Position Statement

The Institute of Internal Auditors – UK and Ireland
Risk Based Internal Auditing
Introduction
The focus of internal audit work has shifted dramatically over the last
decade. There has been a move from systems based auditing to
process based auditing and the current emphasis is on Risk Based
Internal Auditing (RBIA).
RBIA is a much used and much misunderstood term. This paper aims
to set out the Institute’s position with regard to RBIA and to offer some
high level guidance on how to approach it.
Internal auditors might say that they have always focused their efforts
on the riskier areas of the organisation. However, this approach has
historically been directed by internal audit’s own assessment of risk.
The key distinction with RBIA is that the focus should be to understand
and analyse management’s assessment of risk and to base audit efforts
around that process.
Context
The current definition of internal auditing is that it is:
“An independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”
RBIA is an approach that can help to meet these requirements. The Standards for the Professional Practice of Internal Auditing and the associated Practice Advisories emphasise adopting a risk-based approach to internal auditing.
This approach is also consistent with the Turnbull guidance Internal Control: Guidance for Directors on the Combined Code, which requires directors to adopt “a risk-based approach to establishing a sound system of internal control and reviewing its effectiveness”, and to embed risk management and internal control into the culture of the organisation.
Internal auditors need to adopt a risk-based approach compatible with that adopted by their organisation. There are many approaches which could be adopted by internal audit depending on the extent to which internal audit is able to rely on the risk management processes across the organisation. This enables the auditor to avoid duplicating processes already carried out by management, and allows him or her to question management’s processes or conclusions.
What is Risk Based Internal Auditing?
The objective of RBIA is to provide independent assurance to the board that:
• The risk management processes which management has put in place within the organisation (covering all risk management processes at corporate, divisional, business unit, business process level, etc.) are operating as intended.
• These risk management processes are of sound design.
• The responses which management has made to risks which they wish to treat are both adequate and effective in reducing those risks to a level acceptable to the board.
• And a sound framework of controls is in place to sufficiently mitigate those risks which management wishes to treat.
RBIA starts with the business objectives and then focuses on those
risks that have been identified by management that may hinder their
achievement.
The role of internal audit is to assess the extent to which a robust risk
management approach is adopted and applied, as planned, by
management across the organisation to reduce risks to a level that is
acceptable to the board (the risk appetite).
While internal audit’s main contribution is to provide assurance on
management’s treatment of risk (through governance and control
processes) it may also advise management on other aspects of their
response to risks such as decisions to terminate, transfer or tolerate risks.
The Risk Based Internal Auditing approach is described schematically below (the original flowchart is rendered here as a sequence of steps and decision points):
1. Corporate objectives.
2. Identification of risks to achieving objectives.
3. What is the risk appetite of the business?
4. Is the risk management process an adequate and effective process for identifying, assessing, managing and reporting on risk?
   Yes: use the organisation’s own view of risk as far as possible.
   No: facilitate risk identification with management; facilitate refinement.
5. Determine risk universe.
6. Determine scope and priority of assignments; based on risks, select areas for review.
7. For each area, review adequacy of risk management processes to identify and manage risks.
   Where largely OK: evaluate processes and determine how management gain assurance that the risk management activities are being carried out as intended.
   Where not OK: facilitate risk identification and assessment, covering:
   • inherent risks
   • mitigation
   • residual risks
8. Give assurance where OK and facilitate improvement where not.
The practice of Risk Based Internal Auditing
Points of information:
• The scope of risk-based internal auditing includes strategic and business risks.
• The key starting point is to determine that appropriate objectives have been set by the organisation and then to determine whether or not the business has an adequate process in place for identifying, assessing and managing the risks that impact on the achievement of these objectives.
• In a mature risk management environment the focus of internal audit work may be:
   Auditing the risk management infrastructure, for example, resources, documentation, methods, reporting.
   Auditing the whole system of internal control for the complete organisation and for individual departments.
   Carrying out individual audit assignments that are predominantly about specific risks. Where a number of risks are controlled through a common system or process, it may be appropriate to perform a combined audit of that system or process.
• In less mature risk management environments, where individual audit assignments predominantly focus on complete systems, processes or business units, internal audit needs to review business objectives and risk management processes within each of these auditable entities.
• Where risk management processes are adequate and embedded, internal audit aims to rely, where possible, on the organisation’s own view of the risks in order to determine the audit work that it needs to carry out.
