
Integrating Risk Management and Internal Audit – An Internal Audit Perspective
Sean de la Rosa
Group Audit Manager: Sasol Limited

Introduction

Within the last five years there has been an increasing awareness of, and need for, improved and
more flexible risk management. Some of the major reasons for this focus include the economic
slowdowns since 9/11 (September 11, 2001), the slew of accounting scandals in the US and
elsewhere, and the debate generated by the Sarbanes-Oxley Act. Other factors, such as changes
in stakeholder expectations and legislative and regulatory pressures on risk management, have
also been noted.

In 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
set out to establish a risk management framework that would be readily usable by managers to
evaluate and improve their organizations' risk management discipline in these turbulent times.
COSO also recognized that a considerable amount of information regarding risk management
had already been developed but that no consolidation of effort had taken place.

One of the consequences of these factors has been a greater differentiation between the various
assurance activities within the corporate organisation (Figure 1 provides examples of the different
disciplines that may exist).

Figure 1: Various assurance activities

Purpose

Although a number of distinct assurance activities exist within the corporate governance milieu,
as shown in Figure 1 above, the scope of this article will be limited to the integration potential
between internal audit and risk management.

The article's key aim will be to provide the reader with pertinent ideas on achieving the integration
of these two activities. This aim will, in the main, be achieved by considering the key components
of the COSO framework on risk management, as well as the Institute of Internal Auditors'
mandatory standards and recommended practice advisories.

The article will consider this topic from the perspective of the internal auditor.

The COSO framework

COSO, a private sector organization formed in 1985, is dedicated to improving the quality of
financial reporting through improving business ethics, effective controls, and corporate
governance. COSO is probably best known for its Internal Control – Integrated Framework that
was published in 1992.

The sponsoring organizations include:

- American Institute of Certified Public Accountants;
- The Institute of Internal Auditors;
- Financial Executives International;
- Institute of Management Accountants; and
- American Accounting Association.

Recognizing the need for definitive guidance on risk management, COSO initiated a project to
develop a conceptually sound framework providing integrated principles, common terminology,
and practical implementation guidance supporting entities’ programs to develop or benchmark
their risk management processes. In developing the framework, the underlying premise was that
every entity exists to provide value to its stakeholders. Furthermore, risk management should
provide a framework for management to effectively deal with uncertainty and its associated risk
and opportunity, thereby enhancing its capacity to build value.

The framework further provides the following definition of risk management:

“Enterprise risk management is a process that includes the identification of potential events that
may influence objectives and which drives risk assessment and response plan processes. It will
also consider risks in the formulation of the organization’s strategy process and the managing of
risks to be within the organisation’s overall risk appetite.”

Risk management ultimately provides enhanced capabilities to align risk appetite and strategy.
This in turn results in the following benefits:

- Ability to link growth, risk and return;
- enhancing risk response decisions;
- minimising operational surprises and losses;
- identifying and managing cross-enterprise risks;
- providing integrated responses to multiple risks;
- seizing opportunities; and
- rationalising capital allocation.

Integration objectives

The integration of risk management and internal audit should achieve the following objectives:

- Provide the risk management initiative with the necessary supporting evidence that
internal controls are operating as management believes;
- ensure that the internal audit function focuses on what is important to the organisation
(this would ultimately be reflected in the internal audit plan presented to the audit
committee of the organisation);
- provide the audit committee with the necessary assurances that the risk management
initiative is effective and efficient; and
- since many of the techniques used in accumulating information within risk management
and within internal audit are similar, focus on ensuring that synergies between the two
functions are fully optimised and that any potential duplication of effort is avoided.

Each of these points is discussed below.

Effective operation of controls

Standards established by the Institute of Internal Auditors specify that the scope of internal
auditing should encompass risk management and control systems. This includes evaluating the
reliability of reporting, reviewing the effectiveness and efficiency of operations, safeguarding
assets, and ensuring compliance with laws, regulations, and contracts.

If internal audit is to provide the risk management initiative with supporting evidence that
internal controls are operating as management believes they are, the audit team needs to identify
the risks with the greatest potential impact on the business and to assess the mitigating controls
for each of these risks within the process being reviewed. The following considerations may
prove helpful in the planning process:

- Identify the significant risks and determine whether a risk management process is in
place within the process being audited;
- evaluate the effectiveness and efficiency of the risk management process, if any;
- ensure that reports and other outputs from the different assurance activities relating
to the process being audited are obtained; and
- determine what use is being made of the results of management self-assessment surveys
(this will be especially relevant for organisations that must comply with the Sarbanes-Oxley
Act within the next year or two).

The reader is referred to Practice Advisory 2100-4: Internal Audit’s Role in Organisations without
a Risk Management Process for guidance on the approach to be adopted when no risk
management process is in place for the procedure being reviewed.

