various control frameworks (e.g., COSO, CoCo, and/or COBIT) or best practices in internal control. Afterwards, in consultation with the auditees, with the end view of obtaining their buy-in, the auditor considers alternative solutions to address the significant risks noted and, if necessary, issues value-adding suggestions to further improve the process. It is important to note that the compliance-based approach is not totally eliminated or forgotten when we apply RBA. When appropriate and sound control policies and procedures have been put in place by management, performing a test of compliance (or Test of Operating Effectiveness) is integral to RBA. It is prudent, though, to always reassess the risks and revisit the appropriateness and soundness of the policies and procedures every audit, especially if the intervening period is at least a year and there have been recent changes in technology, organization, and systems.

What Hinders the Auditor from Implementing the RBA Approach?

In my opinion, the two major hurdles to implementing RBA are: (1) an inadequate understanding, or a lack of understanding, of the RBA concepts and (2) the auditor's inertia or slowness to shift to the new paradigm or mindset of RBA planning and execution. It would seem that old habits are hard to break, and sticking to traditional, police-type auditing is no exception. I hear people in the industry say that they employ RBA, but when you probe deeper, you find that many are still in transition, if not totally lost in the process. The antidote is a combination of educating all stakeholders on RBA and creating a new culture and perspective, whereby an open and humble attitude to change and a firm resolve to understand and implement RBA concepts are not only mandated and monitored by the Audit Committee but also nurtured and encouraged. In my professional experience, auditors who have successfully implemented an RBA received positive responses from their senior management.

I've seen not a few quantum improvements in relationships because the auditees see real value in the auditors' services and outputs. Nevertheless, I still encounter some traditional auditors being bad-mouthed by their auditees simply because a non-RBA mindset still persists. How do we address this? The answer is to establish a quality assurance and improvement program within the internal audit department, which includes both internal and external assessment of the internal audit activity. The external assessment shall be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization (ISPPIA: 1300 Quality Assurance and Improvement Program), which brings us to the next article, "Who audits the internal auditors?"
(Reginald C. Nery, CPA, CISA, CISSP, CIA, CCSA, CFSA, CISM. He is the Head & Partner of Performance and Technology Advisory Services of Manabat Sanagustin & Co., CPAs, a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. This article is for general information only and is not intended to be, nor is it a substitute for, informed professional advice. While due care was exercised to ensure the quality of the information contained in this article, readers should carefully evaluate its accuracy, completeness and relevance for their purposes, and should obtain any appropriate professional advice relevant to their particular circumstances. For comments or inquiries, please email manila@kpmg.com or rcnery@kpmg.com.)