Internal audit has a natural affinity with risk due to its centrality to audit and auditor expertise in monitoring and systems review.
The key issue for determination is the parameters of the internal audit responsibility in the risk management area. Is internal audit best focused on a monitoring and review role, or might this extend to risk identification and the establishment of risk management systems?
There is no one “best-fit” solution, and much will depend on organizational size, safeguards to protect objectivity, and the range and scope of available internal auditor expertise.
Traditionally, internal auditors have been “policemen,” and their efforts have been concentrated on the more detailed, and arguably less appealing, aspects of financial auditing within organizations. Often, therefore, internal auditors have been regarded in the past as the poor relations of their external auditor cousins. This no longer applies, however, as the purpose of many internal audit functions has evolved over time.
From a concern with (arguably) low-level financial audit, internal auditors have progressed to systems audit and an involvement with economy, efficiency, and effectiveness (the 3Es), to their contemporary focus on enterprise risk management. I generalize here, of course; not every internal audit function in every organization has been involved with each of these areas. In the public sector, for example, there has tended to be more involvement with the 3Es. This chapter is concerned with the internal audit role in connection with how enterprises manage risk.
Involvement of Internal Audit with Risk
To an extent, the traditional role of internal auditors in connection with financial auditing gave them an initial knowledge base with which to get involved with risk management. Financial auditing has a concern with the risk of financial misstatement, whereas (although this burden falls primarily on the external auditors) audit risk is primarily concerned with the risk of issuing a wrong opinion on the financial statements. The recent external audit phenomenon of business risk auditing has pinpointed that effective financial audit (whatever the ostensible audit methodology employed) has to engage with business risks. The rationale for the latter assertion is, of course, that entity business risks, of whatever nature, ultimately affect the risk of misstatement in the financial statements. There is, therefore, a clear link between business risk and audit risk.
Thus, in one sense, it is natural for auditors (whether internal or external) to be concerned with the management of risks within organizations. External auditors tend to be involved with organizations on an occasional, rather than an ongoing, basis, and so it is difficult for them to have anything other than a relatively superficial appreciation of the business risks. Indeed, this is a valid criticism that has been made of “business risk auditing” as an external audit methodology. Arguably, therefore, there is a ready-made role for internal auditors in connection with risk.
Undoubtedly, however, the UK Turnbull Report (henceforth “Turnbull”) on corporate governance was an important catalyst in the process of involving internal auditors with risk management. The Turnbull emphasis on the adoption by corporations of risk-based approaches to the establishment of internal control systems, and on the subsequent monitoring of these systems’ effectiveness, created a role for high-level monitoring agencies within organizations. Internal audit functions were the clear beneficiaries of this, and Turnbull provided an opportunity for internal auditors to align their work to real business issues and to make an impact at board level. There was a clear opportunity for internal auditors to enhance their (in many cases) erstwhile humble status and to expand their jurisdiction as a professional interest group.
- Page 1 of 5
- Next section The Internal Audit Risk Role—What Should It Be?