AUDIT INVOLVEMENT IN RISK MANAGEMENT

by Keith Wade, Director CATS International and Director of Audit Studies, Henley Management College

The Nature of Involvement

The earlier paper, Risk and Internal Audit, identified three components of Risk-based Auditing:

1. The use of risk analysis in audit planning
2. Independent risk identification and assessment as part of the audit process
3. Participation in risk management projects and processes.

This note examines the latter.

Options for Involvement

The range of options for internal audit participation can be seen as a continuum, from minimal interest, through active promotion and evaluation, to assuming responsibility for the whole thing. At some point, a line needs to be drawn representing the limit of legitimate audit involvement.

As with all audit work, the audit role may be reactive or proactive. The auditor may have no choice. This note, however, assumes that internal auditors have some powers of self-determination and wish to contribute enthusiastically and effectively to the development, operation and review of successful risk management systems that meet business needs, not just external requirements.

The purists will have reservations about the nature, form and extent of involvement, and will fret about independence, objectivity and the practical consequences of involvement. The pragmatists will roll up their sleeves and get on with it, ensuring that a good job is done and not worrying too much that objectivity may be compromised, other audit work is neglected and they may be doing the job of others. The pragmatic purists will give the matter their full consideration and choose an appropriate course of action that is essentially principled in manner yet takes advantage of the opportunity presented for the benefit of all.
The Benefits of Internal Audit Involvement

The Audit Faculty of the Institute of Chartered Accountants in England and Wales gives strong support to an active part for internal audit in its June 2000 publication, Risk Management and the Value Added by Internal Audit. It stresses the role of internal audit as an objective, professional and multi-disciplinary support service to the board and senior management.

The board needs to obtain assurance that the risk management policies that it has established are adequate and are operating effectively. When reviewing information and assurances provided to it, the board/board committee should:

- consider and assess how the significant risks have been identified, evaluated and managed;
- assess the effectiveness of the related system of control in managing the significant risks, having regard in particular to any significant failings or weaknesses in control that have been reported;
- consider whether necessary actions are being taken promptly to remedy any significant failings or weaknesses; and
- consider whether the findings indicate a need for more extensive monitoring of the system of risk management and control.

Internal auditors can provide considerable assistance to the board and management on the above bullet points. They reflect the core skills that should be present in most internal audit functions today.

Internal audit provides an independent and objective assurance and advice service to the board and senior management to assist them in their responsibilities to comply with the Turnbull guidance. The assurance role of internal audit is to deliver assessments of the adequacy and effectiveness of the processes by which risks are:

- identified and prioritised;
- managed, controlled and mitigated; and
- reported

such that the residual risks are recognised by, and are clearly acceptable to, the board.

Boards, audit committees and senior management should recognise that what is of relevant value to their business is the internal auditors' knowledge of the company, its systems and its processes, and their skills in:

- systematically analysing their business processes;
- objectively assessing the effectiveness of processes;
- independently reporting on their findings and making recommendations to improve the effectiveness of the processes; and
- using their knowledge to help spread good practices throughout the organisation.

Internal auditors are not there to judge the appropriateness of a company's objectives or the board's strategies to achieve those objectives. They examine the effectiveness of the processes by which the consequent risks are identified and prioritised, managed, controlled and mitigated, and reported.

Internal auditors also add value by the identification of opportunities to improve the cost-effective management of risk, thereby reducing the uncertainty of achieving the company's objectives, and ultimately benefiting shareholder return.

There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues. This list could also include product quality and safety, security, insurance and loss prevention, and other risk management or assurance functions.

However, these valuable functions are not usually positioned in the organisation and reporting structure with the same overview and degree of independence as that enjoyed by internal audit, with its direct line into the audit committee.

It should be well within the capabilities of a progressive internal audit function to assess, as part of its remit, the effectiveness of these other review and compliance functions by examining matters such as the:

- clarity of responsibilities for the related risks;
- adequacy of their resources to satisfactorily discharge their responsibilities;
- transparency and communication of policy and procedures for the management of these risks;
- effectiveness of the internal reviews of compliance with such policy and procedures;
- reliability of upward reporting of risk management issues; and
- appropriateness of levels and processes of related decision-making.

The Institute worries that some executives may not realise that standard audit attributes such as independence, objectivity, systematic approach and adding value can be applied by internal auditors as effectively beyond the traditional areas of financial risk management. It therefore urges boards not to overlook the opportunity to obtain greater business benefit from a skilled internal audit resource.