• Where the risk management processes cannot be relied on, internal audit needs to undertake its own risk assessment (in conjunction with management) to determine the precise level of the work required and then focus on how management assures itself that the risk management activities are operating as intended.
Risk management continuum
It is important to understand that not all organisations are at the same stage of risk management implementation. The following table sets out a range of stages of risk management maturity and the internal audit approach that might be adopted at each stage:
Risk Naive
   Key characteristics: No formal approach developed for risk management.
   Internal audit approach: Promote risk management and rely on audit risk assessment.
Risk Aware
   Key characteristics: Scattered silo based approach to risk management.
   Internal audit approach: Promote enterprise-wide approach to risk management and rely on audit risk assessment.
Risk Defined
   Key characteristics: Strategy and policies in place and communicated. Risk appetite defined.
   Internal audit approach: Facilitate risk management/liaise with risk management and use management assessment of risk where appropriate.
Risk Managed
   Key characteristics: Enterprise wide approach to risk management developed and communicated.
   Internal audit approach: Audit risk management processes and use management assessment of risk as appropriate.
Risk Enabled
   Key characteristics: Risk management and internal control fully embedded into the operations.
   Internal audit approach: Audit risk management processes and use management assessment of risks as appropriate.
Each organisation must determine how it wishes to implement risk management. This will help determine its appetite for risk and the level of its risk maturity. For example, not all organisations will wish to become completely “risk enabled” as they may need to weigh up the costs against their views on the potential benefits. It is for the board of directors and senior management team to determine how far along the continuum they wish to travel.
In addition to risk management maturity within an organisation, the extent to which internal audit needs to undertake its own risk assessment also depends upon the degree and speed of strategic and organisational change.
When undertaking an audit of a project, the risk management processes covering projects in general and also those specific to the individual project need to be covered.
Conclusion
The end result of each audit assignment should be to give assurance that risks are being managed to an acceptable level (as determined by the risk appetite) or to facilitate and/or agree improvements as necessary.
RBIA does not preclude the use of systems-based and/or process-based auditing as circumstances dictate. It is, however, an approach that focuses on the issues that matter to the organisation and on providing assurance on the risk management framework adopted by the organisation. RBIA will enable internal audit to link directly with the risk management framework, thereby leveraging synergies.
Glossary of terms
Risk: the chance of something happening or not happening that will have an influence upon the achievement of business objectives.
Risk management activities: the methods by which an organisation chooses to manage its risks as outlined above. This replaces the traditional approach that focused purely on internal controls.
Risk identification: the process of determining what can happen, why and how.
Inherent (gross) risk: the status of the risk (measured through impact and likelihood) without taking account of any risk management activities that the organisation may already have in place.
Risk analysis: the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences. Measured in terms of impact and likelihood.
Residual (net) risk: the status of the risk (measured through impact and likelihood) after taking account of any risk management activities that the organisation may have in place.
Risk appetite: the level of risk that the board or management is prepared to live with. This is likely to be different for each of the risks that have been identified.
Risk evaluation: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria.
Risk assessment: the overall process of risk analysis and risk evaluation.
Risk management: an iterative process consisting of steps, which when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analysing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organisations to minimise losses and maximise opportunities. (Australian/New Zealand Standard on Risk Management AS/NZS 4360)
Management of risk: the means by which an organisation elects to manage individual risks. These may be by treatment (i.e. to reduce impact or likelihood), termination, transfer, or the organisation may decide to tolerate the risks.
About Position Statements
The Institute of Internal Auditors – UK and Ireland (IIA) is the primary body representing, promoting and developing the professional practice of internal auditing in the UK and Ireland. Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify the Institute's official policy position on important and potentially complex matters confronting internal auditors.
Disclaimer
This technical guidance material is not intended to provide definitive
answers to specific individual circumstances and as such is only
intended to be used as a guide. The Institute of Internal Auditors – UK
and Ireland recommends that you always seek independent expert
advice relating directly to any specific situation. The Institute accepts no
responsibility for anyone placing sole reliance on this technical
guidance.
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Telephone 020 7498 0101 Fax 020 7978 2492
Email technical@iia.org.uk www.iia.org.uk
© The Institute of Internal Auditors – UK and Ireland Ltd, August 2003