Chapter one

Introduction

BACKGROUND

Failure to manage risk properly continues to hit the headlines. When the 2005 edition of this publication was written, it was predominantly business failure that attracted attention to poor governance and poor risk management – the Maxwell scandal, Barings Bank, BCCI, Enron, Parmalat, Shell and Equitable Life. Business and financial failings have continued – the collapse of Northern Rock, rogue trading at Societe Generale, the Icelandic banking crisis, and the much wider crisis in banking around the world.

Now, governance and risk management failings have broadened beyond the financial sector – the BP oil spill; The Co-operative Bank scandal; tragic failings in child protection; lack of public confidence in patient safety at the Mid Staffordshire NHS Foundation Trust; nursing and care home scandals; reputational damage to government through the failure of security services at the Olympic Games; the inability of healthcare providers to deliver effective sickness benefit assessments; failures to safeguard personal data; and costly major IT project failures. The list goes on.

Such adverse events directly affect the safety, wellbeing and economic livelihood of individuals. They have many complex causes but there are common threads – poor standards of ethical behaviour; lack of governing body or governance leadership; ineffective regulation or scrutiny; weak financial reporting; fraud; and failings in control and power vested in the hands of too few dominant senior executives or chair-persons. They can also be due to organisations having too narrow or short term a risk horizon and failing to anticipate changes and their impact on risks.

Unless organisations can manage and mitigate their risks more effectively, service failure and reputational damage will continue.

We live in a riskier world, but we also live in a more controlled and regulated world. Processes designed to avoid risk can have costly and inefficient consequences – for example, measures intended to prevent terrorism or illegal immigration can result in longer waiting times for passports or at border control.

A balance needs to be struck between the risks we are prepared to accept and those that we need to control. As a source of assurance on the adequacy of risk management and control, internal audit has a vital contribution to make in helping avoid public service failure.

WHY IS THIS PUBLICATION NEEDED?

The 2005 edition of It’s a Risky Business was itself an update of the 1997 publication It’s a Risky Business: The Auditor’s Role in Risk Assessment and Risk Control. The 2005 edition was a practical guide for public sector internal auditors to help them play a major role in reducing risk and make a valuable contribution to their organisations’ annual governance statements.

Much has changed since 2005:

■developments in public sector governance, including a clearly defined role for governing bodies and those charged with governance, and a higher profile for audit committees
■reform of the regulatory regime across the public sector
■greater expectations around ethical behaviour and codes of conduct for those who govern
■continuing concern about high-profile risk failure, affecting everyone, not just businesses, investors and shareholders
■the economic downturn, reduced resources and the consequent need for public sector organisations to seek innovative ways to deliver better for less
■the introduction of Public Sector Internal Audit Standards, setting out a clear role for auditors in evaluating, reporting on and improving risk management in their organisations.

There have also been a number of detailed changes to legislation, professional standards and practices. But the main elements of the 2005 publication still hold true:

■internal auditors need to understand the concepts of risk and risk management and to have the skills to deliver assurance on the quality and effectiveness of risk management
■the audit programme needs to be based on an assessment of the maturity of risk management
■internal audit needs to take a risk-based approach to planning and undertaking its work in order to provide an opinion on the internal control environment.

WHO IS THIS PUBLICATION FOR?

Those charged with setting the strategic direction for the organisation and for ensuring its achievement (the governing body or board) are responsible for owning the risks to objectives and managing them effectively. But internal auditors have a valuable part to play in evaluating and contributing to risk management, governance and assurance processes.

This publication is therefore aimed at internal audit, and has been written by audit practitioners for audit practitioners to provide step-by-step guidance to assist auditors through the complex world of public sector risk management. It also has a wider audience in the public sector – all those interested in or responsible for public service governance and risk management, including leadership teams, chief executives, audit committees, other stakeholders and those responsible for managing the internal audit function.

DEFINING RISK AND RISK MANAGEMENT

This is not a manual on risk management (on which there is already a wealth of published material). Instead, it has been designed to enhance internal auditors’ understanding of the contribution they can make to improving risk management.

To start, it is important to be clear about what is meant by risk.

Risk is the effect of uncertainty on objectives, where effect is any deviation from the expected – positive or negative.

Source: ISO 31000

It is important to make a distinction between audit risk and business risk.

Audit risk has a specific meaning: the risk that the audit process provides an inappropriate opinion – ie that the accounts contain a material misstatement or error.

This publication focuses on business risk: the risks that might prevent a business achieving its objectives, and the role that audit can play in giving confidence to the business that its risk is being managed.

