Chapter three

Internal Audit’s Role in Evaluating Risk Management

As a minimum, internal audit needs to audit the risk management processes, provide assurance on their adequacy and comment on whether the organisation’s attitude to risk – appetite and tolerance – is suitable for its environment. Internal audit’s evaluation needs to be based on a view on risk maturity. This chapter provides guidance on reaching such a view.

The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.

Source: PSIAS 2120 Risk Management

RISK MATURITY

Risk maturity is the concept that the more established and embedded risk management arrangements are in an organisation, the more confidence the auditor can have in their ability to safeguard it against risk. Although the concept of risk management has now been around for some time, many organisations have yet to achieve full maturity.

In its most recent survey of heads of internal audit (Governance and Risk Report 2013: Internal Audit’s Perspective on the Management of Risk) the IIA found that 45% of respondents felt that the level of risk maturity within their organisation could be classified as in the early stages of implementation, in development or non-existent (at level 3 or below in the following illustration). This figure was consistent whichever sector was looked at.

The first step is for the auditor to assess risk maturity. The following illustration explains the concept clearly.

[Illustration: Assessing risk maturity]

INTERNAL AUDIT’S APPROACH BASED ON RISK MATURITY

In order to consider the most appropriate stance, and to provide the requisite assurance, as a minimum the processes by which risks are identified, analysed and managed must be reviewed as set out in the diagram above. Internal audit’s role moves along a spectrum depending upon the level of maturity the organisation has reached, as illustrated below.

[Illustration: Risk maturity and internal audit’s approach]

Internal audit’s role depends on the level of maturity that the organisation has reached. The spectrum of tasks ranges from supporting, promoting and facilitating the improvement of risk management where the organisation is risk naive, to reviewing, assessing and using arrangements to provide assurance that they operate effectively when the organisation is fully risk mature.

As a minimum, or core function, internal audit should always critically review management’s assessment of risks and consider this in relation to the scope of work over which it must provide assurance. In particular, it should ensure that in addition to the key strategic and operational risks to objectives, on which management are often primarily (and rightly) focused, there is sufficient understanding and coverage of other risks arising over:

Internal audit should also ensure that risk assessment appropriately reflects risks in areas where there are previously identified control deficiencies.

Where management’s assessment of risk is considered by internal audit to be incomplete or flawed, additional or revised risks should be defined, assessed and reflected in the design of the audit plan. Any additions and revisions should be shared and discussed with management and the audit committee to continue to promote a comprehensive and shared view of risks and required action.

Where the risk management process is immature, internal audit has a key role in furthering development and process improvement and should work with management to facilitate the identification and assessment of risks. This is more of a consultancy role, and the relevant PSIAS requirements should be followed.

Where the risk management process is mature and provides for a robust consideration of the risks faced, it should be used to direct the internal audit plan to support the continuous provision of assurance. In reality, few organisations are at the extreme ends of this continuum, and a tailored combination of these actions is the most likely response.

But there are tasks and issues which internal audit should not be involved in, since this would compromise independence and objectivity; for example, becoming part of the day-to-day risk management process or deciding on risk categorisation or appetite for the organisation.

The way in which internal audit plans its work therefore depends on the assessment of risk maturity. Annex 3.1 to this chapter provides an example of internal audit redesigning its approach to support the organisation’s risk management processes.

INTRODUCING CIPFA’S MODEL FOR ASSESSING RISK MATURITY

CIPFA developed a model for assessing risk maturity in 2005. The model holds good, although it has been enhanced and updated for this publication. It is included in the appendix to this publication in a form that can be copied or adapted by internal audit.

Summary of the model

Each element in the model and in the following table shows the key issues that are critical to the successful implementation and management of a risk framework. The model also sets out key questions to consider, which the auditor should test for design and application in practice. If these elements are in place and working effectively, the risk management framework can be considered to be embedded. Some key documents are suggested but will vary between organisations. Finally, there is space for the auditor to conclude on the organisation’s risk maturity for each element of the framework. This provides a clear overview of where improvement is needed, what action should be taken and where good practice should be recognised.

The model encourages the auditor to assess risk maturity at present, where the organisation would wish to be in the short term (12 months), and where the organisation would wish to be in the long term (say three years or more). This can be carried out at group, organisational or business unit/division/department level.

The level of risk maturity will vary for different parts of the organisation. It is important to have a sense of what is appropriate to each business unit or area on a cost–benefit basis. Not all areas will need to leverage risk management to an area of competitive advantage or top performance (level 5), but all in the public services are likely to need to attain level 3 in order to contribute to the overall control framework and disclosures on internal control in the annual statements. Those parts of the organisation dealing with major business risks are the most likely to need to achieve level 5.

