Risk Management and Internal Audit are two different disciplines in an organisation which are most often confused at or interchanged. However, these two serve different purposes in an organisation.
It is common to say that Internal Audit benefits Risk Management as it improves the effectiveness of Risk Management by assessing risk management and promoting good risk management practices through the improvement of the system of internal control. But looking at it the other way around, what good does Risk Management or in the slightest form having a Risk Management Framework (RMF) does to the practice of Internal Audit.
There are two points that are worth mentioning in this article:
“ Having a risk management framework can lead to a landslide effect for internal auditors as it targets the projects, business units or business processes with the greatest impact”
Enterprise Risk Management Framework (ERMF) integrates the audit activities with the busyness as a whole
Risk Management Framework (RMF) starts by looking into the internal and external environment to identify risks and threats to an organisation, followed-by analysing, minimising and monitoring them. As internal auditors, an organisation having a risk management framework gives auditors a helicopter view of the risks the organisation is facing, its risk appetite and residual risk. In technical terms, the methodology that links the practice of internal audit to risk management as defined by the Institute of Internal Audit is Risk Based Internal Audit (RBIA). In RBIA, Internal Auditors assess the organisations management of risk and controls for the identified risk in relation to its risk appetite.
But, how does the RBIA change the Internal Audit practice? In conducting RBIA, Internal Auditors take into consideration the risk impact of a specific project/process to an organisation; enabling them to identify whether certain controls are not in place where significant risk is present.
Looking into a silver and lead mining company which is in the final stages of diversifying into a copper mine in a new territory, what threats would this imply, when it comes to its rights, operations, resources, social and environmental responsibility, global prices, etc. If a Risk Management Framework is established before an internal audit plan, Internal Auditors would most likely consider the diversification as a priority in their next audit engagement as opposed to following the initial audit plan of a usual practice of auditing units periodically; or a frequency based on the previous routine. A new business in a new territory posse a high risk for a mining company.
2. Risk management framework positively affects audit effectiveness and efficiency
as it looks into the processes with the greatest impact on the organisation.
Having a risk management framework before an internal audit plan could give the audit a landslide effect. Auditors who are used to following the audit plan which is based in a mortar and pestle decision-making may neglect to look into processes with great impact on the organization. For auditors, materiality is important but what is material may not be always the one with the greatest risk. Synonymously, a transaction that is material conservatively may not be material considering the internal and external threats, again considering a higher point of view
Having a risk management framework can lead to a landslide effect for internal auditors as it targets the projects, business units or business processes with the greatest impact, which may lead to detecting potential threats and control gaps at a larger scale and along the way solve smaller gaps and processes too, therefore affecting the Internal Audit effectiveness and efficiency. The practice of internal audit will be viewed as being more effective for their value-added contribution to the organization is more visible and felt and their efficiency will be at its peak as they are targeting business processes with greater impact.
Nonetheless, with all these said, establishing a risk management framework may not be cost effective for smaller organization to be done in house, and a cost-benefit analysis should be made for small to medium organizations. Hiring consultants to design the framework may be the way to go here. If an organization would decide to have a risk management framework before the internal audit plan, looking forward, our auditors should be made aware of business developments and decisions the organization is about to make, be updated on current significant events and be agile and flexible; risk usually happens when there is change. Lastly, this entails constant communication between Risk Management and Internal Audit; key decision makers and Internal Audit.