Moving towards a risk-based audit | CQI | IRCA

Moving towards a risk-based audit

Ian Rosam, Director at HPO Risk Solutions, explores recent changes in auditing compliance.

Following comments from Andrew Bailey, CEO of the Financial Conduct Authority, on the future of regulation, the focus on behaviour and outcomes when auditing has increased. Bailey said: “A significant part of this debate turns on the issue of outcomes versus rules. Rules are a crucial mechanism for delivering outcomes but can also be interpreted so rigidly as to become a box-ticking exercise. This is a lesson we want to see reflected in firm behaviour. Any organisation that prioritises being within the rules over doing the right thing, will not stand up to scrutiny for long.”

The challenges for auditors are:

  • How does auditing change to meet this focus on the right outcomes?
  • What will the audit evidence look like if there are no documented and predetermined rules to subsequently audit against?
  • What does firm behaviour mean?
  • What is the regulator expecting from organisations?

Regulators expect organisations to reduce the box-ticking mentality. That mentality often involves auditors asking a question and looking for evidence that the predetermined rules, procedures and processes have been followed. If they have not been followed, the auditor raises a non-conformance.

This rule-based approach assumes that everything can be predetermined. It assumes that people are robots who will always follow the rules, which they are not. In reality, people react to situations that cannot be fully predicted.

These enduring failings of existing approaches are what, I believe, Bailey is targeting. By firm behaviour he may mean an expectation of change or, at least, a re-positioning of the balance between what can and cannot be predetermined, and then the use of the appropriate audit techniques.

How does this affect auditors?

As we know, international standards have changed to be more risk and outcome based. This strategic shift is putting pressure on the audit profession to change in order to meet business, certification and accreditation body expectations. The management accounting world already feels the pressure for change following the Carillion collapse and other well-publicised audit failures.

The following are offered as some thoughts to meet this change to focus on behaviour and outcomes:

  • Is this change increasing the cost of compliance? If it is, then this may be an indicator for a review of audit and risk activity.
  • Do auditors know the difference between a mechanistic system focused on outputs and social systems (reality) focused on outcomes and how to audit each effectively? 
  • Do auditors use techniques to gather evidence of what people achieve, not just what they say they do or write down?
  • Do auditors have the capability to consistently analyse behavioural indicators (the real evidence) so that audits report predictive risk against performance and compliance outcomes before it is too late?
