Blogs Christopher Kelly, DProf, FCA, PFIIA Jan 27, 2021
In this way, the work of internal audit can be joined up with risk management, insurance, and other assurance functions.
My most meaningful discussions at client audit committee meetings have been about what the Monte Carlo distribution is telling us. Why? Because the Monte Carlo mathematics help to overcome human biases that can emerge with purely qualitative approaches when analyzing risk.
With Monte Carlo, we get a one-page graphic that summarizes the best case, worst case, and most likely range of cases for the database of all known risks together with the cumulative confidence level matching the organization's risk appetite (see below). Underlying this graphic is a simple database of each risk, the likelihood of its occurrence, the range of possible outcomes after any insurance recoveries, and its mitigation plans, including internal audit reviews.
The underlying database of risks, ideally following ISO 31000 — Risk Management, brings together the knowledge of the organization's subject matter experts as to each risk's nature, probability, and impact. This will cover the known risks, while any unknown risk can also be included in the database as a black swan.
While these estimates are subjective, they are expert-based and their rigor can be improved with historical data such as the expected frequency of accidents, asset failures, and weather events. In this way, the occurrence rate of risks can be estimated as "one in five years," "one in 10 years," "one in 100 years," and so forth.
By taking, say, a five-year look ahead, those estimates are convertible into percentages. So a one-in-five-year risk would be a 5/5 = 100% certainty in a 5-year Monte Carlo look ahead. While a one in 100-year risk would be a 5/100 = 5% risk.
Since many of those risks will be at least partially offset by insurance, the database also should show the upper limits and deductibles that apply to each risk. The net uninsured risk drives the Monte Carlo simulation of future potential impacts, which should in turn direct management's mitigations, internal audit's assurance work, and periodic re-evaluation of insurance.
Monte Carlo does this by generating thousands of random scenarios in which the risks may or may not occur based on the experts' probability and impact estimates.
Sophisticated software is not needed. Monte Carlo can be done in Microsoft Excel and Google Sheets spreadsheets using the built-in random-number generation function RAND(). Each simulation will have at least two random components: 1) a random trigger as to whether the risk occurs or not based on its likelihood; and 2) a random cost within its estimated upper and lower range.
Running these calculations across all risks 10,000 times will create 10,000 versions of the future. This can then be aggregated into a probability distribution to provide a graphic picture of what the future might look like.
Monte Carlo creates several opportunities for internal audit:
In this way the risk database and Monte Carlo simulation model puts the CAE at the center of an expert-based predictive tool not only for demonstrating the relevance of internal audit's risk-based program, but also to bring focus to audit committee discussions about risk, assurance, and insurance. Even if audit committee members disagree with the expert estimates, those can be updated and recalculated in mere seconds.
For a fuller explanation about how internal auditors can use Monte Carlo, read "Prioritizing Risk for the Future."
Christopher Kelly, DProf, FCA, PFIIA, is a partner at internal audit consulting firm Kelly & Yang in Melbourne, Australia.