Joint risk assessment and single audit, sitting in a tree …

Loss of added value

Internal audit and external audit both present their findings during the same audit committee meeting. It turns out that both structures independently audited the same entity which is part of the wider organisation. A lot of their findings align. They actually turn out to be comparable to some of the issues raised by the production quality people which were discussed during the last meeting between management and the directors of the organisation. Is that really adding value? I think not.

Different manifestations, same root cause

These types of occurrences are more common than we believe. Talking to members of boards and audit committees, we learn that different stakeholders across and even outside the organisation often identify “problems” at around the same time. These problems appear, at first sight, to be very different. The different stakeholders then each ask their “audit capability” (their quality person, their internal auditor, their external auditor, their process consultant …) to look at the problem. After investigation it turns out there is just one or, at the most, a very limited number of underlying causes.

Either no one notices, except for the auditees who wonder why everyone is independently asking them about the same problem, or, sometimes, it even turns ugly, with different audit entities fighting over ‘jurisdiction’ of this problem. Visibility and internal political power will likely take precedence over competence.

Wasting oversight resources

What a waste of time and resources. It is highly frustrating for the audit committee members who, in a reality of constrained resources, look at optimizing their available means or even using means beyond their direct control. However, confronted with the trump card of independence of, for example, the external auditor, their ability to plan to the advantage of their own organization, the organization that is ultimately paying for these services, gets severely hampered.

Overlapping areas of responsibility

Few supervising structures are willing to let go of or share assessment responsibility for areas they believe to be in their area of responsibility. The problem becomes markedly complex when the areas of responsibility overlap. Given the number of roles currently playing in the GRC (governance, risk and compliance) field, the risk of suboptimisation of oversight becomes very clear.

Just today, Marie-Hélène Laimay, senior Vice President, audit and internal control assessment for Sanofi shared an interesting example during the yearly European Commission IAS conference. Quality problems in pharmaceuticals production will have impacts on quality, revenue and the patients. They will touch quality auditors, internal and external auditors and the clients, the patients. But who takes charge of analyzing the issue?

Single audit, multiple areas of expertise

Only a single audit approach with at least a shared and ideally a common risk assessment can optimize the use of the available oversight resources within an organisation. It makes little to no sense to have multiple oversight structures reviewing the same underlying problem. However, we need to recognize the differing needs of external auditors, internal auditors, quality auditors and the like.

A single audit solely managed and executed by one of the oversight structures is therefore likely not to provide an adequate answer to each of these problem stakeholders. Single audits are not necessarily executed by an audit team coming from one single source. Ideally, for those relevant risks which appear in the audit programs of all oversight structures, joint teams would be brought together to allow a response to all relevant questions asked.

Risk assessment and audit, sitting in a tree …

The reality of limited resources available to audit committees requires some type of joint risk assessment and, where overlaps exist, a single audit approach executed by a mixed audit team.