Position Statement
The Institute of Internal Auditors – UK and Ireland
The Role of Internal Audit in Risk Management
Introduction
The revised definition of internal auditing sets out two clear roles for internal auditors as providers of both assurance and consulting
services. What is key to the achievement of these two roles is the need to maintain clear independence and objectivity. Internal auditors
should not ‘hide behind’ independence, but at the same time they need to be aware of the role that they are playing at any point in time.
The increasing emphasis that organisations are placing on risk management has given rise to questions from internal auditors about the
role that it may be appropriate for them to play within their organisation’s risk management process.
As with many issues facing internal auditors in the current climate, there is no ‘right’ answer to this question. Internal auditors must
review the guidance given below in the context of the risk management process within their own organisation and the extent to which
they believe they can add value to this risk process and hence to their organisation as a whole.
Risk management
The responsibility for risk management within an organisation clearly lies with the board (or equivalent) who should be responsible for
setting the strategy, and senior management who should be responsible for implementing the strategy. However, it is also clear that
everyone within an organisation bears some risk management responsibility. This responsibility and accountability are clearly set out in the
Turnbull guidance and in other similar pronouncements for non-listed organisations.
In order to successfully achieve the organisational business objectives, management should ensure that sound and effective risk
management processes exist and that they are functioning as intended. Boards and audit committees have an oversight role to determine
that risk management is functioning effectively within the organisation.
The role of internal audit in the risk management process
The role of internal audit within risk management cannot, and should not, be prescribed. The role within one organisation may change
over time and the role from one organisation to another is likely to be very different.
Primary responsibility for risk management lies with line management. Internal audit’s involvement should stop short of responsibility and
accountability for risk management across the organisation and of managing risks on management’s behalf. However, in order to add
value, it is often beneficial for internal audit to give proactive advice or to coach management on embedding risk management processes
into business activities.
In practice, internal audit's role may well fall across the following continuum:
From: focusing the internal audit work on the significant risks facing the organisation, as identified by management, and auditing the risk management processes across the organisation, including providing assurance on the management of risk
To: providing active support and involvement in the risk management process, such as participation on oversight committees, monitoring activities and status reporting
To: training and educating line staff in risk management and internal control, and facilitating risk identification and assessment workshops
To: co-ordinating risk reporting to the board, the audit committee and the risk committee.
The above list is not exhaustive, nor is the IIA-UK and Ireland saying that internal audit will play only one of the roles outlined above. Each
internal auditor must determine the most appropriate role for their organisation and supply the required services.
However, when determining the most appropriate role to play, internal auditors should pay heed to the professional requirements for
independence and objectivity and should ensure that these are not breached. They must also be certain that they have the necessary
knowledge and skills to play the role that they adopt within the risk management process.
Although it is not the role of internal audit to identify the risks facing the organisation, where additional risks are identified by internal audit
during their work then these should be fed back to management as part of the normal audit reporting process.
Where an organisation does not have a clearly defined risk management process, internal audit may have a role to play in supporting the
need to develop such a process, or in educating senior people within the organisation as to the need for such a change.
The IIA-UK and Ireland would suggest that the following are some ways that internal audit might become involved in risk
management without compromising independence and objectivity:
Acting as facilitators, enabling and guiding managers and staff through the risk management process, usually as part of a self
assessment exercise, by organising and leading workshop based discussions, without themselves necessarily becoming directly involved
in the process.
Operating as team members who are part of broader based groups, often bringing together staff with first hand knowledge of line
management issues as well as those with specific technical expertise. In this scenario, they provide the internal auditing expertise within
such multi-skilled teams.
Acting as risk and control analysts providing managers with expert advice on the identification and assessment of business risks, and
the design and construction of control and mitigation strategies.
Making available to management tools and techniques used by internal audit to analyse risks and controls.
Becoming a centre of expertise for managing risk.
Where internal audit moves away from its ‘traditional’ role it should make it clear that it is operating in a consultative capacity.
In addition to the above, internal audit is likely to become involved on a regular basis in auditing the risk management process and
its application. In carrying out this task, internal auditors should consider the following:
The extent to which objectives have been set and communicated at all levels within the organisation, and are supported by consistent
business strategies, plans and budgets.
The adequacy of the mechanisms for identifying, analysing and mitigating key business risks arising from both external and internal
sources.
The existence of mechanisms for identifying and reacting to both routine and more dramatic changes that could affect the organisation’s
ability to achieve its objectives.
In this context, it should be noted that an organisational risk management framework should contain the following elements:
clear, coherent risk strategy, policies and standards;
forums for risk discussions and communications;
responsibility for risk, and authority to manage it are clearly defined and assigned to key staff;
effective two-way communication within the organisation to ensure that policies are widely understood and that the actual situation found
in the business is reported so that it can be seen how effective these policies are;
suitable organisational risk programmes and procedures; and
arrangements for monitoring and reviewing management of risk including continuous learning from experience.