Executive Summary
- Organizations should implement effective risk management as a component of good corporate governance.
- Internal audit has a natural affinity with risk due to its centrality to audit and auditor expertise in monitoring and systems review.
- The key issue for determination is the parameters of the internal audit responsibility in the risk management area. Is internal audit best focused on a monitoring and review role, or might this extend to risk identification and the establishment of risk management systems?
- There is no one “best-fit” solution, and much will depend on organizational size, safeguards to protect objectivity, and the range and scope of available internal auditor expertise.
Introduction
Traditionally, internal auditors have been “policemen,” and their efforts have been concentrated on the more detailed, and arguably less appealing, aspects of financial auditing within organizations. Often, therefore, internal auditors have been regarded in the past as the poor relations of their external auditor cousins. This no longer applies, however, as the purpose of many internal audit functions has evolved over time.
From a concern with (arguably) low-level financial audit, internal auditors have progressed to systems audit and an involvement with economy, efficiency, and effectiveness (the 3Es), to their contemporary focus on enterprise risk management. I generalize here, of course; not every internal audit function in every organization has been involved with each of these areas. In the public sector, for example, there has tended to be more involvement with the 3Es. This chapter is concerned with the internal audit role in connection with how enterprises manage risk.
Involvement of Internal Audit with Risk
To an extent, the traditional role of internal auditors in connection with financial auditing gave them an initial knowledge base with which to get involved with risk management. Financial auditing is concerned with the risk of financial misstatement, whereas audit risk (although this burden falls primarily on the external auditors) is primarily concerned with the risk of issuing a wrong opinion on the financial statements. The recent external audit phenomenon of business risk auditing has highlighted that effective financial audit (whatever the ostensible audit methodology employed) has to engage with business risks. The rationale for the latter assertion is, of course, that entity business risks, of whatever nature, ultimately affect the risk of misstatement in the financial statements. There is, therefore, a clear link between business risk and audit risk.
Thus, in one sense, it is natural for auditors (whether internal or external) to be concerned with the management of risks within organizations. External auditors tend to be involved with organizations on an occasional, rather than an ongoing, basis, and so it is difficult for them to have anything other than a relatively superficial appreciation of the business risks. Indeed, this is a valid criticism that has been made of “business risk auditing” as an external audit methodology. Arguably, therefore, there is a ready-made role for internal auditors in connection with risk.
Undoubtedly, however, the UK Turnbull Report (henceforth “Turnbull”) on corporate governance was an important catalyst in the process of involving internal auditors with risk management. The Turnbull emphasis on the adoption by corporations of risk-based approaches to the establishment of internal control systems, and on the subsequent monitoring of these systems’ effectiveness, created a role for high-level monitoring agencies within organizations. Internal audit functions were the clear beneficiaries of this, and Turnbull provided an opportunity for internal auditors to align their work to real business issues and to make an impact at board level. There was a clear opportunity for internal auditors to enhance their (in many cases) erstwhile humble status and to expand their jurisdiction as a professional interest group.


