In July 2012, Stephen Maycock delivered a webinar on risk-based internal auditing as part of the IIA series of free webinars supported by Oracle. This proved to be a popular topic with a good turnout accompanied by plenty of questions from the audience. There were too many to cover individually during the live webcast but many had common themes that were worth exploring further. Stephen has therefore written a short series of articles to clarify some of the points raised.

The first two articles explored the different roles of internal audit and risk management functions and the relationships that they need to establish, including the potential for review and reliance.

In this article, the final of the series, Stephen explores the concepts of gross and net risk within the context of the role of internal audit.

Theme 3: Risk management tends to focus on net risk and the link with risk appetite, while internal audit concentrate on gross risk. How can internal auditors overcome this disconnected relationship?

I do not see this as a disconnect, but rather a valid differentiation of the roles – and only one of the many ways in which these roles differ, I hasten to add.

While the differences between the internal audit and risk management functions can only be fully clarified by reference to the formal remits that have been established for the two functions, one common distinction is that the risk management function may be more focused on net risk.

This may arise from a strong remit to encourage management to ensure that all risks are being handled within the risk appetite, or that action plans are being robustly pursued where this is not the case. I was working with such a team recently and they were under a lot of pressure to “turn the reds into greens” as quickly as possible.

During the webinar, one delegate pointed out that “perceived net risk may be low and therefore fall below the audit radar, but it may be dependent on controls that are in fact not working”.

As I pointed out at the time, the internal audit radar should in fact be focused on gross risk. If the controls are not working, as this delegate suggested, the real net risk may be higher than it is believed to be. Internal auditors should therefore verify the effectiveness of controls for risks that have a high gross (inherent) value.

A key focus of internal audit continues to be the provision of assurance that the highest inherent risks are being effectively managed to within the risk appetite. The difference today is the greater contextual emphasis on risk, whereby risk mitigation activities – including controls – are evaluated within the context of how they are changing inherent risks in relation to the risk appetite. This important context helps us to recognise the purposefulness of controls and assists in the evaluation of their cost effectiveness.

What is the role of internal audit when the risk register indicates that the net level of a risk is above the appetite?

In this instance we are unable to provide assurance that the risk is being managed within the risk appetite. We might instead provide advice to management on potential risk mitigation activities that could help to bring the net level of risk to within the risk appetite.

So, while our internal audit radar is focused on high gross risks for the purposes of providing assurance, we may have a separate radar looking for high net risks to target where consulting activities might be of most value.

The establishment of risk management functions and effective ERM systems allows internal auditors to take a step up. They should find themselves working with more senior levels of management, performing less detailed work and providing more holistic and more valuable assurance on the organisation’s management of risk. This entails the provision of assurance over the way the organisation manages risk as a whole, not just individual risks.

I hope that you have found these articles helpful and informative, and a final thank you once again to everyone who attended the webinar and to those who posed such interesting questions.

Further information

If you wish to explore these topics in more depth, the IIA offers a range of courses on risk-based internal auditing.

In November, there will also be new course that provides comprehensive practical guidance on “Auditing the ERM framework”.

Click here for more information on these and other courses on offer from the IIA.

Stephen Maycock is a trainer in internal audit and risk management. He delivers a number of the IIA training courses, particularly where these two related disciplines come together.