Lessons from Winnie the Pooh on Risk Assessments

Here is information from a recent article I wrote for Compliance Week entitled: “Lessons from Winnie The Pooh on Risk Assessments — Using an integrated GRC approach to risk assessments and risk-based audit planning.”

Lessons from Winnie The Pooh on Risk Assessments
Using an integrated GRC approach to risk assessments and risk-based audit planning
by Jason Mefford
I have spent almost twenty years as an auditor: externally, internally, or training auditors. When discussing the subject of risk assessments and annual audit plan development, I am often reminded of a quote from Winnie The Pooh.

“Here is Edward Bear, coming downstairs now, bump, bump, bump, on the back of his head, behind Christopher Robin. It is, as far as he knows, the only way of coming downstairs, but sometimes he feels that there really is another way, if only he could stop bumping for a moment and think of it.” A. A. Milne.

How much of the time do we feel we are hitting our heads when doing risk assessments and annual audit plans, realizing there is a better way, but not knowing how to change? We do the same things over and over again, just like Winnie The Pooh coming down the stairs.

Internal auditors need to use a risk assessment to develop their annual audit plan. The Institute of Internal Auditors (IIA) standard 2010.A1 states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.”

I am, however, still amazed at how many internal audit activities believe the standard means they must be the ones who perform the risk assessment. In fact, I have observed one of my clients where at least six different risk assessments are performed by different functions throughout the organization. This is not only confusing to everyone, but also a big waste of time and resources. If your organization already has a competent risk management function, consider using the risk assessment prepared by that group as the basis for your audit plan.

In order to have a truly integrated GRC capability, internal auditors must work with the other GRC professionals in their organization. They must align their annual audit plan with the organization's objectives and strategies and with the initiatives of the other GRC professionals. They must collaborate, coordinate and align their audit activities with those professionals to increase visibility and improve efficiency, accountability and collaboration.

Another common mistake is developing audit plans based on business units, processes or internal controls instead of plans focusing on the organization’s objectives. I see many auditors creating very similar audit plans year after year.

“The chief audit executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals” (IIA Standard 2010 – Planning). Auditors should identify the key actions and controls used by management to reduce the threats (and corresponding risks) to meeting organizational objectives. This is completely in line with the concept of Principled Performance and an integrated GRC approach. Auditors need to take this approach instead of doing the same things over and over again in a Winnie The Pooh fashion.

There are nuances to an integrated GRC capability that will require auditors to plan and perform audits with more input and coordination of others in the organization. Auditors can no longer “go it alone” in their assurance efforts. For this reason, it is beneficial for auditors to get an understanding of GRC concepts by becoming certified as GRC Professionals and understanding the nuances and tools available in auditing GRC activities by becoming certified as a GRC Auditor.

As Albert Einstein is famous for saying, “Insanity is doing the same thing over and over again and expecting different results.” It's time to stop the insanity.

Deepen relationships with other GRC professionals in your organization. Start using the organizational risk assessment as the basis for developing your annual audit plan. Stop relying on a rotational audit approach that focuses on business units, processes and internal controls. Start developing a plan that truly considers organizational objectives and is integrated with your GRC capability. This is the only way we can stop the insanity, and avoid bumping our heads over and over again.
