
The role of internal audit in risk management


by Katharine Bagshaw, 01 Apr 2002

The role of internal audit has developed considerably over the past 10 years.
In the UK, the publication of the Cadbury Report on corporate governance and
the Turnbull Report on Internal Control have speeded this process.
Internationally, similar codes, reports and frameworks have been issued by
organisations such as the Canadian Institute of Chartered Accountants[1], the
Treadway Commission[2], and the Organisation for Economic Co-operation and
Development (OECD).
Students are not required to know the detailed provisions of any code.
However, by way of example, Provisions D.2, D.2.1, and D.2.2 of the Combined
Code on Corporate Governance recommend that boards of listed companies
maintain a sound system of internal control, that the directors should annually
review the effectiveness of internal controls, and that they should report to
shareholders that they have done so. The review should cover all controls,
including financial, operational and compliance controls and risk management.
Companies which do not have an internal audit function should from time to
time review the need for one.
Where companies have made a report to shareholders on internal control,
external auditors are required to review the report. Again, for Paper F8,
students are not required to deal with the implications of this but it is
important for students to recognise the importance of these high level
developments. Companies have been required to report on the risks facing
their business for many years in prospectuses, and an increasing number of
companies are including sections on risk management as a key element of
their annual reports.
Corporate governance
Students should be aware that codes of corporate governance deal with
matters such as:
• the proper constitution of the board – including the presence of non-executive directors, and
proper appointment mechanisms
• proper arrangements for the remuneration of directors – including a remuneration
committee
• proper mechanisms for shareholder relations – both institutional and private
• proper accountability and audit – covering financial reporting, internal control and audit
committees.

A proper system of internal control in practice requires a proper system of risk
management and organisational control. This article focuses on the risk
management element of internal control and how internal audit can assist in
this area. Risk management is now an important feature of management in
both the public and private sectors, but students are not required to have a
detailed knowledge of public sector requirements for this paper.
Risk management
It is important for students to appreciate that businesses do not classify risk in
the way that external auditors do. Audit risk is not the same as business risk,
despite the fact that some firms of auditors have recently indicated that they
are adopting a 'business risk' approach in their audit methodologies.

Risk management is not the responsibility of the internal audit function.
Management may require internal audit to perform the function but this means
the involvement of internal audit in the day-to-day running of the business
which can impair auditor objectivity. Many large organisations have separate
risk management functions. Internal audit’s job may be to assist that function
or the board by:
• providing objective assurance on the adequacy and effectiveness of the risk management
and internal control framework
• helping improve the processes by which risks are identified and managed
• helping strengthen and improve the risk management and internal control framework.
More specifically, internal audit can provide advice on the design,
implementation and operation of control systems, identify opportunities to
make control cost savings, and promote a risk and control culture within the
organisation.
Internal auditors can also act as facilitators, guiding managers and staff
through a self-assessment process, perhaps by leading workshops. Internal
audit can also become a centre of expertise for managing risk by providing
enterprise-wide risk management (ERM) services.
In order to do all of this, internal audit needs to be aware of how risk
management works.
Any system of risk management and internal control needs to be aligned with
business objectives. Business objectives and risks relating to those objectives
can be classified in many ways. One classification is as follows:
• effectiveness and efficiency of operations (including profitability, customer service, and
corporate responsibility, for example)
• reliability of internal and external reporting (ie internal financial control)
• compliance with internal and external regulations.
Another classification might be as follows:
• business risks (relating to the economy, technology and competition, for example)
• financial risks (relating to liquidity, interest rates, exchange rates and the misuse of
financial resources, for example)
• compliance risks (such as a breach of stock exchange regulations, non-compliance with
accounting standards or company law, and non-compliance with tax or environmental
regulations, for example)
• operational risks (such as loss of assets, poor service levels, employee-related issues, or a
shortage of raw materials, for example).
There are many business risk models available. Students are not required to be
familiar with any particular model, but they should be able to come up with an
appropriate classification, to identify the likely risks and to state how internal
audit can assist in the risk management process for a simple business
scenario. Risk management involves:
• identifying the risks relating to business objectives
• assessing risk in terms of probability and timing, measuring the potential impact and
thereby prioritising risks
• deciding how to deal with the risks identified
• monitoring.

Identifying risks
For a chemical manufacturing company, risks relating to business objectives
might include: the risk to profitability from competitors; the risks to compliance
relating to environmental regulations; the risks relating to inadequate
reporting of environmental matters in the financial statements; and the risks to
the company’s corporate reputation. Internal audit can advise on the process
by which management identifies risk. For example, does the company use
external consultants? Does it use recognised methods for risk identification?
Does it perform the exercise on a regular basis?

Assessing risks
Risks are often placed on a grid as follows:
• high impact, high likelihood
• high impact, low likelihood
• low impact, high likelihood
• low impact, low likelihood.
So, for the same chemical company, high impact, high likelihood risks would
include risks related to environmental contamination. High impact, low
likelihood risks might include the risk of catastrophic damage to production
facilities as a result of earthquake (assuming facilities are not located in an
area prone to earthquake). Low impact, high likelihood risks might include
minor injuries to employees. Low impact, low likelihood risks are sometimes
difficult to identify because they may not be regarded as real risks at all, but
they might include the risk of a claim against the company for unfair dismissal
by a junior employee, for example.
The assessment and classification of risk will be different for each company,
and internal audit can help management by commenting on the criteria used
for classification and on how those criteria have been applied, for example.
Dealing with risks
Students should be familiar with the following list of risk management
techniques:
• accept the risk (eg for low impact, low likelihood risks)
• reduce the risk (eg by implementing improved internal controls)
• avoid the risk (eg by not engaging in a particular activity)
• transfer the risk (eg by means of insurance, or by requiring third parties to sign
indemnities).
Again, internal audit can advise on the criteria used in deciding how to deal
with risks, and can suggest methods by which risk can be reduced, avoided or
transferred. For our chemical company, internal audit might advise
management that reducing the risk of environmental damage might be
achieved by employing external consultants to advise on methods of
improving operational controls, for example. Alternatively, it might advise that
the risk of claims against the company in respect of products might be reduced
by inserting clauses in sales contracts limiting liability.
Students interested in this subject might find it useful to do a search on the
ACCA’s website for articles and other publications on risk management.
Articles on the role of internal audit can also be found at the Institute of
Internal Auditors.
The following documents are not required reading but those with an interest in
the subject may find them useful as background:
• The Combined Code (Gee Publishing Ltd)
• Providing Assurance on the Effectiveness of Internal Control. Briefing Paper (Auditing
Practices Board)
• Implementing Turnbull. A Boardroom Briefing (Centre for Business Performance, ICAEW)
• Internal control. Guidance for Directors on the Combined Code (ICAEW)
• Financial Reporting of Risk. Proposals for a Statement of Business Risk (ICAEW)
• No Surprises. The Case for Better Risk Reporting (ICAEW)

REFERENCES
1. Reports issued by the Criteria of Control Board (COCO)
2. Reports issued by the Committee of Sponsoring Organisations (COSO)