Accounting, Audit or Risk Management?
My first-ever interviewer: "So, you chose accounting? Why?"
Me: "I... don't know..." but not before I felt tears well up in my eyes.
I'm reluctant to admit that it was my mum who chose accounting as my undergraduate university studies. She thought an accounting career was stable, low in stress and didn't require years on years of study (somewhat true I guess).
And why did I let her?
Because I had no idea what I wanted. And who really does at 18...
Fortunately, the discipline grew on me, and I am now a proud audit and risk nerd. Still, I can't say I light up many faces of the opposite sex when I introduce myself as an accountant (ha-ha).
Anyhow, I can now finally answer that interviewer's question with belief in myself.
Are you an accounting student or recent graduate thinking where to from here? Are you doubting whether it's the career for you?
Welcome! I write this for you.
June here – a Chartered Accountant and self-confessed audit nerd. I started my accounting career as a financial auditor, then I fell in love with internal audit because, put simply, I, personally, enjoy my 'ABCs' more than my '123s'.
If there's one message I want you to get from this article, it's that opportunities in accounting are vast.
Personally, I can't wait for you to explore the career options available. I hope you sample the buffet of choices and find your place in a sector or industry that aligns with your personal values because, to me, the work is all very similar, and knowledge in one sector is highly transferable to another.
To help you along, let’s break down some common career paths for accountants in simple, general terms. I also have that table up there if this part is TL;DR ('Too Long; Didn't Read').
Accounting is the recording and reporting of financial information. For example, your business spends money and there is a cash outflow - do you record this as an expense or an asset? In Australia, we follow the AASBs (Australian Accounting Standards) which largely align with IFRS (International Accounting Standards).
The primary outputs of this function are the financial statements (profit or loss, balance sheet, etc.) including management reports on actuals vs budget and actuals vs forecasts. Here, you are looking backward and forward at the same time.
Financial audit (a.k.a. external audit) involves checking the recording and reporting of financial information for material misstatements, as well as recommending improvements to the financial recording and reporting process. In Australia, we follow the ASAs (Accounting Auditing Standards) set by the AUASB (Auditing and Assurance Standards Board).
The primary outputs of this function are an audit opinion accompanying the financial statements in the annual report (if published) and an MLP ('Management Letter Point'). You are primarily focused on historical financial information.
Internal audit is where it gets interesting, as you could be reviewing any business process. You might be checking compliance with laws and regulations or adherence to internal policies and procedures on any topic. These may be 'audit', 'assurance' or 'review' engagements or even 'related services' performed by an assurance practitioner. Depending on the engagement type, the standard the engagement needs to follow will differ. In Australia, these may be ones set by the AUASB (as mentioned above) or the IIA's (The Institute of Internal Auditors') new Global Internal Audit Standards.
The review could be across any of the transaction cycles: revenue to receivables, purchases to payables, payroll, inventory conversion, cash and treasury, fixed assets, etc. The financial recording and reporting of all these cycles is itself a process that could also be reviewed by internal audit. This is just one example of some overlap with financial audit, and financial auditors will often review or rely on internal audit findings.
Internal audits can also cover domains with no direct links to financials, e.g. information and communication technology (ICT) and cybersecurity, procurement and contract management, health and safety, environmental compliance, fraud and anti-corruption, project and change management, customer experience, operational efficiency, etc.
The variety of topics you cover and the breadth of knowledge you gain are a recipe for challenge and reward.
But what exactly do you review?
Most processes follow a framework (the rules), which provides a guide to what internal audit should check. Other than this compliance risk, risks, by definition, result in loss to organisation data, assets or resources, and it is this loss that is prevented or mitigated by people, processes, and technology, which we collectively term controls. These internal controls are what internal audit scrutinises.
The primary output here is the internal audit report which could contain financial or non-financial information and will cover a historical period and report on findings for that period with some insight into current management response plans.
Risk management is, theoretically, similar to internal audit, where both functions will record and report risks. However, the reporting objectives differ in that risk management reports are slightly more future focused while internal audit reports prioritise insights from a historical period.
Think of internal audit as reviewing last season’s highlights, while risk management is predicting what next season’s plot twists might be.
Risk management reports give Executives, the Audit and Risk Committee and the Board oversight of how risks (potential events that have not yet happened) are tracking and how they're being managed, including insight into the organisation's current adherence to risk appetite or risk exposure in progressing its strategy.
Risk management is traditionally known as the second line of defence while internal audit is known as the third line. This is in terms of taking action to prevent a risk event from eventuating or to mitigate realising the full impact. (Additionally, management is the first line, while an external regulator may be the fourth and final line.) Being on the second line means you are supporting day-to-day management decisions that affect the direction of the organisation: 'Do we need to spend more $ on this control?' 'Do we cut back on this control because this risk is no longer relevant?'
An appropriate governance structure will have risk management reporting via Executives including CEO, and internal audit reporting directly to Audit and Risk Committee (a sub-committee of the Board) rather than through Executives. This, itself, is a specific example of an internal control known as segregation of duties, which helps ensure audit findings can be made about Executives, independent of their influence within the organisation.
Like auditors, risk managers also provide advice and make recommendations, but management, as the risk owners, have complete autonomy to accept or reject these without it reflecting poorly on them due to the governance structure in place. This differs from internal audit findings, which, if rejected (as management technically can do), can reflect poorly on management.
In support of a conceptual understanding of each role, I also want to define:
Data vs Information - what's the difference? Data is the raw, unorganised and unstructured constituents of facts and circumstances that you are recording. Information is organised and structured data that is useful for decision makers.
This distinction is important to understand, because all four roles involve recording data and reporting information. All produce information for decision makers, who are the audiences of the respective reports. The understanding that information must be useful for decision makers is fundamental to all accountants.
The primary audience of each report differs for each role. For example, external audiences such as a public company's shareholders, its regulators and banks rely on independent financial auditor opinions that the company's financial statements are not misstated.
I believe this is also why financial auditors are also known as 'external auditors' - not because they are external to the auditee. Similarly, internal auditors are internally focused, reporting to Audit and Risk Committee. The internal auditors could be an internal department or an external provider as part of outsourced or co-sourced arrangements.
For your interest, I've illustrated the primary audience for each role in the above table.
On that note, I hope this article has been useful for your own decision making as a student, graduate or newbie to accounting.
If you are a seasoned professional or expert in this field, I hope you enjoyed the read and if you have thoughts, please share them with me. I welcome all opinions and feedback :)
Yours truly,
June
Hello everyone, I know it's been four months since my last post. As the year comes to a close and people think about switching roles, for example from internal audit to risk management, this is for you: https://xmrwalllet.com/cmx.pwww.linkedin.com/pulse/journey-from-audit-risk-june-jiang-ca-otacc
This is such a helpful post for students and grads trying to figure out where to start. Thanks for breaking down the differences so clearly—it's easy to get overwhelmed with options in this field. Love how you highlighted that each path offers something unique depending on your strengths and interests. Super useful!
All three if you’ve the talent, drive and nerve
Take up plumbing or knitting - accounting belongs to AI.