
Role of Internal Audit in Risk Management

Internal Audit
Independent
Objective
Assurance
Consulting Activity
Add Value
Improve Operations

Evaluate and improve the effectiveness of governance, risk management and control processes.

Internal Control
This includes all the policies and procedures adopted by the management of an entity to assist in achieving management's objectives:
The orderly and efficient conduct of business
Adherence to management objectives
The safeguarding of assets
Prevention of fraud and error
Accuracy and completeness of accounting records
Timely preparation of reliable financial information

Internal Audit and Internal Control
The Internal Audit function constitutes a separate component of internal control with the objective of determining whether other internal controls are well designed and properly operated.

Risk Management Process

Risk management is a key responsibility of management. To achieve its business objectives, management should ensure that sound risk management processes are in place and functioning.

Each organization may choose a particular methodology to implement its risk management process.

Information from the risk management process can be utilized by the auditor to plan his audit.

Risk Management process


Risk management processes should be designed for the nature of an organization's activities. Depending on the size and complexity of the organization's business activities, risk management processes can be:
formal or informal
quantitative or subjective
embedded in the business units or centralized at a corporate level.

Internal auditors should recognize that there could be significant variations in the techniques used by various organizations for their risk management practices.

Role of Internal Auditors

Obtain a document containing the enterprise risk management framework and accordingly ascertain that the process is both comprehensive and suitable for the nature of the organization.

Research and review reference materials and background information on risk management methodologies as a basis to assess whether or not the process used by the organization is appropriate and represents best practices for the industry.

Determine whether the risk management procedures are clearly understood by all key levels involved in the risk management process.

Review corporate policies, board, and audit committee minutes to determine the organization's business strategies, risk management philosophy and methodology, appetite for risk, and acceptance of risks.

Role of Internal Auditors.


Review previous risk evaluation reports by management, internal auditors, external auditors, and any other sources that may have issued such reports.
Assist in planning the procedures in the risk management framework based on his specialized knowledge of the business.
Assist by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management's risk processes.
Ensure that an early warning mechanism for disaster exists.
Audit the risk management process across the entire entity.
Assess whether the risk management framework has to be updated and whether any improvements in the ERM process are needed.

Role of Internal Auditors.


Assess how well the risks identified by the management have been managed.
Conduct interviews with line and executive management to determine business unit objectives, related risks, and management's risk mitigation and control monitoring activities.
Participate in the monitoring and reporting activities in the risk management process.
Provide training to the risk management committee and facilitate risk-based workshops.
Assess the business continuity plan and ensure that a comprehensive disaster plan exists.
Provide support in case of a negative impact on the business by assisting the business to recover.

KEY ELEMENTS OF RISK MANAGEMENT

Risk Identification
Risks may be due to internal or external factors.
Internal factors may include changes in information systems, controls, and major projects and programs, employee turnover, etc.
External factors may include changes in the political and business environment and changes in markets and competitive conditions, social and economic conditions, and technological conditions.

Internal auditor's role:
He should independently evaluate whether all probable risks have been identified and prioritized in the order of their significance.
He should ascertain whether even events with a relatively low possibility of occurrence have been identified and considered if the impact on achieving an important objective is great.

Risk Assessment
Risks are to be assessed as to their potential severity of loss and to the probability of occurrence.

Qualitative techniques
1) Questionnaire
2) Surveys
3) Interviews

Quantitative techniques
1) Probability based
2) Back testing
3) Sensitivity Analysis
4) Scenario Analysis

Internal auditor's role:
He should ascertain that the organization has adopted the appropriate techniques to assess the severity of the risks.
He should ascertain that the management has used a combination of qualitative and quantitative techniques in risk assessment.

Risk Treatment

Risk response or risk treatment refers to the measures adopted to alter either the likelihood or impact of a particular negative event. The risk treatment should result in an effective and efficient functioning of the organization.