© CATS International 2001 handauditinv.apl01
The report concludes that:

An effective and properly resourced internal audit function should have a key role in helping organisations respond to the challenges of the Turnbull report. It plays a significant part in the processes for the identification and mitigation of risk and thereby can contribute to the achievement of business objectives, and to the success and resilience of the organisation.

The principal value of internal audit is that it offers a significant and objective service to the board and management, assisting them to identify and evaluate risks, as well as the provision of advice on the management of risks. Internal audit also provides assurance that an adequate structure and process for the identification and management of risk is in place and operating effectively. Where this is not the case, internal audit can recommend solutions to help management build that assurance to an acceptable level.

So What can Internal Auditors Offer?

As we have seen, internal auditors have always been concerned with risk, but perhaps too many have used it solely for their own purposes in helping to compile their strategic and operational plans. Good internal auditors work with managers in identifying risks and opportunities, discussing the level of control that is required in the circumstances. Modern internal audit is simple: it is an exploration of the inter-relationships between the objectives, risks, environment, and controls of an organization, its constituent systems and their interacting parts. The role of the auditor is to negotiate with management and other stakeholders to agree a level of acceptable residual risk.

For some auditors, implementation of Turnbull principles, whether in the private or public sectors, has brought a new lease of life. For those who have been seeking to provide a meaningful contribution to board-level activities and to address the issues that really matter, recognition of the role internal audit can play has been the realization of ambition.

The more successful internal audit units have been proactive, building on previous work and reputation to demonstrate how their organisation can develop and successfully implement effective governance arrangements and integrated risk management systems as a part of the overall control framework and within specific operational areas. For these auditors, it is not simply a matter of ensuring compliance with internal or external demands. Rather, the business need and benefits must be recognized in investing such time and effort. And the better auditors work with managers to help them to reconcile the apparently competing pressures of corporate governance and corporate performance.

As the recent Hermes Credit Services research showed (see Strategic Risk special report December 2000), in 44% of large companies the internal audit manager is involved in the risk management process, and where there is such involvement, there is unlikely to be a group risk manager as well. Although involvement is to be welcomed, the latter point is worrying, as is the finding that occasionally (12% of cases) internal audit managers retain sole responsibility for risk management.
It is important that the roles of internal audit, and the resultant relationships with other involved parties, are carefully defined.

Internal auditors can be involved, and often are, at both the operational and strategic levels.

At the operational level, the development of risk-based audits, concentration on those concerns that really matter, recognition of the broad range of risk mitigation activities, fostering of fresh management attitudes such as control self-assessment, and introduction to management of new techniques such as risk profiling can all encourage greater risk awareness and a bottom-up approach to comprehensive risk management. Auditors are now beginning to share some of their secrets and skills with others to help them do a better job, and to accept that the front line, although its outlook may be relatively narrow, does tend to have sound insights into what the real problems are and sensible ideas on how to tackle them, provided they are given the necessary support, encouragement and opportunity. Similarly, many line and divisional managers are coming to appreciate that a positive, practically-minded auditor can be of useful service as a constructive risk adviser, acknowledged control expert, and impartial solution facilitator.

The research showed that corporate governance has had a significant impact on the roles of a number of decision-makers within companies, but the greatest impact has been on internal audit managers, whose role has broadened. An extract from the report is attached.

But internal auditors can also use their authority, access to the board and audit committee, and increasing confidence in evaluating strategic systems to operate usefully at the corporate level. In one sense, governance structures, risk management processes and the projects devised to introduce or modify them are simply further examples of systems that would naturally fall within audit's scope.

Sector-Specific Opportunities

Earlier papers have given examples of documents on corporate governance and risk management in which internal audit is given a prominent role, either as an integral part of such arrangements or in respect of its independent advisory and appraisal functions.

In the UK public sector, internal auditors are beginning to make significant contributions in the fields of central government, health care, education and, latterly, local government.

Whole forests have been consumed in the drafting of post-Turnbull guidance for internal auditors in quoted companies and other organisations.

