Salvation Army Customer Story
Compliancemarts 04, 2022

The Salvation Army’s path to risk-based auditing

Efter: Major Stephen M. Kelly, MBA
Several years ago, our organization’s International Headquarters in London issued a mandate that we begin “risk-based auditing,” without any definition of what exactly that meant.  I’m familiar, of course, with definitions from groups such as the IIA and my colleague Audit Secretaries (CAOs) in other corporations within our organization. Most take the view that “risk-based auditing” assesses the risk level of units to be audited, and then changes either the frequency of auditing or the tests to be performed, or both, for those locations based on the risk assessment.

We’ve taken a completely different approach.

Our audits are fixed frequency. Our testing procedures are uniform. But each test we perform (132 of them) generates a risk rating from 1 to 10. These are categorized using the five COSO categories of Compliance, Financial Condition, Financial Reporting, Operational Efficiency and Strategic Management. Composite risk ratings are totaled in each of these categories, and then an overall composite risk score is assembled for the unit as a whole.

Risks identified are then triaged – the items appear in the report from high risk to low. This tells management what they need to work on first as it is the most critical.

Senior management, in addition to getting the individual audit reports, also gets a composite report with a financial summary and risk numbers for each location on a monthly basis, summarized by mid-level management divisions (generally 1-3 states).

We’ve moved from Internal Audit saying, “here’s the policies that you violated” to “here’s the risks we’ve identified at your unit.” It’s no longer a confrontational “ding on your record” but more about helping the local management see the minefields before they blow up. It allows us to take a more encouraging tone while still being honest about what the auditors found.

As a Christian organization, we place a high value on scriptural teaching, and our department is guided by Ephesians 4:15: “…we will speak the truth in love…” 

  • Failing to speak the truth means we don’t give a thorough, honest assessment and gloss over issues; wishy-washy auditing is pointless.  Failing to speak the truth opens the door to audits that show favoritism or bias.  Failing to speak the truth is the death of objectivity.
  • Failing to speak in love means we are harsh and condemning; beating people up doesn’t move them toward change.  Failing to speak in love reduces audit to an unwelcome intrusion in the eyes of local management instead of something that could be valuable to them.  Most importantly, the “message” of the audit – what needs fixed – doesn’t get heard.
Both truth and love are necessary for us to do our job as internal auditors. Tell it like it is. Give hope and encouragement that it can be better.

Disclaimer: The views and opinions expressed within this article are those of the author and do not necessarily reflect the official policy or position of Wolters Kluwer TeamMate. Any content provided by the author is of their opinion and are not intended to malign any religion, ethnic group, club, organization, company, individual or anyone or anything.

Major Stephen M. Kelly, MBA
Territorial Audit Secretary, The Salvation Army
The Salvation Army is a global church and human services organization active in 130+ countries. In the U.S., it exists as four corporations. Major Kelly is the Audit Secretary (Chief Audit Officer) of the Atlanta-based Southern Territory.
Back To Top