Author

Maksudul Amin FCCA is the former group head of internal audit at ASA International Group

For most microfinance institutions (MFIs) – financial companies that provide small loans to people who do not have any access to banking facilities – internal audit was once a matter of compliance: ensuring procedures were followed, forms signed and papers filed.

While this checklist approach to auditing provides a minimum level of assurance, it typically will not provide insight into the real risks the institution is facing or necessarily drive strategic value.

When I was the group head of internal audit at ASA International Group, which operated across 13 countries in Asia and Africa, I led a major evolution: the shift in the internal audit function from conventional compliance testing to a risk-based audit (RBA) that was more proactive.

This was not just a technical improvement; it was a cultural shift that added genuine value to the business and moved audit's position from rule enforcer to strategic adviser, with a direct line of communication to the audit committee chairman to ensure objectivity.

Compliance testing limitations

When I first assumed the role, internal audit was heavily focused on determining adherence to the internal manual, ie the standard operating procedures (SOPs): whether cash handling forms were signed and loan registers maintained or posted appropriately.

While important, this transaction-based audit model often neglects:

  • emerging fraud risks
  • inefficiencies in operations
  • control weaknesses from digital transformation
  • strategic risks such as market growth or climate exposure.

The word from business leaders was straightforward: audits were reactive, duplicative and disconnected from real-time risk. Moreover, frontline staff saw auditors as checkers, not partners, further minimising collaboration and learning.

Why risk-based auditing?

Risk-based auditing (RBA) is more than an audit planning tool; it is an assurance philosophy: a matter of focusing resources where the risk is highest and assurance is most valuable.

Our reasons for implementing the change to RBA included:

  • Scalability: with 13 subsidiaries, a checklist approach was neither viable nor insightful. We still used a checklist for branch audits, but asked auditors not to limit their risk lens to the checklist during testing.
  • Responsiveness: the pace of change in risk environments was outstripping the ability of audit cycles to keep up.
  • Business relevance: the board and management needed insights that informed strategic decisions, not just policy adherence.

RBA framework

In developing the RBA framework at ASA International, we employed a four-step process to build it around the risk universe, audit plan, audit tools and training.

Step 1: Defining the risk universe

We started by mapping a broad risk universe, drawing input from:

  • country risk reviews
  • incident reports
  • strategic programmes (eg digital launch, ESG priority areas)
  • management interviews
  • external regulatory pronouncements.

We rated each risk using a heat map approach, evaluating likelihood, impact and control maturity, and applying professional judgement wherever required.

Step 2: Redefining the audit plan

We shifted from static, cycle-based audit plans to a dynamic, risk-based annual audit plan. For example, branches with a high portfolio at risk (PAR) were audited more frequently than less risky branches, and disaster preparedness was assessed in the Philippines’ climate-vulnerable locations.

Step 3: Reengineering the audit tools

Audit programmes were redesigned to include control effectiveness testing, fraud vulnerability testing, root cause analysis, and ESG and reputational risk indicators.

We also digitised audit working papers to enable central monitoring and analytics across countries by creating in-house audit software as part of the group’s overall digitalisation exercise.

Step 4: Training the audit teams

Attitude change was essential. We initiated extensive training in risk assessment, root cause analysis, and stakeholder engagement at onboarding and ongoing employment stages. Teams were encouraged to ask ‘why’ and ‘what if’, not just ‘was the form signed?’

Audit staff began to engage more constructively with operational leaders, offering forward-looking advice and participating on risk committees.

Tangible value added

The shift to RBA brought measurable improvements across ASA International, including:

Risk coverage improved: Audit activities were no longer equally distributed; they were strategically concentrated. We discovered control weaknesses in recently computerised collection processes in a few countries of operation in both Asia and Africa that had gone unnoticed under checklist audits.

Fraud detection improved: By focusing on risk indicators such as unusual patterns of loan disbursement or excessively high portfolio growth, our fraud risk management and IT audits detected and prevented several instances of fraud, including unauthorised overrides in loan management systems.

Increased board confidence: Audit reports began to include risk trend analysis, dashboard summaries and audit assurance ratings. This gave the board’s audit committee a clearer picture of where risks emerged and how effectively they were addressed.

Operational improvements: In certain Asian and African subsidiaries, our risk-based audits led to the redesign of branch-level cash reconciliation controls, which reduced daily variances by over 70% within a quarter. In an African subsidiary, ESG-themed audits conducted through branch audits prompted improvement in the management of customer complaints, and compliance and customer satisfaction ratings increased.

Overcoming challenges

The transition to risk-based auditing was not challenge-free. Key challenges and how we resolved them included:

  • Resistance to change among incumbent auditors: we overcame this by conducting participatory workshops and peer-learning sessions, and involved staff in redesigning the RBA tools.
  • Inability to get consistent risk data: we collaborated with all the internal stakeholders to develop risk dashboards and added audit logs in the audit systems.
  • Fear of ‘audit interference’ by management: we built trust by positioning audit as a business partner, not a watchdog, and by emphasising shared risk mitigation.

Lessons learned

  • Start with culture, not just tools. The audit team’s culture must evolve before the methodology does.
  • Use audit committees as catalysts. Our board audit committee led this evolution, demanding more than compliance knowledge.
  • Correlate audit findings to business KPIs. Demonstrating how audits reduce loss, enhance controls or improve client experience makes organisational buy-in more persuasive.
  • Don’t leave compliance behind – embed it. Compliance is a must, but must be set within a broader risk context. RBA enabled us to question compliance where it mattered.

Auditor to adviser

At ASA International, a move towards a risk-based audit model allowed the internal audit activity to emerge as a value-adding strategic partner. We moved from ticking boxes to unveiling risks that mattered, from documenting procedures to influencing decisions.

This journey underscored a fundamental truth: in a field as socially conscious and operationally complex as microfinance, the role of internal audit cannot be restricted to compliance enforcement. It must be risk anticipation, ethical stewardship and strategic advisory, all in the pursuit of financial inclusion.
