Academic year: 2021

Implementation

Risk Based Internal Auditing

Three views on implementation

David Griffiths PhD FCA

www.internalaudit.biz

Contents

Introduction
Why should I read this book?
What is risk based internal auditing?
What’s the aim of this book?

Guidance for directors
Why should I read this?
What is RBIA as far as I’m concerned?
What do I have to do?
What’s in it for me?
I’ve got some questions

Guidance for heads of internal audit
Why should I read this?
What is RBIA as far as I’m concerned?
What’s the connection between internal audit and risk management?
What do I have to do?
Stage 1 – assessing the organisation’s risk maturity
Stage 2 – production of an audit plan
Stage 3 – carrying out an individual assurance audit
What’s in it for me?
I’ve got some questions

Guidance for internal audit staff
Why should I read this?
What is RBIA as far as I’m concerned?
What do I have to do?
What’s in it for me?
I’ve got some questions

Glossary of terms
Further reading
Appendices
Questionnaire

1 Introduction

1.1 Why should I read this?

When Harold Macmillan (UK Prime Minister 1957 - 1963) was asked by a journalist what can most easily steer a government off course, he answered ‘Events, dear boy. Events’.

Times don’t change; investors and directors don’t like unexpected events. Which is why regulators are now requiring organisations to determine the risks which might give rise to these events and, in some cases, disclose them.

But it’s not about bureaucracy: an organisation that understands its risks, understands its opportunities. However:

• If it doesn’t know its risks, it doesn’t know the risks it can accept.
• If it doesn’t know the risks it can accept, it doesn’t know the risks to take.
• If it doesn’t know the risks to take, it doesn’t know how to grow.
• If it doesn’t know how to grow, it will wither away.

If it does not understand its risks, ‘Events’ will knock the organisation back; missed opportunities will hold it back.

So how does any organisation control events and seize opportunities? By understanding:

• The risks it faces, both ongoing and in new projects.
• The risks it is prepared to accept.
• The action necessary to manage those risks it is not prepared to accept.

Since the management of the organisation are responsible for controlling events and seizing opportunities, they are responsible for identifying, assessing and managing risks. The correct operation of these processes is essential if an organisation is to achieve its objectives. Stakeholders, including investors and other interested bodies, now expect confirmation that this risk management framework is operating effectively. Just as external auditors provide confirmation concerning the financial accounts, so internal auditors provide this confirmation concerning the risk management framework.

1.2 What is risk based internal auditing?

Risk based internal auditing (RBIA) is the methodology which provides assurance that risks are being managed to within the organisation’s risk appetite.

RBIA is one of many opinions provided to the board, and audit committee, on corporate governance. These opinions are more conventionally known as ‘assurance’, which includes the opportunity to indicate why assurance cannot be given, in part or whole. In this book, when using the term ‘assurance’ this includes the possibility that RBIA has found that all risks are not properly managed and therefore assurance cannot be given.

In implementing RBIA, the assurance required by the board from various functions (for example, health and safety, quality control, insurance, the external auditors) will have to be taken into consideration, and this should be reflected in the internal audit department’s charter (terms of reference). It is the internal audit department’s responsibility to fulfil the board’s requirements; it is the board’s responsibility to fulfil the requirements placed on it by legislation.

The methodology consists of the five core internal audit roles which cover the risk management framework of the whole organisation (known as ‘Enterprise-wide risk management’ (ERM)):

1. Giving assurance that the processes used by management to identify all significant risks are effective.
2. Giving assurance that risks are correctly assessed (scored) by management, in order to prioritise them.
3. Evaluating risk management processes, to ensure the response to any risk is appropriate and conforms to the organisation’s policies.
4. Evaluating the reporting of key risks, by managers to directors.
5. Reviewing the management of key risks by managers to ensure controls have been put into operation and are being monitored.

The core roles are described in the IIA-UK and Ireland publication, The Role of Internal Audit in Enterprise-wide Risk Management. In other words:

Enterprise-wide Risk Management drives RBIA

RBIA therefore applies to any risk that threatens the achievement of the organisation’s objectives. These will include financial, operational and strategic risks, whether internal to the organisation, or external.

1.3 What’s the aim of this book?

This book provides separate guidance for directors, heads of internal audit and internal audit staff on:

• Why risk based internal auditing (RBIA) should be introduced
• How risk based internal auditing can be implemented
• The advantages and disadvantages of RBIA

The aim of this book is to enable an organisation to implement RBIA in an effective and efficient manner. It provides details on RBIA which:

• Support current requirements (such as the Turnbull and Smith guidelines for UK quoted companies and the Institute of Internal Auditors Standards for the Professional Practice of Internal Auditing). This book is intended to complement the IIA-UK and Ireland Guidance An Approach to implementing Risk Based Internal Auditing. (See Further Reading for details of how to obtain this guidance.)
• Give support to the use of RBIA as an efficient and effective use of internal audit resources.
• Provide practical advice to enable implementation, which is:
  • Useable by any size of internal audit department.
  • Capable of being implemented in stages.

The book assumes that readers have an understanding of the regulations regarding risks and internal controls that affect their organisation, for example, the Turnbull and Smith guidelines to the London Stock Exchange (LSE) Combined Code for UK quoted companies, or the UK Government Internal Audit Standards. While this guidance discusses risk management, it does not consider the subject in great depth. Publications listed under ‘Further Reading’ should be consulted.

This book differs from my other book, Risk Based Internal Auditing – An Introduction, in that it is more formal and tries to reflect the generally accepted view of RBIA. I therefore refer to RBIA providing assurance on the management of risk rather than providing an opinion. In particular the book aims to be consistent with:

• Risk Based Internal Auditing, Institute of Internal Auditors (UK and Ireland).
• The Role of Internal Audit in Enterprise-wide Risk Management, Institute of Internal Auditors (UK and Ireland).
• An Approach to implementing Risk Based Internal Auditing, Institute of Internal Auditors (UK and Ireland).
• The London Stock Exchange Combined Code, with the Turnbull and Smith Guidances.

Details are provided in the ‘Further Reading’ section. My other book can be downloaded from http://www.internalaudit.biz/.

Every organisation is different, with a different attitude to risk, different structure and different processes. This book can only provide advice and ideas for an experienced internal audit department to implement RBIA according to its charter and practical limitations. It is not intended as an internal audit manual to be implemented in every detail, and assumes an appropriate knowledge of internal auditing methods of operation and reporting. An internal audit manual, using RBIA, can be downloaded from www.internalaudit.biz.

Please complete the questionnaire at the end of this book so that I can assess how useful it has been and how it can be improved.

This book is the copyright of D M Griffiths. It may be distributed freely with acknowledgement of the copyright. It may not be sold, in any way.

Many people have commented on this book during its many versions. Since they may disagree with this final version, I won’t embarrass them by including their names. I will say “thank you” to

2 Guidance for directors

2.1 Why should I read this?

Risks threaten the achievement of your organisation’s objectives. It is therefore in your interest to understand how internal auditing can help you manage these risks.

Stakeholders, including investors, trustees, customers, directors, councillors, taxpayers and employees expect an organisation to achieve its objectives. Since risks threaten this achievement, regulations are increasingly requiring disclosures on risk.

The Smith Guidance to the LSE Combined Code clearly defines the role of management in the response to risks (paragraph 4.6):

The organisation’s management is responsible for the identification, assessment, management and monitoring of risk, for developing, operating and monitoring the system of internal control and for providing assurance to the board that it has done so.

Directors therefore need to ensure that these risk management processes are operating properly and gain assurance that they are effective.

2.2 What is RBIA as far as I’m concerned?

Risk based internal auditing (RBIA) is the methodology which the Internal Audit Department uses to provide assurance that risks are being managed to within the organisation’s risk appetite. In other words: the processes that manage risks to a level considered acceptable by the board are working effectively and efficiently.

For example, an important risk management process is a system of internal control that reduces risks to a level that the board considers acceptable, the ‘risk appetite’ of the organisation. The simplified diagram below shows the relationship between the risk appetite (dotted line), risks before they are controlled (inherent risks) and risks after they are controlled (residual risks).

2.3 What do I have to do?

In order for RBIA to be effective, directors need to ensure that the risk management framework includes the following:

• Directors and managers have identified and assessed the risks threatening their organisation’s objectives and have developed a system of internal control, or other suitable response, to reduce this threat to below the risk appetite, or report to the board where this is not possible.
• The inherent risks are recorded and assessed in some way that permits them to be ranked in order of threat.
• The board have approved a risk appetite for the organisation on such a basis that risks can be easily identified as being above, or below, the risk appetite.
• The responsibility for providing assurance on the risk management framework is defined. This will include defining the responsibilities of management, external audit, internal audit and any other functions that provide assurance, such as HR,

Fig: Consequence (vertical axis) plotted against Likelihood (horizontal axis). A control moves an inherent risk to its residual risk; the risk appetite line divides acceptable from unacceptable risk. RBIA provides assurance that these controls are operating effectively.

In most large organisations a suitable risk management framework will be in place, because they are affected by regulations which require the identification, assessment, management and monitoring of risks. Additional work may be required to ensure all significant risks have been identified and to record all risks and score these in order to prioritise them. None of these tasks is the responsibility of the internal audit department, although it could act as champion, and even project manager, for risk management, especially in the early stages of introduction.

Some boards may wish to define different risk appetites for different parts of their organisation (for example corporate HQ and overseas subsidiaries) or different processes (for example new product development and financial transactions).

While it is an ideal that every organisation will have identified its risks at every level, this book aims to be practical and recognises that this will not apply in all cases. So it offers alternative practical solutions, but always on the understanding that risks, and the associated internal controls, are management’s responsibility.

2.4 What’s in it for me – the pluses and minuses?

RBIA directs scarce internal audit resources at checking the responses to the risks that present a serious threat to an organisation and regulations are now requiring directors to ensure these risks are properly managed. RBIA thus provides directors with assurance that this is happening, or a warning that it isn’t.

However RBIA requires that the organisation has a complete, structured, prioritised list of inherent risks. This may list several hundred risks and, since risks are a management responsibility, will involve senior management resources to compile it. However, once compiled, such a list needs only to be kept up-to-date by periodic revisions and is required for other purposes, such as management decision-making.

One aim of RBIA is to check that the system of control is reducing risks to below the organisation’s risk appetite. The board should therefore have formally approved the risk appetite in the same terms as used for prioritising the risks (usually likelihood and consequence). This is a complex issue and boards may be reluctant to define the risk appetite in such exact terms.

One benefit of RBIA is that, not only should it highlight risks that are not properly controlled; it should highlight risks that are over-controlled and therefore consuming unnecessary resources.

Since RBIA involves assuring directors on the risk management processes over all risks, the audit plan may contain audits not carried out by auditors before, for example, covering risks affecting public relations, supply chain management and treasury. Internal audit’s responsibility is limited to ensuring managers have identified their risks and have responded appropriately to reduce them to below the risk appetite. If specialist knowledge is required to do this, it may be available from within the organisation, and suitably qualified staff could be seconded to internal audit, if they are independent of the area being audited. If such specialist knowledge has to be obtained outside, additional costs will be involved. In addition, there may be resistance from managers not used to audits of their areas of responsibility.

By concentrating on audits of inherent risks above the risk appetite, some audits previously considered important might disappear. These could include audits of small overseas subsidiaries, ‘petty cash’ and the Staff Social Club.

2.5 I’ve got some questions

It’s all very well you saying drop audits of petty cash, but if my local authority auditors don’t do these audits and there is even a small fraud, the council’s name appears in the local newspaper as wasting taxpayers’ money. How do you solve this?

It is unfortunate that a £500 fraud will attract more media attention than the failure of a £2m project to deliver all the expected benefits. Apart from the obvious answer of increasing the number of auditors in order to obtain assurance on the management of low risks, which is not usually an option, the responsibility of managers needs to be considered. Since they are responsible for developing, operating and monitoring the system of internal control, they are accountable for controlling accounting transactions - not internal audit. Thus, the controls which management use to monitor risks need to be considered. For example, do managers occasionally observe, without warning, the counting of cash floats, do they receive regular confirmation that the petty cash float has been counted by an independent member of staff? While this is additional work for managers, the cash floats are their responsibility, not those of internal audit. In addition, involvement by management emphasises to staff that controls are considered important.

My company is subject to US regulations. How does Sarbanes-Oxley fit in with risk based internal auditing?

The failure to comply with Sarbanes-Oxley is a risk like any other, which should be included in the risk register and audited accordingly. Sarbanes-Oxley doesn’t otherwise have any impact on internal auditing as a concept; the Institute of Internal Auditors is not rewriting any definitions as a result of the legislation. The main impact of Sarbanes-Oxley is to provide additional work for an internal audit department, which involves documenting and advising on internal financial controls. There is therefore the danger that it removes internal audit resource from providing assurance on the risk management framework, which is arguably the more important task.

How do I set a risk appetite?

Deciding on a risk appetite is a complex issue and this book is not intended to provide advice on risk management. However, a brief explanation is possible. For more details, the references in ‘Further reading’ should be checked; for example, the ‘Orange Book: Management of Risk - Principles and Concepts’, available on the H M Treasury website, is applicable to any organisation.

Although there are other business reasons for setting a risk appetite, the management of risk requires a level against which a risk can be compared to determine if it needs a response to reduce it. The system of controls which reduces risks to below this level can be considered as ‘operating effectively’.

A risk appetite can be defined by firstly defining the levels of consequence for an organisation. For example:

Consequence

Loss of cash flow    Less than    £5,001 -    £50,001 -    £1m - £5m    Over £5m
if risk occurs       £5,000       £50,000     £1m

Description          Immaterial   Small       Significant  Major        Catastrophic

These levels can also be set for a subsidiary, or other unit in a large organisation.

Risk appetite can then be defined as a combination of likelihood and consequence. For example, risks with a consequence score equal to, or greater than, 3 and a likelihood of ‘certain’ will not be tolerated, assuming they can be cost effectively controlled. There will probably be a need to set a higher risk appetite for new ventures, in order not to stifle opportunities.

It would be possible to set a risk appetite so high that few, if any, risks exceeded it. However, there will still be a need to comply with any regulations requiring ‘effective controls’. The risk appetite should therefore be set at a level below which all risks are considered ‘effectively controlled’.

3 Guidance for Heads of Internal Audit

3.1 Why should I read this?

Directors are expected to understand the risks their organisation is facing; managers are expected to identify, assess, monitor and report these risks; the Head of Internal Audit is expected to provide assurance that risk management processes are effective. Risk based internal auditing provides the means to do this.

3.2 What is RBIA as far as I’m concerned?

If RBIA is to provide assurance on those risk management processes which cover all significant risks threatening the objectives of the organisation, there are four elements which the Head of Internal Audit needs to consider:

1. The extent to which the board and management determine, assess, manage and monitor risks (the ‘risk maturity’ of the organisation).
2. The existence of a risk register (also known as a ‘risk profile’), which lists all significant risks, and the extent to which this may be relied upon for audit planning.
3. The compilation of an audit universe, which lists those audits aiming to provide assurance that all inherent risks above the risk appetite are being properly managed.
4. The conduct of individual audits, which conclude on whether inherent risks above the risk appetite are being controlled to reduce them to within the risk appetite.

These elements are described in

3.3 What’s the connection between internal audit and risk management?

Before detailing how the Head of Audit can implement RBIA, it’s important to consider the relationship between the quality of the risk management framework in an organisation (its ‘risk maturity’) and the approach to be used by the internal auditors. Consideration of this relationship also highlights the difference between ‘traditional’ internal audit and RBIA.

3.3.1 Responsibility for risk management

• The Smith and Turnbull Guidances clearly state that management is responsible for determining internal and external risks. There is no place for a separate ‘Internal Audit’ list of risks, or ‘off the shelf’ lists of risks. Risks should be identified by managers for their organisation. Lists of risks compiled by third parties should not be used other than to check, at the end of the identification exercise, if any risks have been missed.

• If Internal Audit does not consider management has identified all the significant risks, they should discuss the omissions with the management involved. If this does not resolve the issue, it should be reported to more senior management, and the audit committee, as appropriate.

• Internal Audit should never be involved in any risk management activities that might compromise their independence and objectivity. The IIA publication ‘The Role of Internal Audit in Enterprise-wide Risk Management’ has further information.

3.3.2 Response to risks

• Risks may be managed by responding as follows:

  • Tolerate - do nothing. This response is used where it is not possible to cost effectively reduce the risk. Where this applies it is important that the board formally accepts the risk. The need for contingency plans should be considered.
  • Transfer - pass the risk to another party, for example by insurance or contracting it out. Note that outsourcing does not necessarily transfer a risk; it may only change the person responsible for managing it. Insurance does not transfer all the risk, only some or most of the cost of impact.
  • Terminate - remove the circumstances giving rise to the risk.
  • Treat - implement a system of internal control to reduce the risk to below the risk appetite.

• Alternatively an organisation could respond by taking the opportunity. This is an option that applies to tolerate, transfer or treat and particularly applies to new ventures. Risk modelling techniques should be used to ensure that the value at risk is justified by the likely gain.

3.3.3 The changed audit approach

• The ‘traditional’ audit report usually consists of a confirmation that controls are operating properly (a term not often defined), and makes recommendations where they are not. The making of recommendations by internal auditors, which managers were expected to accept, could result in the assumption that internal audit were responsible for controls and, by

• However, the Turnbull Guidance (and guidance subsequently issued by other organisations) emphasised the reality: managers are responsible for developing the responses to risks and for deciding the action to be taken if risks are not properly controlled.

• The impact on the internal audit activity is to clarify its role:

  Internal Audit’s core role is to provide assurance to the management and board on the effectiveness of risk management.

  Where assurance cannot be given, the onus is on management to implement the appropriate response. Internal audit may still make recommendations, but this is part of a ‘consultancy’ role.

• Splitting the role of internal audit in this way has a major implication for the internal audit department:

  Within the context of RBIA, internal audit can only provide assurance where a risk management framework is in place: all other work is consultancy.

• In practice there has to be compromise, and this book provides practical advice. However, the clarification of the role does show the importance of the organisation’s risk maturity to the internal audit approach.

3.3.4 Assessing risks

• The assessment (evaluation/scoring) of risks is outside the scope of this book, but the results, and the way they are used, affect the audit approach (assurance or consultancy), which will be discussed in more detail when looking at audit planning.

• The usual method of scoring risks is to assign a level (e.g. high, medium, low), or a score (e.g. 1 to 5), to the consequence and likelihood of the risk. Where levels are assigned a numerical value, consequence and likelihood scores may be combined (for example, by multiplication, or by ranking on a grid) to provide an overall score. So, for example, the score of the highest risk would be 25 on this basis, when using a 1 to 5 scoring range.

An example grid is below. The organisation concerned has defined any risk scored at 5, or above, as above its risk appetite, although it considers any risk scoring 9 or above to be a key risk for which action must be taken to manage the risk (see 3.3.2).

Appendix A provides further advice on the scoring of risks, using a 1-5 scale.

• Both inherent and residual risks are scored. In a numerical scoring system the difference between these scores is known as the control score, the assessment of control effectiveness, or the control co-efficient. The higher the control score, the more important the control. Since risks now have a numerical value, they can be sorted to show the greatest inherent risks, the greatest residual risks, or those with the greatest control scores.

Fig.2 Grid showing the significance of risks

Likelihood of risk (rows) is plotted against consequence of risk (columns). Each cell shows the score (likelihood multiplied by consequence) and its rating. The risk appetite, as defined by the board, is a score of 5.

Likelihood \ Consequence   Insignificant (1)      Minor (2)              Moderate (3)           Major (4)              Catastrophic (5)
Almost certain (5)         5 Supplementary issue  10 Issue               15 Unacceptable        20 Unacceptable        25 Unacceptable
Probable (4)               4 Acceptable           8 Supplementary issue  12 Issue               16 Unacceptable        20 Unacceptable
Possible (3)               3 Acceptable           6 Supplementary issue  9 Issue                12 Issue               15 Unacceptable
Unlikely (2)               2 Acceptable           4 Acceptable           6 Supplementary issue  8 Supplementary issue  10 Issue
Rare (1)                   1 Acceptable           2 Acceptable           3 Acceptable           4 Acceptable           5 Issue

Key:
Unacceptable: Immediate action required to manage the risk
Issue: Action required to manage the risk
Supplementary issue: Action is advisable if resources are available
Acceptable: No action required

IR = Inherent Risk, RR = Residual Risk. The figure also plots an example inherent risk (IR) and its residual risk (RR), with the reduction between them labelled ‘Internal control’.


• In organisations with several operating units, such as overseas subsidiaries, risk consequence may be scored in relation to that unit’s value as well as in relation to the organisation as a whole. Thus a risk causing catastrophic failure of a small subsidiary may score a consequence of 5 in the subsidiary’s risk register, but only 3 in the corporate risk register.
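As an added illustration of the scoring described in this section and of the risk appetite question in 2.5 (example code written for this edition, not part of the book), the following Python encodes the 1-5 grid, the score bands, the control score, the sorting of a register and the audit conclusion on each risk. The threshold constants, the Risk class and the sample register are assumptions constructed here.

```python
"""Risk scoring on the 1-5 consequence x 1-5 likelihood grid of section 3.3.4.

Constructed example. The score bands follow the text (5 and above is over the
risk appetite, 9 and above is a key risk) and Fig. 2 (15 and above is
'Unacceptable').
"""
from dataclasses import dataclass

CONSEQUENCE = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Probable", 5: "Almost certain"}

RISK_APPETITE = 5   # scores at or above this are outside the board's risk appetite
KEY_RISK = 9        # scores at or above this require action (an 'Issue')
UNACCEPTABLE = 15   # scores at or above this require immediate action


def score(consequence: int, likelihood: int) -> int:
    """Overall score by multiplication, the combination method the text describes."""
    if consequence not in CONSEQUENCE or likelihood not in LIKELIHOOD:
        raise ValueError("consequence and likelihood must both be scored 1 to 5")
    return consequence * likelihood


def band(risk_score: int) -> str:
    """Rating of a score using the thresholds above. Fig. 2 rates one score-5
    cell as an Issue; this example applies the numeric thresholds uniformly."""
    if risk_score >= UNACCEPTABLE:
        return "Unacceptable"
    if risk_score >= KEY_RISK:
        return "Issue"
    if risk_score >= RISK_APPETITE:
        return "Supplementary issue"
    return "Acceptable"


@dataclass(frozen=True)
class Risk:
    """One line of a risk register: inherent and residual consequence/likelihood."""
    name: str
    inherent_consequence: int
    inherent_likelihood: int
    residual_consequence: int
    residual_likelihood: int

    def __post_init__(self):
        # Controls can only reduce a risk, so the residual must not exceed the inherent.
        if self.residual() > self.inherent():
            raise ValueError(f"{self.name}: residual score exceeds inherent score")

    def inherent(self) -> int:
        return score(self.inherent_consequence, self.inherent_likelihood)

    def residual(self) -> int:
        return score(self.residual_consequence, self.residual_likelihood)

    def control_score(self) -> int:
        """Inherent minus residual: the higher, the more important the controls."""
        return self.inherent() - self.residual()


def audit_universe(register: list[Risk]) -> list[Risk]:
    """Risks whose inherent score reaches the risk appetite: the risks an
    assurance audit must cover, greatest inherent risk first (element 3 of 3.2)."""
    above = [r for r in register if r.inherent() >= RISK_APPETITE]
    return sorted(above, key=Risk.inherent, reverse=True)


def assurance_conclusion(risk: Risk) -> str:
    """The conclusion an individual audit reaches on one risk (element 4 of 3.2)."""
    if risk.inherent() < RISK_APPETITE:
        return "within appetite: not audited for assurance"
    if risk.residual() < RISK_APPETITE:
        return "controls operating effectively"
    return "assurance cannot be given: management response required"


def ranked(register: list[Risk], by: str) -> list[Risk]:
    """Sort the register by 'inherent', 'residual' or 'control' score, highest first."""
    key = {"inherent": Risk.inherent, "residual": Risk.residual, "control": Risk.control_score}[by]
    return sorted(register, key=key, reverse=True)


# Constructed sample register (inherent and residual consequence/likelihood), not from the book.
SAMPLE_REGISTER = [
    Risk("Major project fails to deliver benefits", 4, 4, 4, 2),   # inherent 16, residual 8
    Risk("Petty cash float misappropriated", 1, 4, 1, 2),          # inherent 4, residual 2
    Risk("Loss of main data centre", 5, 2, 5, 1),                  # inherent 10, residual 5
    Risk("Sarbanes-Oxley reporting failure", 4, 3, 3, 1),          # inherent 12, residual 3
]

if __name__ == "__main__":
    for r in ranked(SAMPLE_REGISTER, "inherent"):
        print(f"{r.name:42} IR {r.inherent():2} ({band(r.inherent())}), "
              f"RR {r.residual():2} ({band(r.residual())}), "
              f"control score {r.control_score():2}: {assurance_conclusion(r)}")
```

Run as a script it lists the sample register by inherent score; the petty cash risk drops out of the audit universe, which is exactly the effect the question in 2.5 worries about.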

3.3.5 Management monitoring of controls

• The clarification that management are responsible for developing, operating and monitoring the system of internal control leads to the requirement for management to have processes in place which check that controls are operating properly. Such monitoring controls may include:

  • A monthly checklist of key controls, signed by the staff responsible, as evidence that important checks have been carried out.
  • Management approval of bank reconciliations to check for old, or unusual, items.
  • Management checks of outstanding debtor lists, to ensure credit controls are operating effectively.

• With RBIA, the emphasis on checking controls moves from ensuring key operating controls (such as authorisation of invoices) are effective, to checking that the management controls which report failures in key operating controls are effective. While checking that operating controls are effective is still important, there is a danger that management rely on internal audits to confirm their proper operation instead of instigating their own checks.

3.3.6 The RBIA stages

The implementation and ongoing operation of RBIA has three stages (see ‘An approach to implementing Risk Based Internal Auditing’):

1. Assess the risk maturity of the organisation.
2. Assign the risks to an audit that will examine their management. Set up the Risk and Audit Universe (RAU) and draw up a plan for carrying out audits, usually annual.
3. Carry out individual risk based audits and feed back the audit results into the RAU.

The diagram below shows the main tasks in these stages:

[Diagram: the three RBIA stages]
Stage 1 - Assess risk maturity. The assessed maturity ranges from Risk Naive, through Risk Aware, Risk Defined and Risk Managed, to Risk Enabled. Depending on the maturity assessed, the task is either to use the organisation’s own risks (Management’s Risk Register, if available) or to facilitate risk identification. Output: Audit Committee report.
Stage 2 - Assign risks to audits. Input: Management’s Risk Register (amended). Outputs: Audit universe, Risk and audit universe (RAU), Audit plan.
Stage 3 - Individual audit. Output: Audit report; the results are fed back into the RAU.
