AUDIT INVOLVEMENT IN RISK MANAGEMENT by Keith Wade, Director CATS International and Director of Audit Studies, Henley Management College
The Nature of Involvement

The earlier paper, Risk and Internal Audit, identified three components of Risk-based Auditing:

1 The use of risk analysis in audit planning
2 Independent risk identification and assessment as part of the audit process
3 Participation in risk management projects and processes.

This note examines the latter.

Options for Involvement

The range of options for internal audit participation can be seen as a continuum, from minimal interest, through active promotion and evaluation, to assuming responsibility for the whole thing. At some point, a line needs to be drawn representing the limit of legitimate audit involvement. As with all audit work, the audit role may be reactive or proactive. The auditor may have no choice. This note, however, assumes that internal auditors have some powers of self-determination and wish to contribute enthusiastically and effectively to the development, operation and review of successful risk management systems that meet business needs, not just external requirements.

The purists will have reservations about the nature, form and extent of involvement, and will fret about independence, objectivity and the practical consequences of involvement. The pragmatists will roll up their sleeves and get on with it, ensuring that a good job is done and not worrying too much that objectivity may be compromised, other audit work is neglected and they may be doing the job of others. The pragmatic purists will give the matter their full consideration and choose an appropriate course of action that is essentially principled in manner yet takes advantage of the opportunity presented for the benefit of all.

The Benefits of Internal Audit Involvement

The Audit Faculty of the Institute of Chartered Accountants in England and Wales gives strong support for an active part for internal audit in its June 2000 publication: Risk Management and the Value Added by Internal Audit.
It stresses the role of internal audit as an objective, professional and multi-disciplinary support service to the board and senior management.
The board needs to obtain assurance that the risk management policies that it has established are adequate and are operating effectively. When reviewing information and assurances provided to it, the board/board committee should:

• consider and assess how the significant risks have been identified, evaluated and managed;
• assess the effectiveness of the related system of control in managing the significant risks, having regard in particular to any significant failings or weaknesses in control that have been reported;
• consider whether necessary actions are being taken promptly to remedy any significant failings or weaknesses; and
• consider whether the findings indicate a need for more extensive monitoring of the system of risk management and control.

Internal auditors can provide considerable assistance to the board and management on the above bullet points. They reflect the core skills that should be present in most internal audit functions today. Internal audit provides an independent and objective assurance and advice service to the board and senior management to assist them in their responsibilities to comply with the Turnbull guidance. The assurance role of internal audit is to deliver assessments of the adequacy and effectiveness of the processes by which risks are:

• identified and prioritised;
• managed, controlled and mitigated; and
• reported such that the residual risks are recognised by, and are clearly acceptable to, the board.
Boards, audit committees and senior management should recognise that what is of relevant value to their business is the internal auditors' knowledge of the company, its systems and its processes, and their skills in:

• systematically analysing their business processes;
• objectively assessing the effectiveness of processes;
• independently reporting on their findings and making recommendations to improve the effectiveness of the processes; and
• using their knowledge to help spread good practices throughout the organisation.

Internal auditors are not there to judge the appropriateness of a company's objectives or the board's strategies to achieve those objectives. They examine the effectiveness of the processes by which the consequent risks are identified and prioritised, managed, controlled and mitigated, and reported. Internal auditors also add value by the identification of opportunities to improve the cost-effective management of risk, thereby reducing the uncertainty of achieving the company's objectives, and ultimately benefiting shareholder return.

There may be other functions within the company that also provide assurance and advice covering specialist areas such as health and safety, regulatory and legal compliance and environmental issues. This list could also include product quality and safety, security, insurance and loss prevention, and other risk management or assurance functions. However, these valuable functions are not usually positioned in the organisation and reporting structure with the same overview and degree of independence as that enjoyed by internal audit, with its direct line into the audit committee. It should be well within the capabilities of a progressive internal audit function to assess, as part of its remit, the effectiveness of these other review and compliance functions by examining matters such as the:

• clarity of responsibilities for the related risks;
• adequacy of their resources to satisfactorily discharge their responsibilities;
• transparency and communication of policy and procedures for the management of these risks;
• effectiveness of the internal reviews of compliance with such policy and procedures;
• reliability of upward reporting of risk management issues; and
• appropriateness of levels and processes of related decision-making.

The Institute worries that some executives may not realise that standard audit attributes such as independence, objectivity, systematic approach and adding value can be applied by internal auditors as effectively beyond the traditional areas of financial risk management.
It therefore urges boards not to overlook the opportunity to obtain greater business benefit from a skilled internal audit resource.
2100-3 Internal Audit's Role in the Risk Management Process
2100-4 Internal Audit's Role in Organisations Without a Risk Management Process
2110-1 Assessing the Adequacy of Risk Management Processes

(Written as if the authors had seen my own papers!)

Others refer to risk aspects of audit planning:

2010-2 Linking the Audit Plan to Risk and Exposures
2210.A1-1 Risk Assessment in Engagement Planning

Finally, 2600-1 gives further guidance on Management's Acceptance of Risks. In addition, of course, the COSO report provides detailed guidance on the evaluation of risk management processes, and there is no shortage of guidance (as other CATS papers explain) on risk management itself.
BASEL COMMITTEE ON BANKING SUPERVISION INTERNAL AUDIT IN BANKING ORGANISATIONS OBJECTIVES AND TASKS OF THE INTERNAL AUDIT FUNCTION
ANNEX A
Principle 1

The bank's board of directors has the ultimate responsibility for ensuring that senior management establishes and maintains an adequate and effective system of internal controls, a measurement system for assessing the various risks of the bank's activities, a system for relating risks to the bank's capital level, and appropriate methods for monitoring compliance with laws, regulations, and supervisory and internal policies.

9. The board of directors should regularly verify whether the bank has established an adequate system of internal controls to ensure a well-ordered and prudent conduct of business (with reference to clearly defined objectives). The board should also regularly verify whether the bank has developed a system for relating risks to the bank's capital level. Finally, the board should ensure that the bank has processes for identifying and adequately controlling the risks incurred in pursuing its business objectives; for testing the integrity, reliability and timeliness of financial information and management information; and for monitoring compliance with laws and regulations, supervisory policies, and internal plans, policies, and procedures.

Principle 2

The bank's senior management is responsible for developing processes that identify, measure, monitor and control risks incurred by the bank.

10. Senior management should maintain an organisational structure that clearly assigns responsibility, authority and reporting relationships and ensures that delegated responsibilities are effectively carried out. Senior management is also responsible for developing management processes that identify, measure, monitor and control risks. Finally, senior management sets appropriate internal control policies and monitors the adequacy and effectiveness of the internal control system.
Principle 3

The internal audit function is part of the ongoing monitoring of the system of internal controls and of the bank's internal capital assessment procedure, because it provides an independent assessment of the adequacy of, and compliance with, the bank's established policies and procedures. As such,