This article looks at two specific items in the Paper P1 Study Guide: Section D1c, which is about describing and assessing the role of internal or external risk auditing; and Section E7d, concerning the nature of a social and environmental audit and the contribution it can make to the development of environmental accounting
We all have an intuitive idea of risk. A good working definition of risk is an unrealised future loss arising from a present action or inaction. If I risk $1 on a lottery ticket in the hope that I might win the jackpot of several million dollars, there is a high probability that a presently unrealised loss will materialise (ie, I won’t win the lottery). I will probably not win and therefore my $1 investment will be lost. Conversely, if I risk my $1 buying a share in a well-established large public company, there is less overall probability of losing my entire dollar (although I may lose a part of the value) but at the same time, the expected returns on the share purchase are likely to be much less than my maximum possible return on my lottery ticket.
Return is, on average, a function of risk. ‘Risky’ share funds are those with the largest number of possible outcomes but with the possibility of higher returns should the best scenario be played out (such as investing in SMEs and small, growing companies).
In Paper P1, we consider risk as a subject in itself but we also look at how risk is associated with internal activities. It is because of this that risk management is an important part of the management of internal controls, controls which are, in turn, a crucial part of corporate governance. As we have sadly seen on many occasions in the past, internal controls can fail to adequately control risks and it is for this reason that it is crucial that an organisation understands and can quantify the risks that it faces.
Risk audit and assessment is a systematic way of understanding the risks that an organisation faces. Because the range and types of risks are many and varied, risk assessment and audit can be a complicated and involved process. Some organisations, such as large financial services providers, employ teams of people whose job it is to continually monitor and internally report on the organisation’s risks. For others, the activity is only undertaken occasionally, perhaps as a part of the annual cycle of internal control management. Unlike financial auditing, risk audit is not a mandatory requirement for all organisations but, importantly, in some highly regulated industries (such as banking and financial services), a form of ongoing risk assessment and audit is compulsory in most jurisdictions. Some organisations employ internal risk specialists to carry out risk auditing ‘in house’, but in other cases, the role is undertaken by external consultants. There are pros and cons of both approaches.
Risk audit as an internal function has the advantage that those conducting the audit are likely to be highly familiar with the organisation, its systems, procedures, regulatory environment, and culture. By understanding how things ‘work’ (who does what, what regulations apply and where), and also understanding relevant technical matters, legal frameworks and control systems, an internal auditor should be able to carry out a highly context-specific risk audit. The audit is likely to contain assessments that are written and structured according to the expectations and norms of the organisation, perhaps using appropriate technical language and in a form specifically intended for that particular organisation’s management.
The disadvantages are the threats of impaired independence and overfamiliarity that are present in many internal audit situations. It is to avoid these that many organisations prefer to have risk audit and assessment carried out by external parties.
Having an external risk audit brings a number of advantages. First, it reduces or avoids the independence and familiarity threats. It is likely that external auditors will have no link to anybody inside the organisation being audited and so there will be fewer prior friendships and personal relationships to consider.
Second, the fact that these threats are avoided or reduced will create a higher degree of confidence for investors and, where applicable, regulators.
Third, any external auditor brings a fresh pair of eyes to the task, identifying issues that internal auditors may have overlooked because of familiarity. When internal employees audit a system or department, they may be so familiar with the organisation’s routines, procedures, culture, and norms that a key risk might be overlooked or wrongly assessed.
Fourth, best practice and current developments can be introduced if external consultants are aware of these. Given that consultants typically promote themselves on the currency of their skills, it is often more likely that their knowledge will be more up to date than that of internal staff, whose skills may be geared specifically to their organisation’s needs and expectations.
There are four stages in any risk audit (internal or external): identify, assess, review, and report. Together, these comprise an audit or review of the risk management of an organisation.
Given the range of potential unrealised losses that an organisation might face, it would be inexcusable for management to be ignorant of what the risks are, so identification of risks is the first part of any risk audit. Risks come and go with the changing nature of business activity, and with the continual change in any organisation’s environment. New risks emerge and old ones disappear. Identification is therefore particularly important for those organisations existing in turbulent environments. Uncertainty can come from any of the political, economic, natural, socio‑demographic or technological contexts in which the organisation operates.
Once identified, the next task is to assess the risk. Each identified risk needs to be measured against two variables: the probability (or likelihood) of the risk being realised; and the impact or hazard (what would happen if the risk was realised). These two intersecting continua can be used to create a probability/impact grid on to which individual risks can theoretically be plotted. I say ‘theoretically’ because it is sometimes not possible to gain enough information about a risk to gain an accurate picture of its impact and/or probability.
This assessment strategy is used in many situations, from share portfolio management to terrorism prevention, and to understand the effects of risks on internationalisation strategies. In anti‑terrorism planning, for example, governments assess certain potential ‘big ticket’ terrorist attacks as ‘high impact but low probability’ events, and other attacks as the opposite. If this were an article on risk management, I would now go on to discuss the risk strategies of ‘transfer’ (or share), ‘avoid’, ‘reduce’ and ‘accept’, but instead, in a risk audit, the auditor goes on to review the organisation’s responses to each identified and assessed risk.
