
Risk Management

The Internal Audit Approach


Phil Tarling,
BSc Econ, MSc, MIIA, FIIA

Background to the Speaker

- International Projects Partner for RSM Bentley Jennison
- Vice Chair Professional Services - Global IIA
- Management Board Member of the ECIIA
- Past President of the IIA UK and Ireland (2005-06)
- Provided capacity building in Internal Audit & PIFC since 1998
- Worked in Estonia, Latvia, Lithuania, Poland, Hungary, Czech Republic, Romania, Macedonia, Croatia, Serbia,

What is internal audit

THE IIA DEFINITION OF INTERNAL AUDITING

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Risk Management Standard (2110)

The internal audit activity should assist the organisation by:
- identifying and evaluating significant exposures to risk, and
- contributing to the improvement of risk management and control systems

WHY? Because it is a key element of our role

Risk Management Standard (2110)


The internal audit activity should assist the organisation by identifying and evaluating significant exposures to risk ..

HOW might we do it?
- As an independent task, to validate data, and see if all risks are properly identified and correctly assessed (within the risk management system if there is one)
- Jointly with management, to help them
- As part of audit planning and fieldwork processes

WHY should we do it?
- To stay abreast in real-time of the organisation's risks
- In maintaining audit's own risk register so we can focus on the things that matter to the organisation

Risk Management Standard (2110)


The internal audit activity should assist the organisation by contributing to the improvement of risk management and control systems:

HOW might we do it?
- Through conventional audit assignments
- Through less conventional methods, such as participation in Control Self Assessment
- By going further into consultancy work by (perhaps) organising risk and control workshops and other proactive initiatives

WHY should we do it?
- To fulfil our primary objectives in providing assurance in relation to the reliability and integrity of financial and operational information, the effectiveness and efficiency of operations, safeguarding of assets, compliance with laws, regulations and contracts
- To assist our organisation in the management of risk so that it might achieve its objectives

Advice From the Institute of Internal Auditors

- Both assurance and consulting roles should be considered
- Importance of objectivity and independence
- No one right role for IA: will vary between organisations and over time
- IA involvement should stop short of responsibility for RM across the organisation and of managing risks on management's behalf
- But to add value, beneficial to give proactive advice or coach management on embedding RM processes into business activities
- Must have necessary knowledge and skills
- Not the auditor's role to identify risks, but may report additional risks
- Supporting and educational role where formal RMS does not exist

Current Practices

Vary according to the organisation

Most Internal Audit functions want to be seen as:
- Specialists in risk and control
- Experts in control evaluation and assurance
- Competent to provide advice on control improvement
- Knowledgeable about risk management and risk management systems
- Capable of meeting the expectations of the Board
- Offering a wide range of services

But are we sufficiently knowledgeable in risk management?
Do others know best?
Is a little knowledge a dangerous thing?
Can Internal Audit make a valuable contribution to the risk management process?
Vital to be clear about our role and its limitations

Internal Audit Role in ERM (IIA UK)

Risk Management and Internal Audit

Internal Audit can..
- Give assurance on the risk management process
- Give assurance that risks are correctly evaluated
- Evaluate risk management processes
- Evaluate the reporting of key risks
- Review the management of key risks

Risk Management and Internal Audit

With safeguards internal audit can also..
- Facilitate identification and evaluation of risk
- Coach management in responding to risks
- Co-ordinate risk management activities
- Provide consolidated reports on risks
- Help maintain and develop the risk management framework
- Champion the establishment of risk management
- Develop a risk management strategy for Board approval

Risk Management and Internal Audit cont..

BUT Internal audit should not..
- Set the risk appetite for the organisation
- Impose risk management processes
- Provide a Management assurance of risks
- Take decisions on risk responses
- Implement risk responses on management's behalf
- Have any accountability for risk management

These are line management functions. If Internal Audit were to undertake these duties it would seriously impair their independence and objectivity. Moreover, it might find itself auditing its own work.

What does All this Mean in Practice?


Internal Audit's objective role is: to analyse the risks facing the organisation and their potential impact upon its internal control environment, with a view to establishing a programme of audit based upon a sound assessment of risk and the needs of the organisation

So what are the options??

Internal Audit's role

Provide Assurance on:
- Risk Management processes
  - Design
  - Effectiveness
- Management of key risks
  - Effectiveness of the controls & responses to them
- Complete, accurate and appropriate reporting on, and the classification of, risk

Internal Audit's role cont..

Establishing the evidence that:
- Risks have been identified, assessed and responded to taking into account the risk appetite,
- Risk response is effective,
- If risks fall outside the risk appetite there is action being taken to remedy this,
- The risk management process is regularly monitored by management,
- The classification of risk is consistent throughout the organisation, is effective and is reported

Organisations at Different Stages of Risk Management

Risk management in the private sector has been driven by corporate governance requirements (COSO, National Codes of Governance, Sarbanes-Oxley, OECD Guidance, Basel Committee on Banking Supervision, Stock Exchange requirements etc.)

