A company’s system of internal control has a key role in the management of risks that are significant to the fulfillment of its business objectives – Turnbull Committee (UK)
  • All major factors that, taken together, support people in the achievement of their own work objectives and those of the organization – USAID paper

See this related post for deciding on which internal control framework to implement.

Although the various internal control frameworks use very broad definitions, when most people think about internal controls in the traditional sense, they think primarily about financial reporting controls (e.g. Sarbanes Oxley requirements) and secondarily about other formal non-financial controls such as policies and procedures, authorizations and review processes.

The COSO model has the following components:


For an auditor, the control activities area is typically a primary area of focus to audit. The characteristics of control activities such as policies, authorizations and reconciliations are formal controls and are tangible and repeatable. These controls are typically part of transactions and processes. Monitoring activities are also another component that is typically audited. However, the other COSO components of control environment, information and communication, and risk assessment, are also controls but are typically known as informal controls and are either one-time or non-repetitive controls.

What is the role of an audit as it relates to informal controls – i.e. most of the COSO cube except for control activities? How does audit validate these ‘controls’?

A known method for audit validation is through sample testing of transactions. How do you validate an informal control when it is not directly related to a transaction and non-repetitive? Do you merely validate the existence, use of and importance of the informal control in the organization? Would an audit recommendation be within the realms of if the control exists, is consistently used and known throughout the organization? The idea that informal controls are an audit issue if it is absent or if there is a very clear exception is supported by the following source:

“Soft (informal) controls include ethics, commitment to competence, and management operating style. Such controls have traditionally been overlooked in audits because documented evidence of the audit condition is difficult to obtain and test…..on the other hand, proper behavior is assumed for soft controls. An unfavorable audit conclusion is reached only if improper behavior is observed. A satisfactory rating wouldn’t be ruled out if the auditor finds no direct evidence that the “soft controls” are in place. Only if instances of unethical, incompetent, or improper management behavior are discovered should the auditor consider an unsatisfactory rating. The level of assurance provided by the auditor for soft controls is, therefore much less than normally rendered. As techniques for testing soft controls improve, rating criteria may be revised to render more positive assurance.”

Informal controls are also typically very people oriented and therefore potentially highly subjective. It is possible to use CSA-type tools such as surveys and questionnaires to provide data and observations of informal controls.

It does make sense that formal controls and the auditing of formal controls is important in industries and processes that have high compliance requirements such as financial reporting (adherence to GAAP or similar accounting standards), banking, oil and gas, investments, etc. However, for areas that are not highly regulated and that are more relational, formal controls are not always as evident or important. In the nonprofit industry, there are many activities that are relational and qualitative where informal controls hold much more sway than formal controls.

In my reading so far on CSAs, it appears that CSAs are the preferred tool to provide a more in-depth evaluation of informal controls. In a future post, I will explore the differences between traditional auditing and CSAs.

By nature of IIA’s adoption of the COSO internal control framework as a standard, it is our responsibility as auditors to not just validate formal controls, but also informal controls. It might not be very straightforward or intuitive to audit informal controls, but it is imperative. From my personal experience, the recommendations that have been most valuable to management and that have been part of much needed change in the organization most often relate to informal controls.

I welcome your comments and observations.


What makes the integrated auditing so interesting?

It’s time for change. Starting this month, we have moved to the approach of integrated auditing in my country office; and as internal audit professionals, we are at a crossroads more than ever before. Traditionally, our focus was on examining financial systems and the financial records of a program or process. But, now we are moving towards a holistic approach.

This new approach of integrated risk based internal audits is helping our function to broaden our perspective by focusing on the entire gamut of risks encountered by the organization. Through such integrated audits, our objective is to achieve a more effective and efficient audit engagement with all our audit clients.

Integrated auditing approach has thrown us with wide array of opportunities as well as challenges. Some of the challenges which I foresee in this journey of transitioning from financial auditing to integrated auditing are as follows:

  • Understanding the need for increase in knowledge of staff on non-financial areas and augmenting oneself with additional skill sets
  • Developing a reasonable level of knowledge in ERM, risk identification, risk assessment and risk classification (Dealing with the unfamiliar areas that have not been traditionally reviewed will be a litmus test for my team)
  • Enhancing the knowledge of multiple audit techniques
  • And, the resultant changes that are to be done in the composition of the internal audit team

Some of the measures that are helping us in this transition to integrated audit approach:

  • Using the available resources and personnel from various departments who are experts to supplement and augment our existing audit resource knowledge. (In simple words, learning about the process and operations from the process owners themselves )
  • Learning to modify our perspective and think beyond the traditional audit scope.
  • Exploring the option of modifying the existing audit staffing plan.

With the management expecting continuous monitoring of our various area development programs and projects, the internal audit function decided to adopt integrated auditing. In the due course, this comprehensive approach is believed to increase internal audit division’s credibility and provide greater value addition to management in addressing its risk.

Developing the risk based audit procedure checklists, scoping mechanisms, audit testing methodologies, designing the engagement duration are some of the prioritized tasks in my function right now.

There tends to be certain amount of confusion or chaos while treading uncharted waters. But, this uncertainty is the element which makes the integrated auditing so exciting and interesting to me.


