Even after reading the answer, I still didn’t get it. It wasn’t until my mother explained the play on words that the penny finally dropped. Riddles have remained a source of fascination ever since.
What fascinates me the most about riddles is how they play on people’s preconceptions. So I decided to come up with my own: “When is an audit not an audit?” Answer: “When it’s a risk assessment”.
The common view is that the audit is an investigative tool used by organisations to assess whether their processes, and those of third parties, are operating satisfactorily.
Auditing starts with selecting a sample of process outputs, i.e. products and activities. The sample is then analysed and a series of recommendations developed to address any identified anomalies or non-compliances.
The problem with the traditional approach to auditing is that most organisations don’t have a clear understanding of what is meant by “satisfactory”. Accordingly, nothing less than 100% compliance will suffice.
This often leads to a major proportion of their limited time and resources being directed at processes and non-compliances that pose little or no risk to their goals and objectives.
By focusing an organisation’s limited auditing resources on its highest risk processes, “risk-based auditing” has gone some way towards addressing this problem. But it doesn’t help organisations determine whether process non-compliances have exceeded acceptable risk limits, or risk appetite.
To solve the final part of the auditing conundrum, the audit has to transform itself into a risk assessment tool.
Current developments in computer assisted audit techniques (CAATs) and advanced data analytics are facilitating this transformation.
Now, for the first time, CAAT solutions are making it possible to remove most of the subjectivity from audits, including i) determining the level of audit rigor to be applied to each process, ii) deciding whether process non-compliances have exceeded defined risk limits and, if so, iii) what actions are needed to mitigate or improve risk control performance.
More advanced CAAT solutions are now able to transform an organisation’s existing auditing processes into a powerful integrated risk assessment and control system.
I know my riddle isn’t in the same league as the “door ajar” riddle. But what I hope it does is challenge your preconceptions about auditing and, more importantly, what is possible.