This article describes risk-based auditing--a type of audit that considers departmental objectives, risk, and adequate controls as interdependent concepts that must function together for success--and advocates its widespread adoption in the public sector.
By conducting audits to safeguard public assets, the internal auditing function in local government exists on the notion of accountability. This premise has allowed the internal auditing function to maintain its traditional focus of internal control, while also protecting the function from having to justify itself. Many organizations in the private sector already have embraced the philosophy that all departmental activities must validate their existence by illustrating the relationship between work performed and company objectives. In a recent survey of major financial institutions, it was shown that a fully integrated audit operation embraces risk as a means to maximize profit.  The internal auditing function in local government should be approached in a similar fashion, requiring a linkage between the audits conducted and the inherent risks of pursuing the organizational objectives.
The formal term of the paradigm shift from auditing controls to auditing risk is known as risk-based auditing.  Traditional audits in local government have focused primarily on internal controls, providing recommendations on top of recommendations with an alarming disconnect between audit objectives and the needs of front-line managers. Risk-based auditing begins by approaching departmental objectives, risk, and adequate controls as interdependent concepts that must function together for success.
If these concepts are approached from an independent standpoint, then control recommendations will dominate the audit report and minimize its usefulness. For example, a traditional audit of the concentration account would audit the historical work papers of monthly bank reconciliation reports. This type of audit often provides numerous recommendations of control procedures that ensure accountability. A risk-based audit would begin with an examination of the objectives of the accounting function, highlighting the areas that contain the greatest amount of risk. This type of effort may reveal that the investment function contains the most risk. Therefore, audit recommendations would focus on staff organization to ensure that the general ledger, the investment portfolio, and bank reconciliation are properly integrated to mitigate future risk.
The city of Greenville, South Carolina, embraced the traditional internal audit function until constant turnover in the position of internal auditor threatened the existence of even control focused audits. This article describes how Greenville's finance director used turnover to create opportunity. An inventory of the skills and abilities of finance personnel revealed that many of the compliance audits could be handled by staff accountants, and co-sourcing with a local accounting firm was used to expand the audit function to include performance audits. The real change, however, emanated from the new mission of the internal auditing function. No longer would it focus on internal controls, but instead, it would focus on risk assessment that is derived from risk-based auditing. This article concludes with a discussion of how the internal auditing function can play a key role in performance measurement and benchmarking once the paradigm shift to risk-based auditing is realized.
When the finance director was hired by the city of Greenville, South Carolina, in November 1995, the department embraced two forms of audits: the annual financial audit conducted by an outside auditing firm and compliance audits conducted by the internal auditor. The internal auditor reported administratively to the finance director and reported directly to the city manager on audit-related matters. A review of the previous audits revealed limited compliance audits with the primary recommendations being based on the establishment of internal controls. …