The model enables the auditor to develop an audit programme, considering the risk maturity for each of the following elements.

[Illustration: Risk maturity model]

The model relates to PSIAS 2120 Risk Management, as set out in the following table.

PSIAS 2120: Determining whether risk management processes are effective is a judgment resulting from the internal auditor's assessment that the criteria below are met. Each criterion is followed by the CIPFA model elements that relate to it.

PSIAS 2120 criterion: Organisational objectives support and align with the organisation’s mission

Related CIPFA model elements:

Vision, commitment and ownership

Vision comes from the top and should be shared throughout the organisation. To have any impact, risk management must have strong support and endorsement from the top. The ownership of risk cannot be delegated and must be owned by those accountable for the achievement of their element of the organisation’s objectives, at whatever level.

The extended enterprise

No organisation is entirely self-contained – it will have a number of interdependencies with other organisations. These are sometimes called the ‘extended enterprise’ and will impact on the organisation’s risk management, giving rise to certain additional risks that need to be managed.

PSIAS 2120 criterion: Significant risks are identified and assessed

Related CIPFA model elements:

Identifying the risks

Ultimate responsibility and ownership of the process of risk identification lies with the organisation’s executive/governing body. The task of risk identification may be carried out at this top level of management or devolved or delegated to a corporate risk management group/committee.

Monitoring and review

Performance monitoring of risk management activity must ensure that the treatment of risks remains effective and that the benefits of implementing risk control measures outweigh the costs of so doing.

PSIAS 2120 criterion: Appropriate risk responses are selected that align risks with the organisation’s risk appetite

Related CIPFA model element:

Action and response

Having identified the key risks and prioritised them, the next stage is to decide what the response should be. The organisation will want to tackle those risks that threaten the key business objectives and service provision, and/or areas where the existing controls are weakest.

PSIAS 2120 criterion: Relevant risk information is captured and communicated in a timely manner across the organisation, enabling staff, management and the governing body to carry out their responsibilities

Related CIPFA model elements:

Structure, roles and responsibilities

An effective structure is likely to include a working group or risk committee, bringing together staff from the main services, with a chair at a senior responsible level to organise and lead the activity.

Categorising and prioritising the risks

The key risks and main contributory risks will need to be linked, prioritised and categorised – possibly into ‘high’, ‘medium’ and ‘low’ – to ensure a comprehensive understanding of the threats to achieving the business objectives and opportunities to take risks. This is not an exact science. The process can range from a group of people using their collective judgment and wisdom, to complex scoring mechanisms.

Embedding risk management within the organisation

Within an organisation there needs to be a framework of the various risk management processes that occur as part of the organisation’s normal procedures. Integrated risk management can only be said to have been fully achieved when the management of risk is embedded into all the functions and processes within the organisation, and when everyone from the chief executive down is risk aware.

Chapter Summary

The more established and embedded risk management arrangements are, the more confident internal audit can be that the organisation is safeguarded from risk.

Where risk management is immature or naive, internal audit will need to rely on its own assessment of risk. Where risk management is enabled, it can rely on management's assessment of risk. Internal audit's role will be more supportive in risk-naive organisations, working with management to further and develop risk management. Its role will be more assurance based in risk-enabled organisations.

CIPFA's model can be used interactively to determine risk maturity.

CHECKLIST FOR AUDITORS

Do you know where your organisation is on the spectrum from risk naive to risk enabled?

Does your audit strategy take account of risk maturity?

Are you performing your minimum role of critically reviewing management’s assessment of risks and considering this in relation to the scope of work over which internal audit must provide assurance?

ANNEX 3.1: HM REVENUE & CUSTOMS – REDESIGNING INTERNAL AUDIT’S APPROACH TO RISK

HM Revenue & Customs fundamentally redesigned its internal audit approach in 2012 alongside its risk management assurance practices which, up to that date, had been largely separate. In both instances, it was recognised that a significant proportion of the activity was process driven rather than conversation driven. This had led to:

Over the next two years internal audit reviewed how it spent its time, changed the emphasis of its work and more importantly used every opportunity with audit clients to reinforce good risk management principles and to learn about clients’ perspectives.

Rather than describing every detail of the changes made by internal audit, there are three key features to HMRC’s approach that fundamentally made the difference:

This cuts down on delays due to wordsmithing, results in greater appreciation by the internal audit team of the pragmatic issues facing the business, and improves the business’ opinion of internal audit balancing delivery challenges with being independent and holding the business to account.