The various ways of responding to risk include:
a) risk transfer,
b) risk avoidance,
c) risk retention and
d) risk acceptance

Internal auditor's role:
He should ascertain that any system of risk treatment is designed to bring anticipated risk likelihood and impact within tolerance level.
The risk response should ensure effective internal controls and adhere to applicable laws and regulations.

Risk reporting

Information is required at all levels of the organization.

The Board of Directors should receive periodic reports that the risk management process is running efficiently.

Similarly, external parties including the regulators and stakeholders need to be convinced of an efficient and effective risk management process.

Internal auditor's role:
He should ascertain that the reporting is both timely and effective.
He should ensure that significant deficiencies discovered in the risk management process are clearly documented.

Monitoring

There should be an ongoing monitoring activity to periodically reassess risk and the controls exercised to manage risks.
The monitoring activity should determine whether the procedures followed were appropriate and did not deviate from the intended objectives.

Internal auditor's role:
He should be satisfied that appropriate controls exist in the organization and that monitoring activities are progressing in an efficient manner.
He should be satisfied that separate evaluations focus on the effectiveness of the enterprise risk management.

Checklist
1) Has the management established entity-wise and activity-wise objectives after considering associated risks and their implications?
2) Has the management communicated the objectives to all the employees?
3) Has the risk management plan been drawn up consistent with the objectives?
4) Have the concerned personnel understood the policies and procedures in risk management?
5) Have the key personnel understood the level of responsibility and accountability?

6) Is the mechanism adequate to identify risks from:
   external sources
   internal sources
7) Does the management select techniques that fit its risk management process, and does the entity develop risk identification capabilities?
8) Is information gathered pertinent and assimilated in a proper form?
9) Are the risk analysis and evaluation techniques effective?
10) Does the management consider additional risk that might result from a response selected to treat a risk?
11) In selecting a control technique, does management consider how control activities co-relate?
12) Is the communication activity across the organization adequate?
13) Is the information provided timely, efficient and sufficient?

14) Is the follow-up action timely and appropriate?
15) Have the training workshops/seminars been effective?
16) Is the internal control system effective?
17) Is importance given to documentation including policy manuals, organization charts, operating instructions, documentation of evaluation process etc?
18) Is there a mechanism in place to identify changes that could affect achievement of objectives?
19) Are policies and procedures modified as and when necessary?
20) Is the competence of the personnel commensurate with their responsibilities?

Internal Audit should not include the roles of:

Making decisions on the risk responses

Setting the risk appetite

Imposing the risk management process

Accountability for risk management

The new Competency Framework for Internal Auditing (CFIA) study describes the same paradigm shift from control-based to risk-based internal auditing.
Table 1 shows a list of changes in IA processes as a result of the paradigm shift from controls to risk.

Table 1: Changing the Internal Auditor's Paradigm

| Characteristic | Old Paradigm | New Paradigm |
|---|---|---|
| Internal Audit Focus | Internal Control | Business Risk |
| Internal Audit Response | Reactive, after-the-fact, discontinuous, observers of strategic planning initiatives | Coactive, real-time, continuous monitoring, participants in strategic plans |
| Risk Assessment | Risk Factors | Scenario Planning |
| Internal Audit Tests | Important Controls | Important Risks |
| Internal Audit Methods | Emphasis on the Completeness of Detail Controls Testing | Emphasis on the Significance of Broad Business Risks Covered |
| Internal Audit Recommendations | Internal Control: Strengthened; Cost-Benefit; Efficient/Effective | Risk Management: Avoid/Diversify Risk; Share/Transfer Risk; Control/Accept Risk |
| Internal Audit Reports | Addressing the Functional Controls | Addressing the Process Risks |
| Internal Audit Role in the Organization | Independent Appraisal Function | Integrated Risk Management and Corporate Governance |

The implications of this paradigm shift are enormous:
It turns the focus of the audit away from the past and toward the present and future.
From focusing on controls to focusing on risks.

There are different success factors in this new environment.
Inadequate experience to stimulate the imagination to identify all material risks.
Move from the accounting and finance bias to a general management bias (with a thorough understanding of the finance and accounting processes).
