Do internal audit and risk management connect or not? Responding to an article last year in StrategicRISK, Nicola Rimmer gives her opinion
The professional practice of internal audit is concerned with enabling management to make informed decisions about risk management, thereby creating a control environment which can be regulated. Speaking at the recent Institute of Internal Auditors’ conference, Professor Mervyn King commented, ‘No-one is better placed to understand the risks facing an organisation than internal audit’. He described internal audit as ‘the right arm of the board’.
These statements alone rebut John Abbot’s point about ‘the disconnect between risk and control management teams and a company’s internal auditors’ in his piece, Creating Value, in the May 2008 issue of StrategicRISK.
Effective internal audit is a proactive and dynamic activity; at once adviser to, and agent of, senior management. It is not just about sweeping up problems once they surface. On the contrary, internal auditors work with managers to anticipate risk and create strategies to deal with most eventualities. This is the cornerstone of good corporate governance.
The Institute of Internal Auditors - UK and Ireland (IIA) has been educating internal auditors for 60 years. It is the primary body representing the interests of internal auditors and has been an influential force in shaping the profession and in guiding its development from a back room function to its current position as a beacon in the boardroom. Since the early ‘80s when a barrage of fraud and scandal scarred the corporate world, the IIA has redesigned its examination syllabuses and short training courses to prepare internal audit for a more strategic role in management. The IIA defines the role of internal audit thus:
‘Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.’
The main purpose of internal audit is to provide assurance to the audit committee, and ultimately to the board, on any of the processes in an organisation. Ultimately, the profession is addressing the risks that keep management awake at night. This involves reviewing the effectiveness of the risk management process through the audit methodology (known as risk based internal audit or RBIA), which is the basis for internal audit to provide value to the risk management process.
The risk management role
Variety and versatility are the essence of internal audit. It reaches into every part of an organisation. In essence, it:
Provides assurance on the overall risk management process
Gives assurance that risks are correctly evaluated
Evaluates the risk management processes
Measures and assesses the reporting of key risks and their management.
The first process to undertake using the RBIA approach is an assessment of risk maturity, which enables the internal audit department to determine what overall work will be required. The different levels of risk maturity are detailed below.
The RBIA approach assumes that an organisation is risk mature. A more traditional internal audit approach is required if an organisation has not yet reached that level of maturity. ‘If the organisation's level of risk maturity is low,’ says Rob Benson, partner at Mazars, ‘then we would work to promote risk management within the business.’
Assuming the organisation is risk mature – what would internal audit do?
1 Confirm that the objectives within the organisation are aligned with the overall business objectives and that everyone understands them.
2 Evaluate the risk identification and evaluation process – both to gauge and improve individual risk assessment and to contribute to our aim of providing assurance on the risk management process in the round.
Effective internal audit ensures that all the business areas selected have identified, evaluated and prioritised all of their risks, and that risk appetite has been discussed and applied. It is most successful where there is a close working relationship between risk and internal audit.
Elaine Banks, compliance and risk officer for the Medical Defence Union agrees. ‘We work closely with the internal audit function to ensure that all risks to the business have been fully considered. Internal audit provides feedback and assurance that the risk controls are adequate and effective and highlights any deficiencies. This co-operation ensures that the resources of the risk management department are channelled effectively throughout the company.’
Synergy and opportunity
Internal audit can add considerable value to an organisation and its risk management. If contemporary internal audit practice were better understood, we could work together more closely, synergistically even, to boost performance. As John Abbot said in his article, ‘a little bit of risk equates to opportunity’. This is a good maxim, but only if risk management mechanisms are working well. That means that internal audit should be in the boardroom, where strategic decisions about risk are made.
Nicola Rimmer is a member of the IIA’s council of directors. She is a director with Mazars, specialising in governance, risk and internal audit.