Risk responsibilities: By engaging in several key activities, internal auditors can play a valuable role in the organization's risk management efforts.

MOST INTERNAL AUDITORS would likely insist that the responsibility for managing risk lies with organizational management. After all, risk management comprises a process by which managers take stock of the risks to which their business units are exposed and devise controls to reduce the likelihood that those risks will occur. If the audit function is to gain credibility and add value, however, it has a significant role to play in the risk management process as well. This role must be defined clearly so that internal audit deliverables align appropriately with management expectations. The auditor's role in risk management should involve three key activities: assessing the organization's risk management process, using the risk assessment to develop an audit plan, and expressing an overall opinion regarding the quality of controls designed to mitigate risk. Each activity is integral to effective risk-based audit processes and represents an essential component of achieving overall audit success.
ASSESS THE RISK MANAGEMENT PROCESS

Internal auditors should begin their assessment work by determining whether a risk management process is in place. The absence of a formal process does not necessarily mean that organizational risks are unmanaged. For example, individual managers may consciously manage day-to-day risks via insurance policies and exchange rate fluctuation management. However, internal auditing should promote a formal process appropriate for the organization's culture, size, complexity, management style, and business objectives. A formal process entails documenting and prioritizing the organization's risks as well as the controls devised to mitigate them, and periodically providing senior management with an overall picture of the organization's risk.

If a risk management process does exist, internal auditors should assess its adequacy and effectiveness by:

* Determining whether risks arising from business strategies and activities are identified and prioritized.
* Ascertaining whether management and the audit committee have determined the level of acceptable risk.
* Ensuring there is a process by which controls are designed to reduce or manage risks to the levels deemed acceptable by management and the audit committee.
* Periodically monitoring and reassessing the organization's risk and the effectiveness of the controls that manage it.
* Ensuring that managers responsible for risk management periodically provide the audit committee with reports on the results of the risk management process.

In organizations that lack formal, institutionwide risk management processes, risk mitigation mechanisms are likely to be in place to cover specific activities and operations. In such cases, internal auditors should assess the adequacy and effectiveness of the individual risk management processes that may be in place at various organizational levels.

DEVELOP A RISK-BASED PLAN

Once the adequacy of the risk management process is confirmed, the chief audit executive should use the risk assessment as the primary source for identifying areas meriting inclusion in the annual audit plan. Internal auditors should also use the risk assessment as the starting point for identifying the business units responsible for managing the risks and for assessing whether any significant risks have been omitted. The internal auditors must then obtain relevant, reliable, and sufficient audit evidence regarding the adequacy of existing controls designed to mitigate identified risks.

REPORT AN OVERALL OPINION

According to The IIA's International Standards for the Professional Practice of Internal Auditing, the internal audit function must communicate its overall judgment about the adequacy and effectiveness of the risk management and control processes to senior management and the audit committee. If the scope of the proposed audit plan is insufficient to enable an expression of assurance, internal auditing should inform senior management and the audit committee.
In their annual reports, many internal audit functions simply provide a synopsis of the audits performed throughout the year and the conclusions reached on each audit. However, this type of "piecemeal opinion" does not tell management what it really wants to know: whether the system of internal control is truly effective. Therefore, there may be an expectation gap between what management expects of the audit function and internal auditing's own practical limitations in providing an overall opinion. To reduce this expectation gap, internal auditing should promote a coordinated process of risk oversight to provide feedback to the audit committee on the quality of systems for risk management, as well as financial and operating control. As permanent in-house adviser, internal auditing should provide the audit committee with the link between the narrower work and opinions of the external auditors and the wider feedback on the overall quality of the entity's corporate governance, risk management, and internal controls. Internal auditing must then communicate with the audit committee and assist it in ensuring that it is receiving a coherent opinion with no overlaps or omissions in assurance.

If internal auditing is not in a position to opine on the effectiveness of internal controls, it should say so. However, it should agree up front on the type of assurance statement that can be expected, thereby reducing the expectation gap and avoiding leaving management with a false sense of security. An internal audit charter, approved by the audit committee, should include a definition of the scope and type of opinion to be provided. Additionally, internal auditing should address the following constantly evolving points with the audit committee in the context of the internal audit work plan:

* A definition of internal control. An internal control framework, such as The Committee of Sponsoring Organizations of the Treadway Commission's, should be adopted. The framework should define criteria for internal control, determine what level of control is satisfactory, and establish an acceptable risk level.
* The scope of internal control components. The audit committee should agree on the control objectives to be included (i.e., financial only, or financial, strategic, operational, and compliance), the parts of the organization to be included, the time period to be covered, and whether the internal control system as a whole should be evaluated, in addition to specific internal controls over transactions.
* The scope of the opinion to be provided. If the opinion cannot be broad enough to represent the organization as a whole, it should be focused on, and expressed for, a defined number of key risks, processes, or business units.
* Positive or negative phrasing of the opinion. "Nothing came to our attention" is a negative opinion, which accepts no responsibility for the adequacy of the scope or the level of effort expended to find concerns. A positive opinion, which requires more audit evidence, asserts that the scope and level of work were adequate to find what should be found.

An internal auditor's overall opinion on the adequacy and effectiveness of risk management and control processes in an organization should be attuned to the corporate governance environment in which the organization operates, the scope of internal audit work undertaken, and the expectations of stakeholders.
Providing an overall opinion often proves to be a delicate task for internal auditors, who can find themselves walking a tightrope between a prudent sense of restraint and a legitimate desire to commit themselves to providing a valuable opinion. This balancing act is one of the major challenges of professional life for internal auditors.

A VALUABLE ROLE

The audit function is poised to be a vital player in the organization's overall risk management efforts. After all, The IIA's very definition of internal auditing includes the term risk management; it states that one of the auditor's responsibilities is to evaluate and improve the effectiveness of risk management processes. Although management must clearly take front-line responsibility for risk management, the value of internal auditing's contribution lies in its ability to coordinate with external auditors and provide assurance to the audit committee regarding the state of the internal controls designed to reduce or manage the organization's risk. At the end of the day, the scope of audit work and the form of opinion acceptable to management and the audit committee are their choice. Internal auditing can be said to be doing its job if it provides information consistent with the previously agreed-upon conditions, whatever those may be.

PETER STOKHOF, CIA, CA, is deputy auditor-general at the Organisation for Economic Co-operation and Development in Paris. To comment on this article, e-mail the author at peter.stokhof@theiia.org. To submit a "Back to Basics" article for consideration, or to request coverage of an introductory-level internal audit topic, e-mail David O'Regan.
EDITED BY DAVID O'REGAN