Internal Audit - the engine-house of modern risk management

29 Oct 2008

‘Financial apocalypse’ recently became more than a concept - slashed share value, job losses, concerns over the security of savings accounts were sure signs that a rigorous risk culture was absent in many parts of the banking world. The very foundations of the world economy have been shaken and a major re-engineering of all aspects of risk culture is at this very moment underway.  It is significant that in many forward-thinking organisations, internal audit will be at the very heart of this review.

Today the professional practice of internal audit is concerned with enabling management to make informed decisions about risk management and thereby creating a control environment which can be regulated.  Speaking at the recent Institute of Internal Auditors’ conference, The Power of Assurance, global governance expert, Professor Mervyn King, commented, “no-one is better placed to understand the risks facing an organisation than internal audit”.  He described internal audit as “the right arm of the Board”.   Internal audit has come of age and the recognition of its value as a core management function is increasing all the time. These few facts alone refute John Abbot’s point about “the disconnect between risk and control management teams and a company’s internal auditors….” in his piece, “Creating Value” in the May 2008 issue of Strategic Risk.

Effective internal audit is a proactive and dynamic activity; at once advisor to and agent of senior management. It is not all about sweeping up problems once they surface. On the contrary, internal auditors work with managers to anticipate risk points and create strategies to deal with most eventualities. This is the cornerstone of good corporate governance practice; the basis of a healthy risk culture.

Independent, informed assurance

The Institute of Internal Auditors - UK and Ireland (IIA) has been educating internal auditors for sixty years. It is the primary body representing the interests of internal auditors and has been an influential force in shaping the profession and guiding its development from its former status as a backroom function to its position as a beacon in the Boardroom. Since the early 80s, when a whole barrage of frauds and scandals scarred the corporate world, the IIA has redesigned its examination syllabuses and short training courses to prepare internal audit for a more strategic role in management. Internal audit is a global profession which adheres to a strict and comprehensive range of agreed Standards. The IIA defines the role of internal audit thus:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”

The main purpose of internal audit is to provide assurance to the audit committee, and ultimately the Board, on any of the processes within an organisation. Ultimately the profession is addressing the risks that keep the Board and management awake at night. This involves reviewing the effectiveness of the risk management process, and it is this audit methodology (known as Risk Based Internal Audit or RBIA), which provides the basis for internal audit to provide value to the risk management process.

How does internal audit perform its role in risk management?

Variety and versatility are the essence of internal audit.  It reaches into every part of an organisation, from the Board, down the chain of command and across all activities.  In essence, internal audit:

  • Provides assurance on the overall risk management process
  • Gives assurance that risks are correctly evaluated
  • Evaluates the risk management processes
  • Measures and assesses the reporting of key risks
  • Reviews the management of key risks.
     

The first process to undertake using the risk-based internal audit approach is the assessment of the risk maturity, which enables the internal audit department to determine what overall work would be required. The different levels of risk maturity are detailed in Table 1.

Note - diagram to come

Of course, a successful risk-based internal audit approach assumes that an organisation is risk mature. A more traditional internal audit approach is required if an organisation has not yet reached that level of maturity. "If the organisation's level of risk maturity is low", says Rob Benson, Partner at Mazars, "then we would work to promote risk management within the business."

Assuming the risk is mature – what would internal audit do?

  • It would confirm that the objectives within the organisation are aligned with the overall business objectives and that everyone understands them.
  • It would then evaluate the risk identification and evaluation process, both to gauge and improve individual risk assessment in the business and to contribute to our overall aim of providing assurance on the risk management process in the round.
     

Effective and efficient internal audit examines and ensures that all the business areas selected have identified, evaluated and prioritised all of their inherent risks and that the risk appetite has been appropriately discussed and applied. This can be most successfully performed where there is a close working relationship between Risk and Internal Audit. Elaine Banks, Compliance and Risk Officer  for the Medical Defence Union agrees.  "We work closely with the internal audit function to ensure that all risks to the business have been fully considered, internal audit provides feedback and assurance to us that the risk controls are adequate and effective and highlights any deficiencies. This co-operation ensures that the resources of the Risk Management Department are channelled effectively throughout the company."

Only when this is achieved would there be a review of the controls.

Future synergy and opportunity

Internal audit can add a considerable amount of value to an organisation and its risk management. If contemporary internal audit practice were better understood by more senior managers and also the risk management community at large, we could work together more closely, synergistically even, to boost management performance beyond current expectations. As John Abbot said in his article, “a little bit of risk equates to opportunity”. In principle, this is a good commercial maxim, but only if an organisation’s risk management mechanisms are working well, and in the real world that means that internal audit is right up there in the Boardroom, where strategic decisions about risk are made.

By Nicola Rimmer, who is a member of the Institute of Internal Auditors’ Council of Directors and sits on its Professional Development Committee.  She is a Director with Mazars, specialising in Governance, Risk and Internal Audit across a number of sectors.  The opinions expressed in this article are her own personal views.