“Internal Audit and Risk Management”: Synonyms or Something Else?
What is Risk Management?
Risk management, once mere jargon, has become a widely known and much discussed term. It denotes the tactics and practices that organisations and individuals follow to deal with the various risks they face. Risk management has been defined by different organisations and individuals from their own perspectives; some common definitions are discussed below:
According to ISO 31000:2009, “Risk management refers to a coordinated set of activities and methods that is used to direct an organization and to control the many risks that can affect its ability to achieve objectives.” The same source continues: “The term risk management also refers to the architecture that is used to manage risk. This architecture includes risk management principles, a risk management framework, and a risk management process.” From this definition we may note that risk management is the mechanism used to manage risk.
To manage risk, one must know:
1. What is risk?
2. What risks does the organisation face?
3. How to analyse each risk in order to decide whether to control it, reduce it or transfer it (the risk response).
Risk Management Process
From the above analysis, we may say that risk management is a broad spectrum comprising risk identification, risk analysis and risk response. The risk management process of an entity may be presented as in the accompanying image. Having briefly discussed risk management, we will now turn to internal audit.
What is Internal Audit?
The Institute of Internal Auditors (Florida, USA) defines internal audit, as does the Preface to the Standards on Internal Audit issued by the Institute of Chartered Accountants of India. From these two definitions, we may say that internal audit is the independent evaluation and appraisal of management's functioning, with the aim of contributing to better risk management and to sound corporate governance practices.
Internal Audit Process
Unlike a statutory audit, internal audit is generally a continuous process with no fixed end. It starts with identifying audit areas and preparing the internal audit plan in consultation with the strategic management team.
It matures with conducting the internal audit and reviewing the internal control process, then submitting the internal audit observations, and it concludes with obtaining management feedback on those observations and getting the accepted recommendations implemented. This cycle is preferably completed within the audit period, which is generally one year. The internal audit process of an organisation may be understood from the image given below.
Internal Audit and Risk Management
The internal auditor plays an important role in risk management by reviewing operations, policies and procedures, which helps ensure that the goals and objectives of the organisation are met. For this, the internal auditor is required to understand the “big picture” and the diverse operations of the organisation, and to make recommendations to improve economy and efficiency.
In a simplistic view, risk management and internal audit go hand in hand. Risk management identifies the risks to an organisation, and internal audit checks compliance with the policies and procedures set up to mitigate those risks. Both are independent of the main functions of the organisation. It is interesting to note that small organisations use the internal auditor as risk manager: in such organisations it is the internal audit department alone that identifies the risks facing the organisation and suggests ways to deal with them, so there risk management cannot be separated from internal audit. There is no doubt that risk management is a broad spectrum and that the internal auditor facilitates it in various ways, i.e. by assessing the effectiveness of risk management techniques, finding challenges and risks to the existing measures, and giving clues about future challenges.
The main focus of internal audit is internal controls. Internal audit checks and reports whether these internal controls are able to manage the perceived risks effectively. However, internal audit does much more than ensuring that these risks are kept within manageable levels by internal controls. With the skills, tools and techniques at its disposal, internal audit provides management with the necessary insight into where the business is heading and whether there are risks that have not yet been identified. Once perceived risks are identified as potential risks, management devises ways and means to mitigate them. Internal audit, as part of corporate governance, is necessarily related to the risk management process, but internal audit does not manage risks. Internal audit works very closely with all areas of operation of an organisation, and it is equally important that it works closely with the risk management function too.
The risk appetite may well be decided in close consultation with internal audit. Where an organisation has separate risk managers, the responsibilities of internal audit and risk management need to be clearly defined. Essentially, perceived risks are identified by management, the managers concerned become the owners of these risks, and it is their responsibility to manage them. Internal audit only reports on how effectively the various managers are managing these risks. Of late, internal audit is regarded more as risk-based internal audit, because it focuses on risk identification, prioritisation of audit areas and allocation of audit resources in accordance with the risk and audit universe, grouping risks into audits that aim to mitigate the perceived risks and also to identify potential risks. It is interesting to note the metamorphosis that internal audit has undergone over the past two decades or so, and the internal auditor is surely expected to be a ‘strategic contributor’ in the days to come. The traditional role of ensuring the effectiveness of internal controls has been enlarged to cover the entire organisation and to help it accomplish its objectives by bringing a systematic and disciplined approach to evaluating and improving the effectiveness of risk management, control and governance processes.
This shift in role has been necessitated by the sudden and convulsive global economic uncertainties of the recent past. The internal auditor needs to adapt and align with the CEO and the new strategies of the organisation, and be prepared to deliver the value demanded by the changed situation. Increased regulatory pressure, globalisation and complex industry dynamics have affected the focus of the internal audit function and made it necessary for internal audit to synchronise its approach with that of management. The internal auditor needs to succeed in this endeavour so as to deliver real value to the organisation; otherwise he risks losing relevance within it. Internal audit is a subset, or species, of the process of risk management. Basically, risk management should focus on identifying all types of risk, evaluating them and assessing the probability of negative incidents. Depending on the type and scope of the business, the risk management function may be more or less detailed and powerful; in some cases risk management may intervene in different processes, stop them, or give instructions to managers. Internal audit, however, should review all procedures and business processes, including risk management, in order to provide the Board (not just management) with independent assurance that the company is moving in the right direction, in line with the objectives set by the owners. To sum up, we may say that risk management is a broader strategic process and internal audit is an operational tool for achieving that strategy.
In the three lines of defence model, risk management is the second line of defence (operational management and its controls being the first), while internal audit is the third line. Both functions are very important for the long-term and continued survival of an organisation.
By: CA Jai Prakash Agarwal
M.Com, LL.B, ACMA, ACA, ACS, DISA (ICAI), DIRM (ICAI), UGC NET