Audit & Risk

Risk-based internal auditing: reliance

What factors should internal auditors consider before placing reliance on ERM systems? Stephen Maycock, a trainer in internal audit and risk management and the host of a recent IIA webinar on the subject, offers his perspective.

In July 2012 I delivered a webinar on risk-based internal auditing as part of the IIA series of free webinars supported by Oracle. This proved to be a popular topic, attracting a good turnout and plenty of questions from the audience. There were too many of these to cover individually during the live webcast, but many had common themes that were worth exploring further. In this, the second of three articles, I will offer additional insight into one of these themes.

Theme two: if risk management is already embedded in a business, what level of review would you expect internal audit to conduct in order to ensure that risk identification, analysis etc. are sufficiently accurate and robust to form the basis of an audit plan?

In the first article I explained that a number of organisations had established a “three lines of defence” model for the different roles providing assurance over the management of risks. Such models typically set out the responsibilities of management / management control functions (as the first line of defence), risk management functions (second line) and internal audit (third line). In such relationships the later lines of defence might review the earlier lines and seek to rely on some of their activities.

What does this mean for the relationship between internal audit and the risk management function? How does this affect the reliance that internal auditors might place on enterprise risk management (ERM) systems?

The usual principles of reliance apply: any form of reliance should be preceded by sufficient evaluation in order to form a conclusion about the effectiveness of what’s being relied upon. When seeking to place reliance on the output of an ERM system, the first step is to evaluate the ERM processes. Hence, the first step of a risk-based internal audit approach is to assess the maturity of ERM in the organisation.

Where a risk management function exists, this may also include a review of that function. This can be a sensitive area and the review should be undertaken in such a manner as to preserve a good relationship. This will enable essential co-ordination activities to continue effectively, based on mutual respect, trust and understanding. The outcome of the review of the risk management function may enable internal audit to place some reliance on the activities performed by that function. This could then reduce some of the internal audit activities that would be performed as part of the review of the ERM system.

One should not underestimate the complexity of reviewing the ERM system, particularly where there may be mixed maturity levels, as is often the case. Although there are tools available for assessing risk maturity, a thorough understanding of all aspects of ERM is essential to ensure that the review is robust enough to produce reliable conclusions.

The results of this review will be a vital component of the overall assurance sought by the audit committee. The results will also have a significant influence on the design of the internal audit strategy. The review of the ERM system is therefore a crucial internal audit activity.

Once it’s been decided that the output of the ERM processes can be relied upon for the purpose of periodic internal audit planning, I would not suggest that blind reliance should then be placed on every aspect of each risk documented in the risk register. The concept of internal audit providing an independent review, with an appropriate level of professional scepticism, remains important at every level.

The IIA’s approach to risk-based internal auditing, as outlined in the webinar, includes the need to review risk maturity across the organisation’s various functions. The results of these reviews will then guide the application of the approach in the different parts of the organisation.

My next article, to be published in the week starting 24 September, will explore the concepts of gross and net risk in the context of the role of internal audit. This was clearly a key area of interest, prompting questions from several members of the audience.

Stephen Maycock is a trainer in internal audit and risk management. He delivers a number of the IIA training courses, particularly where these two related disciplines come together.


Further information

If you wish to explore these topics in more depth, the IIA offers a range of courses on risk-based internal auditing, the next of which will be held in October. There is a one-day course for internal audit practitioners and a more in-depth two-day course for internal audit managers. These events are also an opportunity to discuss approaches used by other organisations. In November there will also be a new course providing comprehensive practical guidance on “Auditing the ERM framework”.

Click bit.ly/Nk9ySm for more information on these and other IIA courses.