At the review stage, the auditor analyses the controls that the organisation has in the event of the risk materialising. For example, this could involve looking at insurance cover where appropriate, the extent to which the risk portfolio is diversified, and any other controls appropriate to the risk. In the case of accepted risks, a review is undertaken of the effectiveness of planning for measures such as evacuation, clean-up and so on, should the unavoidable risk materialise. Review can represent a substantial task, as the response to each assessed risk is a part of the review and there may be many risks to consider.
Finally, a report on the review is produced and submitted to the principal which, in most cases, is the Board of the organisation that commissioned the audit. Management will probably want to know about the extent of the key risks (those with high probability, high impact, and especially both high impact and high probability); the quality of existing assessment; and the effectiveness of controls currently in place. Clearly, any ineffective controls will be a key component of the report and they would be the subject of urgent management attention.
One area of audit activity that has grown in recent years is that of social and environmental audit. The social and environmental accounting ‘movement’ began in the mid-1980s, when it was first coherently argued that there was a moral case for businesses, in addition to reporting on their use of shareholders’ funds, to account for their impact on social and natural environments. While accounting instruments already existed for reporting financial performance, there weren’t any for accounting for non-costable impacts, and it was this that gave rise to modern social and environmental accounting.
If, for example, a meat processor buys in beef and processes it for onward sale (eg as burgers), then the cost of the beef includes all of the identifiable costs incurred by the supply chain up to that point (plus profit margins, of course). So for beef, those costs will include elements of farming, land costs, logistical costs, abattoir costs, and so on. However, the farmer who produced the beef may have reared the cattle on land bought as a result of forest clearance. He may have paid a market price for the land upon which to graze his cattle, but the initial deforestation has implications that could not have been factored into the price he paid for the land. How, for example, could you attribute a cost to the loss of species habitat or the loss of greenhouse gas processing capacity? It is because of the difficulties in allocating the costs of these externalities that, environmental activists say, the price of that beef does not reflect the true – or full – cost, which should include the cost to the environment. The same would apply to almost any product of course, not just beef. In the case of oil and gas, for example, the environmental footprint includes the extraction of a non-renewable energy source and the release of greenhouse gases (carbon and sulphur-based gases) into the environment.
What has all this got to do with audit? It is important because, increasingly, many investors and other stakeholders want to know about an organisation’s environmental footprint in addition to its economic performance. Typically, there are three sources of pressure for this:
An environmental audit, and the production of an environmental report, enables an organisation to demonstrate its responsiveness to all the sources of concern outlined above. Except in some highly regulated situations (such as water), the production of an environmental audit is voluntary. The production of such a report, however, ensures that an organisation has systems in place for the collection of data that can also be used in its environmental reporting.
An environmental audit typically contains three elements: agreed metrics (what should be measured and how), performance measured against those metrics, and reporting on the levels of compliance or variance. The problem, however, and the subject of most debate, is what to measure and how to measure it. As an environmental audit isn’t compulsory, there are no mandatory audit standards and no compulsory auditable activities. So an organisation can engage with a social and environmental audit at any level it chooses (excepting those in regulated industries for which it is mandatory). Frameworks do exist, such as the data-gathering tools for the Global Reporting Initiative (GRI), AA1000, and the ISO 14000 collection of standards, but essentially there is no underpinning compulsion to any of it.
This does not mean that it is entirely voluntary, however, as stakeholder pressure demands it in some situations. Most large organisations in developed countries collect a great deal of environmental data, many have environmental audit systems in place, and almost all produce an annual environmental report. Some organisations audit internally and others employ external auditors, partly to increase the credibility of the audit and partly because of a lack of internal competence.
In practice, the metrics used in an environmental audit tend to be context specific and somewhat contested. Typical measures, however, include measures of emissions (eg pollution, waste and greenhouse gases) and consumption (eg of energy, water, non-renewable feedstocks). Together, these comprise the organisation’s environmental footprint. Some organisations have a very large footprint, producing substantial emissions and consuming high levels of energy and feedstocks, while others have a lower footprint. One of the assumptions of environmental management is that the reduction of footprint is desirable, or possibly of ‘unit footprint’: the footprint attributable to each unit of output. If a target is set for each of these then clearly a variance can be calculated against the target. Some organisations report this data – others do not. It is this ability to pick and choose that makes voluntary adoption so controversial in some circles.
A recent trend, however, is to adopt a more quantitative approach to the social and environmental audit. The data gathered from the audit enables metrics to be reported against target or trend (or both). It is generally agreed that this level of detail in the report helps readers better understand the environmental performance of organisations.
Audit and assurance is a concept that extends beyond statutory financial audit. In addition to the widespread use of internal audit, risk auditing and social and environmental auditing are widely adopted and are increasingly being employed by organisations to increase investor confidence and respond to other stakeholder demands. In some cases, these are an integral part of internal control, but in other situations, they are standalone activities. In both cases, the reports are based on the assessments produced by the auditors. In the case of social and environmental auditing, in addition to providing management information, the data might also be used to provide content for external environmental reporting.
Unlike financial audit and assurance, a lack of mandatory standards means that the value of these audits is disputed, but it is generally agreed that more knowledge and information on any aspect of governance is better than less.
Written by a member of the Paper P1 examining team