The public sector in the UK introduced risk management progressively from 1999 (the National Health Service was the first, then Central Government and Local Government from 2001), whilst the European Commission now requires the introduction of risk management in all of its 27 member states, which it sees as underpinning Public Internal Financial Control

Organisations at Different Stages of Risk Management

If there is no specific regulatory requirement, organisations may be reluctant to introduce risk management unless they can see some financial benefit

Internal Audit has often found itself acting as a persuader

Helping to Introduce Risk Management

A two-pronged audit attack

Bottom-up approach
- Educating line managers and staff
- Control Self Assessment options
- Helping to establish the system

Top-down approach
- Educating board and senior management
- Reporting on international developments
- Providing assurance

Management of Risk

What if there is no formalised Risk Management system?
Is risk the same to everyone?

Management of Risk cont..

Can Management see the Risk Coming?
Who provides that independent opinion?
Is it enough?

Differing Risk Maturities

What is the organisation's risk maturity?
- Risk Naive
- Risk Aware
- Risk Defined
- Risk Managed
- Risk Enabled

Differing Risk Maturity cont..


Risk Naive
- Are even objectives defined?
- There is no formal approach to risk management,
- The organisation has no defined risk appetite,
- There are no responsibilities defined for risks, their identification or a consistent approach to the problem,
- Management does not report on Risk to the Board,
- There are no monitoring processes or reviews of risk

Differing Risk Maturity cont..


Risk Aware
- Silo approach to Risk Management: some are involved in a way, others are not, but RM doesn't reflect the organisation, just some of it,
- Objectives lack a consistent approach,
- Management have no defined responsibility for risk,
- There are no procedures for identifying and classifying risks,
- There is no organisational risk appetite, potentially some departmental appetites,
- There is some slight monitoring,
- No reporting to the Board

Differing Risk Maturity cont..


Risk Defined
- The risk appetite has been defined,
- There is a risk strategy and it has been communicated,
- Objectives in the organisation have been defined,
- Some responsibilities have been defined but not all,
- Some Management have been trained but not all,
- Management does not report on risk to the Board,
- There is a consistent system for identifying and scoring risks but this is not fully in place,
- There is a monitoring process and an annual review

Differing Risk Maturity cont..


Risk Managed
- Risk Management approach is Enterprise wide and communicated to all,
- Management have been trained and objectives are produced throughout the organisation,
- There is a scoring system for risk and the risk appetite is reflected in this,
- There is a consistent process for identifying risk, responding to risk and monitoring the effectiveness of the management systems,
- Specific responsibilities for managing risk have been assigned,
- Some managers are providing assurance to the Board.

Differing Risk Maturity cont..


Risk Enabled
- Risk Management and internal controls are fully embedded into operations,
- Objectives are defined and Management are fully trained in the risk management system,
- Responsibilities in respect of risk management are defined for all staff as part of their job description/task definitions,
- The Board receive a monthly report on Risk Management, and risk forms part of the regular Board agenda,
- There is a scoring system for risk and the risk appetite is reflected in this,
- There is a consistent process for identifying risk, responding to risk and monitoring the effectiveness of the management systems

The Internal Audit approach

So the approach adopted by Internal Audit will depend upon the risk maturity of the organisation

The Internal Audit approach cont..


In the Risk Naive organisation..
- The main role of internal audit will be to provide assurance on the organisation's operations, based upon risk based audits of the organisation's operational systems including the financial ones, providing an annual (or semi-annual) assurance report to management,
- Some work should take place in promoting risk management in the organisation and the adoption of a risk management system.

The Internal Audit approach cont..


In the Risk Aware organisation..
- The internal audit plan will have time allocated to the promotion of Risk Management in the organisation, using facilitated workshops, seminars and more formal training, led by the internal audit team,
- The Internal Audit plan will also have time allocated for the work necessary to provide assurance on the internal control system, which will be concentrated on risk based audits of the organisation's operational systems including the financial ones

The Internal Audit approach cont..

In the Risk Defined organisation..
- Work on risk management concentrates on facilitation of development of the risk management system; this is a role that internal audit will need to be a champion of,
- The Internal Audit plan will be based upon the work necessary to provide assurance on the internal control system, which will be concentrated on risk based audits of the organisation's operational systems including the financial ones

The Internal Audit approach cont..


In the Risk Managed organisation..
- The risk register will be defined so that it can be used for the IA Plan, but there is a need for work to provide the assurance that the Register is robust,
- The internal audit plan will need to cover areas where there is a lack of robust risk management process, with full scale risk based audits,
- Internal Audit will work to facilitate the full introduction of the risk management system across the organisation,
- The Internal Audit plan will be a mix of assurance to Management re the risk management system and work to provide assurance on the internal control system

The Internal Audit approach cont..


In the Risk Enabled organisation..
- The plan should be based on the Risk Register, but care needs to be taken that all risks have been identified,
- So the internal audit plan will need to ensure that there is assurance provided on the identification, classification and scoring of risks,
- The internal audit unit will be providing assurance on the risk management processes in place,
- So the plan reflects management's need for assurance on the risks that the organisation has identified that it faces.

Questions to ask yourself


No 1
Which internal audit roles do you think would yield the greatest benefit to the organisation?

No 2
If your organisation does not have a Risk Management system, how would you try to persuade top management to take action?

No 3
How would you satisfy the board that risk management processes were firmly embedded in the day-to-day management of the business?