Focusing on the hot spots

In the case of an organization with a relatively mature risk management process, the internal
audit function should utilise risk management as the method of devising the audit plan that will
ultimately be ratified by the audit committee. In the past, the internal auditor would have relied
upon Practice Advisory 2210.A1-1: Risk Assessment in Engagement Planning for suitable
guidance.

In situations where there is limited or no risk management process in evidence, the internal
auditor should review Practice Advisory 2110-1: Assessing the Adequacy of Risk Management
Processes.

Assessing the risk management initiative

Internal auditors play a key role in evaluating the effectiveness of, and recommending
improvements to, the risk management process. While approaches and techniques vary, a
discipline should always be brought to the process. The evaluator should understand each of the
entity's activities and each of the components of the risk management process being addressed.
COSO further indicates that internal auditors would normally perform evaluations as part of their
regular duties, or at the specific request of senior management. Similarly, management may
utilize input from external auditors in considering the effectiveness of the risk management
process.

The Institute of Internal Auditors comments that, among other things, the internal auditor should
be objective with regard to the activities they audit. Their position and authority within the entity
should reflect this objectivity. Internal auditors are objective when not placed in a position where
their judgment on audit matters can be compromised by operational considerations. To promote
this objectivity the internal auditor should not assume operating responsibilities. Similarly, they
should not be assigned to audit activities where they have had past operating accountability.
Accordingly, risk management roles the internal auditor should not undertake include:

- Setting the enterprise's risk appetite;
- imposing risk management processes;
- management assurance on risks;
- taking decisions on risk responses;
- implementing risk responses on management's behalf; and
- accountability for risk management.

The internal auditor may, however, provide certain consultative services in the risk management
process. These include:

- Making available to management the tools and techniques used by internal audit to
analyze risks and controls;
- championing the introduction of risk management into the organization, by leveraging
internal audit's expertise in risk management and control and its overall knowledge of the
organization;
- providing advice, facilitating workshops, coaching the organization on identifying and
managing risk and implementing control, and promoting the development of a common
risk management language and frame of reference;
- acting as the central point for coordinating, monitoring and reporting on risks; and
- supporting managers as they work to identify the best way to moderate a risk.

Certain conditions should, however, apply before such consultative services are offered:

- It should be clear that management remains responsible for risk management;
- the nature of internal audit's responsibilities should be documented in the audit charter
and approved by the audit committee;
- internal audit should not manage any of the risks on behalf of management;
- internal audit should challenge, as well as provide advice and support to, management's
decision-making, as opposed to taking risk management decisions itself; and
- internal audit cannot be required to give objective assurance on any part of the risk
framework for which it is responsible.

IIA Practice Advisory 2110-1: Assessing the Adequacy of Risk Management Processes provides
internal auditors with possible audit procedures that can be applied in the review of the risk
management process.

All risk management deficiencies that affect an entity's ability to develop and implement its
strategy and to achieve its established objectives should be reported to the management level
positioned to take the necessary action. In considering what needs to be communicated, it is
necessary to look at the implications of the findings. It is essential not only that the particular
transaction or event be reported, but also that potentially faulty procedures be re-evaluated.

Maximizing synergies

Figure 2 below depicts a suggested integration model. It is clear that the amalgamation of the
once autonomous assurance activities would create a number of new opportunities and cost
reduction initiatives. The reader's attention is specifically drawn to that of internal audit and risk
management.

This type of integration ensures that duplication of effort between these two assurance activities
is minimized. For this to succeed it is imperative that the functions do not operate in isolation but
as part of one integrated function. Communication and ongoing interaction are paramount.

Figure 2: Integration Model

Conclusion

Internal audit’s role in risk management is to provide objective assurance to the board on the
effectiveness of the business’ risk management activities. It should also help ensure key business
risks are appropriately managed and that the system of internal control is operating effectively.

The article identifies four major objectives for the integration of risk management and internal
audit, viz:

- Provide the risk management initiative with the necessary supporting evidence that
internal controls are operating as management believes them to be;
- provide assurance to management that the internal audit function's focus is on what is
important to the organisation;
- provide the audit committee with the necessary assurances that the risk management
initiative is effective and efficient; and
- ensure that synergies between the two functions are fully optimised and that any potential
duplication of effort is avoided.

The article details the roles that the internal auditor may and may not undertake, as well as
providing guidance on the consultative services that could be provided. Certain conditions do
however have to be met before consulting services can be offered.

In conclusion, progressive internal audit departments believe that the internal audit activity adds
value to the business as a whole and should be able to demonstrate this continuously. It is the
belief of the author that this objective can only be achieved when internal audit professionals
realize the need for integration with risk management professionals. This integration will then
ensure they both discharge their responsibilities with the required level of professional care.
