The role of internal audit in risk management

Background
The role of internal audit has developed considerably over the last ten years. In the UK, the publication of the Cadbury Report on corporate governance and the Turnbull Report on Internal Control have speeded this process. Internationally, similar codes, reports and frameworks have been issued by organisations such as the Canadian Institute of Chartered Accountants1 the Treadway Commission2, and the Organisation for Economic Co-operation and Development (OECD).

Students are not required to know the detailed provisions of any code. However, by way of example, Provisions D.2, D.2.1, and D.2.2 of the Combined Code on Corporate Governance recommend that boards of listed companies maintain a sound system of internal control, that the directors should annually review the effectiveness of internal controls, and that they should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management. Companies which do not have an internal audit function should from time to time review the need for one.

Where companies have made a report to shareholders on internal control, external auditors are required to review the report. Again, for Paper 2.6, students are not required to deal with the implications of this but it is important for students to recognise the importance of these high level developments. Companies have been required to report on the risks facing their business for many years in prospectuses and an increasing number of companies are including sections on risk management as a key element of their annual reports.

Corporate governance
Students should be aware that codes of corporate governance deal with matters such as:

• the proper constitution of the board – including the presence of non-executive directors, and proper appointment mechanisms;
• proper arrangements for the remuneration of directors – including a remuneration committee;
• proper mechanisms for shareholder relations – both institutional and private;
• proper accountability and audit – covering financial reporting, internal control and audit committees.

A proper system of internal control in practice requires a proper system of risk management and organisational control. This article focuses on the risk management element of internal control and how internal audit can assist in this area. Risk management is now an important feature of management in both the public and private sectors, but students are not required to have a detailed knowledge of public sector requirements for this paper.

Risk management
It is important for students to appreciate that businesses do not classify risk in the way that external auditors do when they apply the audit risk model. Audit risk is not the same as business risk, despite the fact that some firms of auditors have recently indicated that they are adopting a 'business risk' approach in their audit methodologies – these new methodologies, which are not currently reflected in auditing standards, are not relevant to Paper 2.6

Risk management is not the responsibility of the internal audit function. Management may require internal audit to perform the function but this means the involvement of internal audit in the day-to-day running of the business which can impair auditor objectivity. Many large organisations have separate risk management functions. Internal audit’s job may be to assist that function or the board by:

• providing objective assurance on the adequacy and effectiveness of the risk management and internal control framework;
• helping improve the processes by which risks are identified and managed;
• helping strengthen and improve the risk management and internal control framework.

More specifically, internal audit can provide advice on the design, implementation and operation of control systems, identify opportunities to make control cost savings, and promote a risk and control culture within the organisation.

Internal auditors can also act as facilitators, guiding managers and staff through a self- assessment process, perhaps by leading workshops. Internal audit can also become a centre of expertise for managing risk by providing enterprise-wide risk management services (ERM).

In order to do all of this, internal audit needs to be aware of how risk management works.

Any system of risk management and internal control needs to be aligned with business objectives. Business objectives and risks relating to those objectives can be classified in many ways. One classification is as follows:

• effectiveness and efficiency of operations (including profitability customer service, and corporate responsibility, for example);
• reliability of internal and external reporting (i.e. internal financial control);
• compliance with internal and external regulations.

Another classification might be as follows:

• business risks (relating to the economy, technology and competition, for example);
• financial risks (relating to liquidity, interest rates, exchange rates and the misuse of financial resources, for example);
• compliance risks (such as a breach of stock exchange regulations, non-compliance with accounting standards or company law, and non-compliance with tax or environmental regulations, for example);
• operational risks (such as loss of assets, poor service levels, employee-related issues, or a shortage of raw materials, for example).

There are many business risk models available. Students are not required to be familiar with any particular model, but they should be able to come up with an appropriate classification, to identify the likely risks and to state how internal audit can assist in the risk management process for a simple business scenario. Risk management involves:

• identifying the risks relating to business objectives;
• assessing risk in terms of probability and timing, measuring the potential impact and thereby prioritising risks;
• deciding how to deal with the risks identified;
• monitoring.

Identifying risks
For a chemical manufacturing company, risks relating to business objectives might include: the risk to profitability from competitors; the risks to compliance relating to environmental regulations; the risks relating to inadequate reporting of environmental matters in the financial statements; and the risks to the company’s corporate reputation. Internal audit can advise on the process by which management identifies risk. For example, does the company use external consultants? Does it use recognised methods for risk identification? Does it perform the exercise on a regular basis?

Assessing risks
Risks are often placed on a grid as follows:

So, for the same chemical company, high impact, high likelihood risks would include risks related to environmental contamination. High impact, low likelihood risks might include the risk of catastrophic damage to production facilities as a result of earthquake (assuming facilities are not located in an area prone to earthquake). Low impact, high likelihood risks might include minor injuries to employees. Low impact, low likelihood risks are sometimes difficult to identify because they may not be regarded as real risks at all, but they might include the risk of a claim against the company for unfair dismissal by a junior employee, for example.

The assessment and classification of risk will be different for each company and internal audit can help management by commenting on the criteria used for classification, for example and on how the criteria have been applied.

Dealing with risks
Students should be familiar with the following list of risk management techniques:

• accept the risk (e.g. for low impact, low likelihood risks);
• reduce the risk (e.g. by implementing improved internal controls);
• avoid the risk (e.g. by not engaging in a particular activity);
• transfer the risk (e.g. by means of insurance, or by requiring third parties to sign indemnities).

Again, internal audit can advise on the criteria used in deciding how to deal with risks, and can suggest methods by which risk can be reduced, avoided or transferred. For our chemical company, internal audit might advise management that reducing the risk of environmental damage might be achieved by employing external consultants to advise on methods of improving operational controls, for example. Alternatively it might advise that the risk of claims against the company in respect of products might be reduced by inserting clauses in sales contracts limiting liability.

Students interested in this subject might find it useful to do a search on the ACCA’s website for articles and other publications on risk management at www.accaglobal.com

Articles on the role of internal audit can also be found at www.iia.org.uk

The following documents are not required reading but those with an interest in the subject may find them useful as background:
The Combined Code (Gee Publishing Ltd.)
Providing Assurance on the Effectiveness of Internal Control. Briefing Paper (Auditing Practices Board)
Implementing Turnbull. A Boardroom Briefing (Centre for Business Performance, ICAEW)
Internal control. Guidance for Directors on the Combined Code (ICAEW)
Financial Reporting of Risk. Proposals for a Statement of Business Risk (ICAEW)
No Surprises. The Case for Better Risk Reporting (ICAEW)

1. Reports issued by the Criteria of Control Board (COCO)
2. Reports issued by the Committee of Sponsoring Organisations (COSO)

Katharine Bagshaw is Examiner for Paper 2.6