In a sense, this is nothing new. We all deal with risks on a daily basis in our personal and working lives, from crossing the road to making an investment decision. Risk has always been the business of internal audit. The auditor’s job is to assess the likelihood of something adverse happening as a consequence of a control or a process not working properly. The concept of risk gives meaning to the audit process; if there is no risk of anything ever going wrong, there is no point to the audit process. Identifying risk and judging the materiality of risk in any system of control are the key skills required of an effective internal auditor.

It is important to appreciate the positive as well as the negative aspects of risk. There is as much danger in not taking action as there is in taking action, since failing to take an opportunity to invest in a service or to transform the way it is delivered can lead to the risk of wasting ever scarcer resources. This is particularly important in times of austerity.

Risk management comprises the set of co-ordinated activities to direct and control an organisation’s risks. Specifically it enables organisations to safeguard their objectives and make the right decisions about taking opportunities and investing resources effectively. The concept of risk management is explored in more detail in chapter two.

INTERNAL AUDIT’S ROLE

Internal audit’s role in risk management is more explicit than ever before – not just contributing assurance through the governance statement, but helping the organisation to achieve its objectives by managing risk more effectively. It needs to provide both objective challenge and support, and to act as a catalyst for positive change and improvement in governance. The developing role of internal audit is illustrated below.

The developing role of internal audit

Source: Scottish Local Authorities Chief Internal Auditors Group

This diagram indicates the raised expectations of audit, moving from a traditional focus on financial control and compliance, to supporting the organisation’s governance, objectives and risk management arrangements.

CIPFA’s 2010 statement The Role of the Head of Internal Audit in Public Service Organisations emphasises the critical role internal audit plays in delivering the organisation’s objectives by championing best practice in governance, objectively assessing the adequacy of governance and management of existing risks, and commenting on responses to emerging risks and proposed developments. Internal audit also provides an opinion on the adequacy and effectiveness of the organisation’s control environment; the systems of governance, risk management and internal control.

Since 2013, internal audit’s developing role has been recognised further in the Public Sector Internal Audit Standards, which were adopted across the public sector. These standards require internal audit to provide an objective assessment on the framework of governance, risk management and control. The standards define the role of internal audit as:

… an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Both these descriptions of internal audit’s role indicate the expectations placed on internal audit in relation to risk. It is CIPFA’s view that there are core functions that internal audit must deliver, discretionary functions that it can undertake to support or improve risk management, and some functions that it should not be involved in to avoid the danger of losing independence or objectivity. A clear distinction needs to be made between internal audit supporting and improving risk management (including working with risk managers and sharing expertise and knowledge) and internal audit being relied upon to perform part of the risk management function.

Internal audit needs as a minimum to perform the following core functions:

■audit risk management processes, provide assurance on their adequacy and comment on whether the organisation’s attitude to risk is suitable for its environment and financial capacity
■assess the risk maturity of the organisation and developing an audit plan based on such an assessment; as maturity is reached the internal audit approach should move from risk identification to assurance on the effectiveness of the risk management system
■take a risk-based approach to audit assignments by identifying objectives, risks and controls, evaluating the extent to which those controls address the organisation’s risks, identifying over- or under-control, articulating residual risk and recommending management action as appropriate
■specifically:

… the internal audit activity must evaluate risk exposures relating to the organisation’s governance, operations and information systems regarding the:

■achievement of the organisation’s strategic objectives
■reliability and integrity of financial and operational information
■effectiveness and efficiency of operations and programmes
■safeguarding of assets
■compliance with laws, regulations, policies, procedures and contracts.

Source: PSIAS 2120.A1

Internal audit can also perform the following discretionary functions:

■help improve risk management through facilitating, advising on and supporting the identification of current and emerging risks
■advising on how to treat and manage risks
■provide training on risk
■identify and report on the consequences of risk not being managed effectively.

In carrying out the core and discretionary functions, there are advantages to be gained from internal audit and risk managers working together (this issue is explored in more depth in chapter four), but not at the expense of threats to internal audit’s independence and objectivity. Therefore, internal audit should not:

■be part of the risk management process
■dictate or influence risk identification, profiling or risk appetite
■act to mitigate or control risks.

The rest of this publication provides guidance to help internal auditors fulfil their challenging role.

STRUCTURE OF THIS PUBLICATION

Chapter two describes the concepts and sets out internal audit’s responsibilities for governance, risk management, internal control and assurance. It provides guidance on building an assurance framework.

Chapter three provides guidance for internal auditors on assessing the risk maturity of the organisation, developing an approach to auditing the elements of the risk management process and contributing to the assurance framework. It introduces CIPFA’s model for assessing risk maturity, which is provided as an interactive tool in the appendix to this publication.

Chapter four sets out how internal auditors can apply the concept of risk to the audit planning process, undertaking risk-based audit assignments and thereby supporting the head of internal audit opinion.

Previous | Next