Risk management and internal audit effectiveness

Today’s blog is written by Mr. Adnan Khan, Associate Audit and Assurance Services. This is a good effort by Mr. Adnan. Please read this blog and provide your comments.

Risk management and internal audit effectiveness

A quick glance at the daily news is likely to convince most people that risk management is a good idea. Yet many organisations are still wondering whether it’s worthwhile or are trying to figure out how to do it without committing too many resources.

It doesn’t come as any surprise then that senior managers often turn to internal audit for help, including designing and facilitating the process. If this is the case then it should be set out in the internal audit charter.

In many small organisations the internal auditor may be the only person with any sort of expertise and concept as how to organise risk management. In fact it makes perfect sense if the function has the knowledge, skills and experience to take on the task. Especially if it means risk management is taken seriously and the link between risk and assurance become clearer and more effective.

The Standards acknowledge the valuable role internal audit can make but go on to suggest that a few sensible safeguards can be put in place to protect internal audit’s perceived and actual independence (Standard 1112). For instance, get an external view every now and then on how well risk management is being developed. At the same we still expect and urge the head of internal audit to give an annual opinion upon the maturity of risk management, outline how well it is being applied and say whether or not risk management reporting is meaningful based on audit reviews. This will support the risk culture and sound systems of governance.

Internal audit has a role to play within organisations, but there are still significantly differing opinions about the effectiveness and particularly the return on investment of internal audit.

Internal audit helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

But what makes an internal audit strategy effective, and what should key stakeholders primarily be aware of? Here are some key considerations.

1. Compliance: Many governing bodies/regulators are now considering whether internal audit should be a mandatory requirement as part of its governance arrangements.
2. Improvement: Internal audit can provide organisations with recommendations on where they can improve on their standard processes and controls. Often a fresh eye can give a different perspective on problem areas.
3. Insight:   If there has been a control failing or fraud, internal audit can investigate the root cause of the failing and provide recommendations for improvements. A follow up visit can test whether the recommendations suggested have been implemented and are working effectively.
4. Foresight:   Internal audit can ensure organisations keep up to date with the latest industry developments and identify upcoming issues which will affect organisations in the future.
5. Risk:   Internal audit can assist with risk management by identifying risks never previously considered, it can also help the organisation to define its risk appetite and risk maturity level.

Internal auditing is effective if it provides the audit committee and executive management with the assurance they need, namely that they can rely on the organisation’s processes and systems to manage risks to the achievement of the organisation’s objectives.

A quick glance at the daily news is likely to convince most people that risk management is a good idea. Yet many organisations are still wondering whether it’s worthwhile or are trying to figure out how to do it without committing too many resources.

It doesn’t come as any surprise then that senior managers often turn to internal audit for help, including designing and facilitating the process. If this is the case then it should be set out in the internal audit charter.

In many small organisations the internal auditor may be the only person with any sort of expertise and concept as how to organise risk management. In fact it makes perfect sense if the function has the knowledge, skills and experience to take on the task. Especially if it means risk management is taken seriously and the link between risk and assurance become clearer and more effective.

The Standards acknowledge the valuable role internal audit can make but go on to suggest that a few sensible safeguards can be put in place to protect internal audit’s perceived and actual independence (Standard 1112). For instance, get an external view every now and then on how well risk management is being developed. At the same we still expect and urge the head of internal audit to give an annual opinion upon the maturity of risk management, outline how well it is being applied and say whether or not risk management reporting is meaningful based on audit reviews. This will support the risk culture and sound systems of governance.

Internal audit has a role to play within organisations, but there are still significantly differing opinions about the effectiveness and particularly the return on investment of internal audit.

Internal audit helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

But what makes an internal audit strategy effective, and what should key stakeholders primarily be aware of? Here are some key considerations.

1. Compliance: Many governing bodies/regulators are now considering whether internal audit should be a mandatory requirement as part of its governance arrangements.
2. Improvement: Internal audit can provide organisations with recommendations on where they can improve on their standard processes and controls. Often a fresh eye can give a different perspective on problem areas.
3. Insight:   If there has been a control failing or fraud, internal audit can investigate the root cause of the failing and provide recommendations for improvements. A follow up visit can test whether the recommendations suggested have been implemented and are working effectively.
4. Foresight:   Internal audit can ensure organisations keep up to date with the latest industry developments and identify upcoming issues which will affect organisations in the future.
5. Risk:   Internal audit can assist with risk management by identifying risks never previously considered, it can also help the organisation to define its risk appetite and risk maturity level.

Internal auditing is effective if it provides the audit committee and executive management with the assurance they need, namely that they can rely on the organisation’s processes and systems to manage risks to the achievement of the organisation’s objectives.

Adnan Khan