In the banking sector, the Banking Committee on Banking Supervision has been particularly active in recent years. Its 1998 paper Operational Risk Management states that, in its research into current practices, the activities of internal auditors were also seen as an important element of operational risk management. In particular, the identification of potential problems, the independent validation of business management's self-assessments, and the tracking of problem situations with the progress toward resolving the problems, were cited by several banks as important in managing operational risk.
Annex A is an extract from the committee's draft paper on Internal Audit in Banking Organisations, which contains the Principles relating to the objectives and tasks of the internal audit function. They state the responsibilities of the board, senior management and internal audit in relation to risk management. Annex B contains extracts from the UK Financial Services Authority's consultation paper on Senior Management Arrangements, Systems and Controls.

Possible Roles

There are six possible roles, not all of them entirely compatible:

1. Advisory: providing briefings to the board, audit committee, senior managers and others on corporate governance developments, summarizing conference proceedings, advising on best practice in risk management systems, pointing out lessons from other organizations, producing objective interpretations of published codes, guidance, standards, etc.
2. Promotional: taking or sharing the lead in encouraging the creation of appropriate arrangements overall and throughout the risk management cycle, through audit proposals, recommendations, initiatives, guidance, training, design of pilot workshops, etc.
3. Participative: where the auditor is prepared (or required) to have more active involvement in stimulating, developing, implementing and even operating risk management projects, systems and activities through team membership, joint exercises, help in systems design, drafting codes, workshop facilitation, coordinating assurance statements, etc.
4. Evaluative: the pure audit role: the completely independent appraisal of risk management projects and systems and their controls, both those in existence and those under development; such audits would include review, monitoring and assurance systems related to risk management. They would cover the four levels of risk management identified in an earlier paper and each stage of the risk management cycle.
5. Compliance and Verification: a traditional, narrow role applied in a new area: this includes reporting on compliance with Turnbull or similar, progress in introducing the necessary arrangements, adherence to internal policies, codes and procedures, and possibly the verification (or even certification) of statements and representations, internal or published.
6. Technical Support: e.g. contributing audit knowledge about levels of risk, and how best to control exposures (in turn, the results of management's own risk assessments may be used to influence audit plans); passing on our risk analysis skills and techniques to others.

Such a substantive role could also include the independent confirmation of actual levels of risk (in a sense, we do this as part of our everyday work, but are auditors really qualified to pass such judgment in all areas?).

The Third Way

So where does that leave us? As we have seen, there are three types of auditor: the purist, the pragmatist, and the pragmatic purist.
The purist reflects the stance I have just taken. Principles are more important than profit. But such an attitude can be dangerous. The organization may believe the auditors are not maximizing their contribution, and unprincipled competitors (from within or without) may take advantage. The purist may not survive. And note that even the IIA have ceded some of their virtue.

The pragmatist is prepared to abandon principle in favour of value and gain. Independence gets in the way. Carpe diem is the watchword. Expediency is all. If that's what the boss wants, if it adds to our glory, heads off the competition, keeps others in their place, and produces a few conference papers, let's go for it. We'll worry about whether we can do it later. Just like a true consultant.

The pragmatic purist invented the third way, refusing to jettison principles entirely but allowing for some compromise, recognizing that if audit work does not add demonstrable value to the organisation then what's the point? And saying no, or being inactive, is often not an option.

In my experience, most internal auditors who are involved in risk management projects are adopting the third approach. This means that there is a wide variety of practice. The more mature functions have been heavily involved in these matters for several years. They have been active in introducing risk management systems for genuine business reasons, have learnt from their own and others' experience, experimented with control and risk self-assessment in its many guises, modified and improved their approach, and in many cases, started to disengage.

Unlike a successful consultant, a good and enlightened auditor talks him- or herself out of a job. The aim is to transfer responsibilities and skills to directors, managers and staff, to teach them how to accept and successfully discharge their responsibilities for achieving objectives, managing risk and maintaining a cost-effective level of control. The auditor can then serve as a truly objective assessor and impartial adviser.

As levels of confidence fall, through high-profile malpractice, business failure or other scandal, so the demand for assurance, reviews and independent appraisals increases. Auditors rub their hands with glee. But as standards improve (they must surely, with all this effort?), systems are strengthened, risks are contained, and levels of performance rise, then the need for additional comfort is reduced. We suffer from over-auditing at present. So this would be good news to many indeed.

A Multi-disciplinary Approach

For internal auditors, the days of introspection, narrow focus and low-level activity are gone. For some organisations, this means that a new breed of auditor must be recruited. The modern audit unit is sociable, working in partnership with management and other specialists, including risk advisers, bringing benefit to the organisation at strategic and operational levels through the combination of various skills, experiences and perceptions. Today's audit functions need to be multi-disciplinary. (There have been far too many accountants amongst their number in the past.) But this range of necessary disciplines must be complemented by the development of close working relationships with others who have a legitimate interest in the area and a useful role to play. This partnership approach will not necessarily compromise audit independence or objectivity.

