The need to manage risks is now recognized as an important element of an effective company or business. This has placed many organizations under high pressure to recognize all the business risks they face and to clarify how they control them. One of the processes involved in managing risks, and one identified as a vital part of maintaining an effective business, is the internal audit. Since the responsibility for recognizing and managing risks belongs to management, one of the major roles of internal audit is to offer assurance that those risks have been well managed.
Risk based internal auditing is a process that connects internal auditing to an organization’s general risk management framework and offers assurance to the board that risk management processes are managing risks well.
Risk Based Internal Auditing is at the cutting edge of internal audit practice. It is therefore an area that is changing and developing fast, with little agreement on the best way to implement it, and it is more challenging to manage than traditional internal audits. It is challenging to monitor progress against a yearly plan that is always changing. Also, setting targets and assessing staff may become more complex. But the benefits of risk based internal auditing are much greater.
Even when management has not carried out formal risk assessments, there will most times be other documentary sources that can help the internal audit unit detect individual risks:
- The operational plans for the organization.
- The earlier reports by external or internal audit.
- The annual report of the organization.
- The main reviews of functions or activities carried out by management or by external bodies.
The most common technique for recognizing risks is discussions and interviews with management. This should always be done, as management has significant insight into risks to the company. It is beneficial to carry out a combined risk assessment workshop with management, and this could also involve a short training session on risk management. This may also inspire or encourage management to develop its own risk management procedures. The first part of the workshop would be dedicated to recognizing risks, and the second part would assess the identified risks for probability and impact.
Advantages of Risk Based Internal Auditing
By following risk based internal auditing, the internal audit should be able to conclude that:
- The management has recognized, assessed and reacted to risks above and below the acceptable risk level.
- The reactions to risks are active but not extreme in managing essential risks within the acceptable risk level.
- Action is being taken to remedy cases where residual risks are not in line with the acceptable risk level.
- The risk management procedures, including the effectiveness of responses and the completion of actions, are being monitored by management to make sure they continue to operate effectively.
- The risks and actions are being properly classified and reported.
All this enables internal audit to give the board the assurance that it needs on:
- The risk management procedures, both their design and how well they are working.
- The management of risks classified as “major”, including the efficiency of the controls and other responses to them.
- Accurate, appropriate and complete reporting and classification of risks.
The Implementation of Risk Based Internal Auditing
The implementation and continuous process of risk based internal auditing has 3 stages:
First Stage – Assessing risk maturity
Obtaining an overview of the extent to which the board and management define, manage, assess and monitor risks. This offers an indication of the reliability of the risk register for audit planning purposes.
Second Stage – Periodic audit planning
Identifying the assurance and consulting assignments for a specific period, usually yearly, by detecting and prioritizing all those areas on which the board needs objective assurance, including the risk management procedures, the management of major risks, and the recording and reporting of the risks.
Third Stage – Individual audit assignments
Carrying out specific risk based projects to offer assurance on part of the risk management framework, including the mitigation of individual risks or groups of risks.