
Shirley Jeeban, Acting Head of Internal Audit, Musanada, 5th April 2011

Tradition:

Crisis:

Internal Audit and Risk:

Today ..
Brief History of Internal Auditing
What is Risk Based Internal Auditing?
Risk Based Internal Auditing Advantages
.....and potential difficulties
The 10 Deadly Sins of Risk Based Auditing
Summary

Internal Auditing Brief History

Necessity created internal auditing and is making it an integral part of modern business. No large business can escape it. If they haven't got it now, they will have to have it sooner or later, and, if events keep developing as they do at present, they will have to have it sooner.

Arthur E. Hald 1944

Internal Auditing a developing discipline


Early 20th century: protection from theft and, later, broader financial transactions;

Internal Auditing a developing discipline


USA 1957 Statement of Responsibilities of Internal Audit:
Reviewing and appraising the soundness, adequacy, and application of accounting, financial, and operating controls.
Ascertaining the extent of compliance with established policies, plans and procedures.
Ascertaining the extent to which company assets are accounted for, and safeguarded from losses of all kinds.
Ascertaining the reliability of accounting and other data developed within the organization.
Appraising the quality of performance in carrying out assigned responsibilities.

Internal Auditing a developing discipline


1978 IIA US Standards:

Internal auditing is an independent appraisal activity. It is a control which functions by examining and evaluating the adequacy and effectiveness of other controls. The objective of internal auditing is to assist members of the organization in the effective discharge of their responsibilities. The audit objective includes promoting effective control at reasonable cost.

Developing Risk Thinking

COSO 1992: linked traditional internal controls to protecting against risks;

2000-02: Corporate Governance guidance explicitly talked of Management's Responsibilities in respect of risk management and internal control

And in relation to all aspects of an entity's business

Internal Auditing a developing discipline


2004: The modern worldwide definition: Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

IIA UK: The role of internal audit is to provide independent assurance that an organization's risk management, governance and internal control processes are operating effectively. Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organization. They look beyond financial risks and statements to consider wider issues such as the organization's reputation, growth, its impact on the environment and the way it treats its employees.

Risk Based Internal Auditing Definition


David Griffiths (UK) 2006:

The main aim of internal auditing is to help the organization achieve its objectives.

A risk is a set of circumstances that hinder the achievement of objectives.

An internal control is a process which manages the risks.

Risk Based Internal Auditing Definition


Objectives

Risks

Controls

Risk based internal auditing is an audit approach designed to provide assurance that the business is appropriately mitigating SIGNIFICANT risks to the achievement of objectives

Risk Based Internal Auditing Advantages


External Environment

Strategy

Operations

Policies & Procedures

Risk Based Internal Auditing Advantages

POLICEMAN

OBJECTIVE BUSINESS PARTNER

Risk Based Internal Auditing Advantages

The potential for Internal Auditing to become a more attractive profession than it has been traditionally. Attracting the best people.

Risk Based Internal Auditing Advantages


When I grow up I want to be an Internal Auditor

Risk Based Internal Auditing Advantages

Risk based Audit

Reduced Cost

Targeted Resources

Potential Difficulties
My business does not have Enterprise Risk Management (ERM) yet?
- consult
- management input
- share outputs

What about compliance checks?
- focussed
- as long as policies/procedures address objectives / risks

Audits perceived as important by management may disappear
- Education

Closer working relationship with management may compromise independence
- Boundaries
- Education

The 10 Deadly Sins of Risk Based Internal Audit

(1) We want to do Risk Based Audit but we're scared

Audit Plan:
- Still auditing low risk areas;
- Coverage of the whole business;
- Spending time on minor risks within an audit area;
- Auditing all the controls, not just key controls to key risks;

(2) Death By Risk


Overcomplicated low level Risk Assessments;

Risk Registers develop a life of their own, multiplying and mutating;

Success judged by number of risks rather than effective identification of key risks and emerging risks

(3) Risk to what?


We forget:

Controls
Objectives

Risks

(4) Looking Backwards not Forwards


External Audit looks backwards, Internal Audit should look forwards;

Internal audit only looks to the past to inform the future;


Looking at risks to the achievement of objectives naturally gives a future focus, but it can be wasted;

(5) Forgetting to train our auditors


New skill sets required;

Real business / strategic understanding;

Understanding of risk and assurance;

Logical thinking, not checklists;

Asking "so what?" in all that we do and all that we find;

Ability to focus on what's important, and the courage to leave what's not.

(6) The controls checklist is still king

(7) Mixing up objectives, risks and controls

SAMPLE RISK REGISTER EXTRACT AND AUDIT TESTING:

RISK: No succession plan in place
CONTROL: Succession Plan
TEST PLAN: Obtain succession plans for xxxx
RESULT: No succession plans
RECOMMENDATION: Put succession plan in place.

OBJECTIVE: Business continuity

MORE APPROPRIATE:

RISK: Staff in key positions are absent / leave the business
CONTROL: (1) Appropriate notice periods for key staff; (2) Short and long term succession plans in place
TEST PLAN: (1) Obtain list of key staff / positions (2) Check notice (3) Review adequacy of contingency plans
RESULT: Notice periods ok, short term contingency ok, lack of longer term planning
RECOMMENDATION: Introduce succession planning across the business linked into career development plans. This should include a one to five year time period.

(8) Forgetting to educate the business


We may know we've changed. But the business won't know unless we tell them.

(9) Reporting on controls not risks


Controls are only relevant when linked to a risk;

A risk is only a risk when linked to an objective;

Management want to know what our findings mean to the business;

Risks
Objectives

Controls

(10) Keeping the benefits to ourselves


Risk Registers remain in Internal Audit.

Wasted opportunities to discuss risk with management.

Audit

Management

CONCLUSIONS
Many businesses have made moves towards risk based Internal Audit;

Business wide focus.

BUT:

Unless we eliminate the 10 Deadly Sins, we will not realize the full benefits;

Internal Auditors need to think OBJECTIVE RISK CONTROL in everything they do;

Risk based thinking throughout the audit process is essential;

Risk based auditing must not be just a buzzword.

Thank You!
