Working In Uncertainty

Risk management versus internal control: Reflections on risk based internal audit

by Matthew Leitch, first published in July 2004.


When internal auditors abandon their traditional audit plans and programmes and start planning their work around the content of the corporate risk register, what happens?

One organisation that has been quite open about this, for example by presenting its story repeatedly at professional conferences, is BAA plc, which runs Britain's airports.

Their overall audit plan and the content of each review changed dramatically as a result of basing them on the corporate risk register. All this was very exciting and the general feeling was that they were turning their attention towards things of greater importance to the business and interest to senior management.

One side effect was that traditional core audit topics got less attention. Did this mean they had been over-auditing those areas in the past and the intellectual rigour of the new approach had revealed this habitual waste? Probably not.

What goes into risk registers?

The content of risk registers varies greatly depending on why the exercise is being done, but if you just get some senior executives or business managers in a room and ask them to think of risks you can expect to see the following:

Lots of risks concerning ...            But not many concerning ...
New business initiatives                Business as usual
Competitive strategies                  Health and safety (except in industries
                                        where the omission would be a scandal)
Business results                        Reliable accounting
Projects                                Compliance with existing legislation
                                        and regulations
Things that need to be improved         Things that don't need to improve

It is human nature to mention objectives that relate to new initiatives. For example, if someone asked you on 1st January what your personal goals for the year were, would you list all the things you will have to do that are just a continuation of what you have been doing in the past? Of course not. You might say, if true, that you aim to learn to play the guitar, or get fit (finally), or spend more time with your family.

On top of that, senior executives have a rather unusual perspective as they spend a lot of their time on change.

Consequently, an audit programme based on the contents of a typical corporate risk register will be in danger of skimping on the boring compliance matters that have traditionally been the bedrock of auditing.

Why is this a surprise?

It shouldn't be a surprise, but if we base our expectations of risk registers on the COSO framework for internal control, and on documents inspired by it, we will be surprised.

The COSO framework for internal control describes an internal control system in abstract terms and puts something it calls ‘risk management’ at the top of a pyramid, with the job of monitoring risks and revising the control system to meet them.

So far so good, with nothing there that narrows down what sort of risk is to be considered or what constitutes a control.

However, turn to the implementation guide, which provides detailed risk-control tables, and the main target of the COSO framework is clear. The analysis grinds through accounting cycles suggesting controls that would help to keep the accounts correct and avoid obviously bad or fraudulent deals or loss of valuable assets.

The framework was written by accountants, and perhaps it seemed to them that anyone faced with populating a risk register would focus on the same risks they had.

Risk management versus internal control

In principle there is no difference between a risk management system and an internal control system. You may feel differently and there are many views on this, but the scope of each phrase seems to be getting wider and they are converging.

However, there are big differences in emphasis, with many practical implications.

Risk management favourites:
  What could happen
  Running the business

Internal control favourites:
  Business as usual
  Processes (accounting cycles)
  What could go wrong
  Maintaining the control system

Practical implications

There are a number of things that auditors need to adapt to if they want to start working from the corporate risk register.


I've already mentioned the change in coverage that results and hinted that some of this is not desirable. Some kind of adjustment needs to be made to ensure that ‘boring’ objectives not mentioned by senior executives nevertheless appear alongside the exciting ones when the audit managers start working on their annual plans.


The kind of control recommendations auditors like to make should change as the nature of the audits changes.

Coming from a background of commenting on improvements to clerical procedures, it is normal to concentrate on procedural matters, documents, control checks, sign-offs, and the form of work rather than its content (because usually the content is very simple).

However, improving the management of business risks means that more often the content is complex and needs attention. It is often better to plan to reduce inherent risk rather than add control checks to catch it if it occurred. The conversations people have are often more important than the documents that eventually get signed off.

This tendency to add control checks can be seen in the style of risk management that accountants and auditors promote, which is little more than control self-assessment, i.e. a review of controls (or risk responses) against risks, intended primarily to show, retrospectively, that all is well.

Upside and downside

Looking at operational and accounting procedures, there is no real need to think about things that might go unexpectedly well. All risks are bad.

However, many of the items in a typical corporate risk register can have upsides too. For example, ‘loss of market share’ could and should have ‘gain of market share’ joined to it because the full picture is that we have uncertainty about future market share.

This perspective takes some getting used to, which may be why, although nearly all risk management standards include upside risks in their scope, very few make any technical adjustment to accommodate them.


Something else that doesn't come up often when you only look at operational and accounting risks is a need for quantification. In traditional audit work saying that a risk is ‘high’, ‘medium’, or ‘low’ seems quite sophisticated. For some other areas of risk, including those that often feature prominently in corporate risk registers, it is woefully inadequate.

For example, understanding the impact of changes to project structures requires quantitative modelling. What happens if you increase the time between useful deliveries to end users? What happens if you decrease the number of dependencies in a plan?

Modelling choices

Likewise, thinking through the risks of an accounting process tends to involve few decisions about how to structure the model. It is easy to get the impression that the risks are a natural product of the process itself and alternative analyses are not possible, or are likely to be extremely similar.

Yet in looking more widely at business risks there are many choices of how to divide the universe of risk and different approaches yield radically different sets of risks.


If auditors want to adopt the corporate risk register as the basis of their audit planning they need to adapt their approach in several ways. The risks that appear on corporate risk registers are not the sort of risks that auditors are used to addressing and do not resemble the risks envisaged by the COSO framework on internal controls, except in principle.

Auditors have a huge role in embedding risk management, but it's going to require some new skills.


Words © 2004 Matthew Leitch.