
SPE 135734 Difference Between Traditional and Risk Based Auditing

Danny Spadaccini, Weatherford International

Copyright 2010, Society of Petroleum Engineers

This paper was prepared for presentation at the SPE Annual Technical Conference and Exhibition held in Florence, Italy, 19–22 September 2010.

This paper was selected for presentation by an SPE program committee following review of information contained in an abstract submitted by the author(s). Contents of the paper have not been reviewed by the Society of Petroleum Engineers and are subject to correction by the author(s). The material does not necessarily reflect any position of the Society of Petroleum Engineers, its officers, or members. Electronic reproduction, distribution, or storage of any part of this paper without the written consent of the Society of Petroleum Engineers is prohibited. Permission to reproduce in print is restricted to an abstract of not more than 300 words; illustrations may not be copied. The abstract must contain conspicuous acknowledgment of SPE copyright.

Abstract

Auditors are trained to make detailed examinations of the internal control systems such as ISO 9001, ISO 29001, ISO 14001, OHSAS 18001, API, accounting systems and various legislative requirements, and to focus their audit planning, testing, and reporting on internal controls in the business process. The evaluation of controls without first examining the purpose of the business process and its risks provides no context for the results. How can the internal auditor know which control systems are most important, which are out of proportion to their risk, and which are missing?

When controls are the central theme of the internal audit, audit reports and recommendations are generated for improving and strengthening internal controls. Over time, layer upon layer of controls are built up. These excessive layers of control slow down business processes, communication becomes more difficult, and people are employed in non-value-added work.

Auditors are typically looking at control activities designed at some previous time to deal with issues that were relevant when systems were implemented. This means the internal auditor is examining activities that may or may not be relevant to current risks. The controls may be inappropriate because they monitor risks that are no longer important or even in existence.

RBA changes the way internal auditors think and talk about risk. Instead of focusing on history, audit reports address the present and the organization's level of preparedness to deal with the future. Internal audit reports "complete the loop" between assurance of control in current operational plans and input to risk assessment for the strategic plan. RBA places an emphasis on risk-based internal audit reports rather than on traditional controls-based reports.

What is RBA?

RBA is an audit process that explains how risk concepts are integrated into the strategies and approaches used for management systems.

RBA provides:
- A mechanism for understanding the specific risks which may influence the achievement of the company objectives;
- A description of existing measures and proposed strategies for managing specific risks; and
- A mechanism for monitoring, performing internal auditing, and reporting practices and procedures.

What are the benefits of RBA?

Risk-Based Auditing can effectively and efficiently assist an organization by:
- Improving understanding and communication of risk and related mitigation options;
- Strengthening accountability for achieving objectives;
- Facilitating achievement of company-wide requirements for risk management;
- Providing a basis upon which to create contingency plans; and
- Enhancing information for informed decision-making.

What roles should Risk Based Auditing NOT undertake?
- Setting the risk appetite;
- Imposing risk management processes;
- Providing management assurance on risks;
