January 16, 2020
In a recent article1, I stated that internal auditors have traditionally seen their role as helping senior management to address weaknesses and threats, or downside risks, to the achievement of organizational objectives. I argued that this role should evolve and expand to include providing assurance about organizational strengths and opportunities, or upside risks. I named this concept positive auditing.
In this article2, I go further and argue that positive auditing could also be applied to the fraud examination profession and could open up new areas of mutual collaboration between internal auditors and fraud examiners. Such collaboration, based on broader risk-based plans that examine strengths and opportunities, would provide more comprehensive assurance to public and private sector organizations.
Broadening the scope of examinations
Since its inception, internal audit has focused its value mainly in areas deemed to have significant deficiencies that are expected to need formal correction. Internal audits tend to report on material risks and shortcomings to achieving organizational objectives.
In the traditional SWOT analytical framework (Figure 1), weaknesses and threats represent only half of the key elements that can influence an organization’s achievement of its strategic objectives. I refer to weaknesses and threats as downside risks. I argue that little attention has been paid by internal auditors to the positive determinants of an organization’s success, namely internal strengths and external opportunities, which I call upside risks.
Figure 1 – SWOT—Strengths, Weaknesses, Opportunities, and Threats
About the Author
Basil Orsini retired in 2017, after more than 35 years working in large federal organizations, mainly in the field of internal audit.
Drawing from his experience, he is able to bring forward national lessons learned in the areas of health, employment training, taxation, acquisition and real estate, Aboriginal programs, and housing.
Basil has also worked in a large auditing firm and has held volunteer positions with The Institute of Internal Auditors and the Association of Certified Fraud Examiners, for which he has published articles and made presentations at national and regional conferences on a variety of subjects. He remains active in the areas of internal audit and fraud investigation.
Contact the author at:
Similarly, fraud investigations tend to focus on financial frauds and their associated risks and rarely examine non-financial fraud risks: the risks of deliberate misrepresentation on important matters, not directly involving finance, in order to secure benefits for people or the organization. Non-financial fraud is rarely examined even though it can eventually result in significant financial losses and hinder an organization’s strengths and opportunities.
Internal audit and fraud examination are both important, well-established, and valuable organizational functions that must continue to play their role in order to meet professional and stakeholder expectations. Nonetheless, I believe that both professions could do more to better serve their organizations and the public interest.
Specifically, I believe internal auditors should expand their examinations to include areas deemed to be positive and critical to organizational success (upside risks). The services of fraud examiners should be called upon when the positive auditing of upside risks reveals indicators of deliberate non-financial misrepresentation on matters important for organizational success.
Internal audit and fraud examination can both help organizations to manage the risks to their success and sustainability. Expanding examination scopes could contribute to this aim while opening up new areas for mutual collaboration that would produce additional value for an organization’s investments in internal oversight.
Risks and benefits of the proposed scope expansion
In auditing, as in other professions, innovation poses risks that must be addressed. The proposed scope expansion will be adopted only if it can provide tangible benefits for public and private sector organizations without creating significant risks for auditors.
For auditors, the main risks would be to conduct expanded audit engagements that:
- are not aligned with management priorities,
- do not conform with professional standards, and
- do not provide additional value.
In the remainder of this article, I argue that positive auditing avoids these risks and can be a valuable approach for both auditors and management.
Alignment with management priorities
Senior management in both the public and private sectors is rewarded when it achieves organizational goals and objectives. Goals and objectives focus mainly on sustaining or enhancing organizational strengths and pursuing new opportunities. Managers at all levels are mainly preoccupied with making decisions that address upside risks. Relatively less attention is paid to organizational weaknesses and external threats, although they are acknowledged to be important.
Similarly, organizations and their stakeholders continuously make decisions that are dependent on the integrity of organizational reporting. Stakeholders include taxpayers and other government agencies in the public sector, as well as regulators, shareholders, and clients in the private sector.
Positive auditing would be aligned with management priorities because expanding oversight into upside risks and increasing the integrity of non-financial reporting expands the levels of assurance and confidence upon which strategic and operational decisions are made.
Auditing upside risks would be beneficial for management for three main reasons:
- It would provide independent assurance that would validate organizational strengths and opportunities being sought.
- In some instances, positive auditing would reveal unexpected serious shortcomings, some of which may have been deliberately hidden for organizational or personal gain.
- Including some engagements designed to validate and reinforce strengths and opportunities would create better balance in the annual audit plan.
This added balance would demonstrate a greater understanding of business operations by internal auditors and motivate managers by recognizing where their efforts are showing results. This may in turn encourage managers to more readily address recommendations for improvement.
1 Orsini, B., “The Upside of Risk: Internal Auditors Can Provide Greater Value by Also Focusing on the Positive”, Internal Auditor, April 2019.
2 The information contained in this article expands upon a presentation made by the author at the Canadian Conference of the Association of Certified Fraud Examiners (ACFE), held in Montreal on 21 October 2019. It is published here with the permission of the ACFE.
Page 1 of 2