Such relationships must be based on mutual trust, respect and understanding. This is not always the case. All must therefore work hard to recognize each other's roles, strengths, interests and limits, avoiding unnecessary overlap and duplication whilst providing a cohesive and valuable service.

No one has the monopoly on risk. It must be clear that directors and their managers have the primary responsibility to evaluate risk exposures. Others (risk managers, compliance staff, internal auditors and other specialists) have roles to play, but these must be carefully defined and cost-effectively discharged in practice.

One option is for auditors to rely on the work of others. They may even audit it, if they believe other review functions (including external consultants) are a key element of the overall risk management process.

But internal auditors themselves can bring to the table a disciplined and systematic approach with a tried and tested methodology, access to all parts and levels of the organisation, a broad perspective, and wide experience of dealing with all manner of issues and activities throughout the business. The internal auditor's perspective is holistic, and should assist management in addressing all risks, not just those related to finance or tangible assets. And they may be cheaper (and better) than outside consultants!

Many auditors have taken the lead because of the reluctance or inability of others to do so. A few seek arrogantly to defend their patch. But in my experience most recognize that the best way forward, both professionally and within the organisation itself, is to join with others to enable robust but sensible systems to be integrated into the business, regularly monitored, and improved where necessary through effective teamwork.

There is still much to be done in clarifying responsibilities, developing trust, agreeing a common language, understanding risk as a generic concept, and in some cases convincing the board that risk management is not just a matter of compliance at minimum cost. On their own, they may struggle. But jointly, risk managers and internal auditors should be able to persuade senior management of the business case and give practical and consistent advice on developing the risk strategy and deploying, maintaining and refining intelligent risk management systems that are linked to the achievement of corporate objectives and circumstances, and so provide far more value than a set of bureaucratic procedures designed to satisfy external requirements.

So auditors do still count, after all. But not in the way most people think.

PS: Further guidance can be obtained from the new IIA Practice Advisories, published (the first batch in April 2001) to provide interpretations of particular aspects of the new Standards. The following are the most relevant:

2100-3 Internal Audit's Role in the Risk Management Process
2100-4 Internal Audit's Role in Organisations Without a Risk Management Process
2110-1 Assessing the Adequacy of Risk Management Processes

(Written as if the authors had seen my own papers!)

Others refer to risk aspects of audit planning:

2010-2 Linking the Audit Plan to Risk and Exposures
2210.A1-1 Risk Assessment in Engagement Planning

Finally, 2600-1 gives further guidance on Management's Acceptance of Risks.

In addition, of course, the COSO report provides detailed guidance on the evaluation of risk management processes, and there is no shortage of guidance (as other CATS papers explain) on risk management itself.
Annex A: extract from the committee's draft paper, Internal Audit in Banking Organisations

Principle 1

The bank's board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate and effective system of internal controls, a measurement system for assessing the various risks of the bank's activities, a system for relating risks to the bank's capital level, and appropriate methods for monitoring compliance with laws, regulations, and supervisory and internal policies.

9. The board of directors should regularly verify whether the bank has established an adequate system of internal controls to ensure a well-ordered and prudent conduct of business (with reference to clearly defined objectives). The board should also regularly verify whether the bank has developed a system for relating risks to the bank's capital level. Finally, the board should ensure that the bank has processes for identifying and adequately controlling the risks incurred in pursuing its business objectives; for testing the integrity, reliability and timeliness of financial information and management information; and for monitoring compliance with laws and regulations, supervisory policies, and internal plans, policies, and procedures.

Principle 2

The bank's senior management is responsible for developing processes that identify, measure, monitor and control risks incurred by the bank.

10. Senior management should maintain an organisational structure that clearly assigns responsibility, authority and reporting relationships and ensures that delegated responsibilities are effectively carried out. Senior management is also responsible for developing management processes that identify, measure, monitor and control risks. Finally, senior management sets appropriate internal control policies and monitors the adequacy and effectiveness of the internal control system.

Principle 3

The internal audit function is part of the ongoing monitoring of the system of internal controls and of the bank's internal capital assessment procedure, because it provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. As such,