Draft Position Statement - The Role of Internal Audit in Enterprise-Wide Risk Management
Comments from ACCA
May 2004
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the Institute of Internal Auditors' draft Position Statement: the Role of Internal Audit in Enterprise-wide Risk Management. These comments have been prepared in consultation with members of ACCA's Internal Audit Sub-Committee, a group of experienced accountants working in internal audit.
We are pleased that the IIA (UK and Ireland) is addressing this topic as there is some confusion on the role of internal audit in risk management. We are rather surprised, however, at the timing of this draft position statement, which may result in a final position statement being issued at around the same time that the COSO report on enterprise risk management is planned to be issued in June. We consider that it would be more appropriate to issue such a statement after the COSO report had been issued, so that it could include comment on what promises to be a comprehensive and authoritative document. There would also be considerable merit if consistency between the two publications could be achieved wherever possible.
We believe that the draft position statement may encourage an over-extension in the scope of internal audit. Risk management is the identification and assessment by managers at all levels, of the risks they face in achieving their organisation's objectives. This should be followed by managers making decisions on the appropriate action to be taken in response to each significant risk which has been identified.
The nature of these responses can be classified as follows:
- Treat (COSO will term this 'Reduction')
- Terminate (COSO will term this 'Avoidance')
- Transfer (COSO will term this 'Sharing')
- or Tolerate (COSO will term this 'Acceptance')
Internal audit's particular expertise is usually in the treatment of risks, especially in the appropriate internal controls and governance processes which could be used to mitigate such risks. Internal audit may also advise management on many aspects of risk, including instances where they consider that risks have not been effectively managed, but it should not be within internal audit's role to decide (although it may recommend) whether, for example:
- particularly high risk aspects of the organisation's activities should be terminated
- risks should be transferred (at least to some extent) to another organisation, typically through taking out suitable insurance cover or by outsourcing
- or the organisation should tolerate particular risks to which it considers it inappropriate to respond in any other manner.
Questions for consultation
We consider that the definition of enterprise risk management included in the draft position statement captures all significant elements; however, it would be improved if it was made clear that reference to reporting is intended to be limited to internal reporting within the entity.
The approach adopted in identifying the appropriate role for internal audit within enterprise risk management is reasonable, and the dial of activities in Figure 1 will be helpful for many internal auditors, although the statement that internal audit should only perform 'at least some of the [assurance] activities' appears somewhat limited.
We believe that the role of 'operating the ERM framework' would be better included within roles which internal audit should not undertake. In addition, to indicate their possible involvement and so any loss of independence, internal audit should, when reporting on ERM, indicate any of the consulting type activities it has undertaken.
We consider that the safeguards outlined in the statement for internal audit to adopt when extending its involvement in ERM are adequate. In addition, the mapping of the relative skills of internal audit and risk management appears useful and reasonably comprehensive.
Other issues
In the box outlining the benefits of ERM we consider that the fourth bullet point would be improved if the word 'sharing' was replaced with 'effective management'; the phrase 'or crises' was added to the end of the sixth bullet point; and the seventh bullet point was deleted as being too general.
In the 'Glossary of terms', the definition of risk should also mention the chance of something not happening which would have had a positive impact on the organisation's objectives.
We hope that you find these comments helpful in finalising the position statement. Please do not hesitate to contact me if you wish to discuss our comments.