External auditing vs. Internal auditing – What’s the difference?

I was asked in a meeting the other day about the difference between external auditing and internal auditing.  It reminded me of the time when I made the switch from external auditing to internal auditing. At the time, I had hoped there was a book I could read that would lay out the differences for me. I’m sure there is such a book out there, but I haven’t found it. Now having some years under my belt as an internal auditor (at this point in my career I actually have more internal audit experience than external audit experience), here is what I will say. I will give you the ‘PC’ answer! (just kidding for all my external auditor friends!).


Let’s start with the similarities. 

-Regardless of the type of audit, the starting point is always the objectives and goals of the organization.

-The next consideration is ‘What is the risk to achieving objectives?’

-The auditor (both internal and external) is going to plan the audit effort around the areas that pose the largest risk to achievement of objectives. 

-There are various organizational objectives but one of them will always be reliable financial reporting including financial statements. Other objectives fall in the categories of strategic, operations and compliance, which we will discuss in more detail below. 

-The different types of risk typically correspond to the objective categories: strategic risk, operational risk, compliance risk and financial statement risk. We will also discuss these in more detail below.


The overall audit thought process for both types of auditors is similar. 

-Once risk is identified, these are first viewed as being inherent risks or risks that would exist in an uncontrolled environment.

-Then controls that would help mitigate the risk are identified and tested. 

-Once controls are identified and tested, auditors assess if the existing controls are sufficient and effective to mitigate the risk. 

-The risks that still exist in a controlled environment are known as residual risk. The auditor’s responsibility is to make a judgment on the significance of these residual risks and to communicate this to management.

– Ultimately it is management who decides on whether to accept the residual risks. There can be situations when the auditors and the board do not agree on the significance of the residual risks. 


Let’s now talk about differences. 

I guess the first most obvious difference is in the name – external vs. internal. External auditors are ‘external’ to the organization – not employees. Internal auditors are typically internal to – employees – of the organization. However, there is such a thing as outsourced internal audit services whereby the types of services typical of an internal audit department are performed by third parties. 

The types of work performed by external vs. internal auditors differ. The differences are primarily in the type of objective and the type of risk assessed by the auditors. 

-The type of risk that is addressed by external auditors is financial statement risk. As noted in the generally accepted auditing standards (GAAS), the external financial statement audit is performed to obtain reasonable assurance about whether the financial statements are free of material misstatement. 

-The external auditor is primarily interested in the objective of reliable financial reporting specific to external financial statements. The objectives of the financial statements are typically in the following categories: existence, completeness, presentation and disclosure, rights and obligations and valuation. In the US, the standard for financial statement reporting is generally accepted accounting principles (GAAP).

-The risk specific to financial statements is that financial statement balances are materially misstated (i.e. balance does not exist, is not complete, is not properly valued or the organization is not the owner) or financial statement disclosures are not complete or accurate. 


The role of the internal auditor is different. Although we do look at financial statement risk, we also consider many other things. 

-The Institute of Internal Auditors (IIA) International Professional Practices Framework (also known as the ‘Red Book’) in its Standards states the following:

2130 –  The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization’s governance, operations, and information systems regarding the:

  • Reliability and integrity of financial and operational information
  • Effectiveness and efficiency of operations
  • Safeguarding of assets, and
  • Compliance with laws, regulations and contracts

2130.A2 – Internal auditors should ascertain the extent to which operating and program goals and objectives have been established and conform to those of the organization

2130.A3 – Internal auditors should review operations and programs to ascertain the extent to which results are consistent with established goals and objectives to determine whether operations and programs are being implemented or performed as intended.


From an internal auditing viewpoint, the objectives and goals vary. The COSO ERM framework describes an organization’s objectives in the following four categories: 

     -Strategic – high level goals, aligned with and supporting its mission

     -Operations – effective and efficient use of its resources

     -Reporting – reliability of reporting

     -Compliance – compliance with applicable laws and regulations

If you were in a company where the primary objective is preservation and enhancement of the bottom line, the objectives and the way to maximize shareholder value are pretty straightforward. However, in a nonprofit organization, there are multiple bottom lines, with profit or revenue being only one of the objectives (despite the misnomer of ‘non-profit’) amidst other mission-centric objectives such as how to bring the greatest good to the ultimate beneficiaries, which in World Vision’s case, we consider to be both the children we serve and the donors who help us in that mission. 


Once the stated objectives and goals are thought through, it is helpful to think through the many different buckets of risk. Here are some typical buckets of risk:


     -Financial (e.g. liquidity concerns, etc)


     -Operational (people, process, technology)


As stated above in the audit thought process, once risks are identified, controls specific to these risks are assessed, with audit effort planned around the high risks. There are various quantitative and qualitative methods for assessing risk. From a financial statement risk standpoint, the risk is typically assessed based on a materiality (significance) threshold using a certain basis (e.g. revenue, assets). For other types of risk such as operational, compliance or strategic, the method for assessing level of risk can be somewhat qualitative and judgmental. We will explore risk analysis and risk assessment in further detail in a future blog post. 


That’s a brief overview of the differences for now. Anyone else want to offer their input?


Merry Christmas everyone!

