Risk is a fundamental aspect of the internal audit profession. It determines annual audit plans, the size of internal audit departments, and the role internal audit plays with respect to major risk categories.
As part of its ongoing research, the Institute of Internal Auditors (IIA) has recently released three global reports relating to risk and internal audit. The reports cover the role of internal audit in risk management, responding to fraud risk, and combined assurance. The 3 research reports are:
1. Who owns risk? A look at internal audit’s changing role
2. Responding to fraud risk: Exploring where internal auditing stands
3. Combined assurance: One language, one voice, one view
These risk-focused reports are part of the IIA’s 2015 Global Internal Audit Practitioner Survey. The survey was completed by more than 14,500 internal auditors in 166 countries around the world, including more than 350 internal auditors from the UAE Internal Auditors Association (UAE-IAA).
This article shares highlights of the three research reports from both a global and UAE point of view.
The role of internal audit in risk management
The first report covers risk management trends and internal audit’s responsibilities. The results show that the majority of companies in the UAE had some components of risk management in place; however, only 38 percent of UAE auditors surveyed said they had formal risk management in place, compared to 53 percent globally. The majority of those with formal risk management were from financial institutions or companies with $1 billion or more in revenue.
It is also interesting to learn that when formal risk management is available at a company, internal auditors in the UAE are providing assurance on risk management as a whole. This is a very advanced concept where the UAE seems to be doing well.
Another issue that has been discussed globally for several years is whether internal audit and risk management should be merged into one department. The views continue to vary depending on region and industry. In the UAE, internal audit and risk management are separate functions in 71 percent of cases (80 percent globally). Meanwhile, in 29 percent of cases (20 percent globally), internal audit is responsible for facilitating risk management. In many cases, it is more efficient to have internal audit facilitate risk management in the non-financial services sector and in particular at privately held companies. A properly executed risk assessment by internal audit can be used to build the foundation of a fit-for-purpose risk management process. However, in the financial services sector, risk management is much more complex, and regulation also impacts the way risks are monitored and managed in this sector.
Selected recommendations on the role of internal audit in risk management:
- Regardless of industry, internal audit should advocate the establishment of formal risk management processes.
- Internal auditors should strive to give management assurance on risk management as a whole and not just on individual risks.
- Make sure that the role of internal audit as it relates to risk management is clear to all key stakeholders.
Responding to fraud risk
The second research report covers fraud risk and how it impacts the internal audit profession. Not surprisingly, globally and in the UAE, around 80 percent of internal auditors have some or more responsibility for fraud detection and prevention, and 55 percent of respondents in the UAE said they are “advanced” or “expert” when it comes to supporting fraud risk awareness. Oddly, research showed that around a fifth of internal auditors in the UAE believed they had no responsibility for either fraud detection or prevention. This approach does not make sense, as internal auditors cannot wash their hands of fraud detection responsibilities. The IIA’s standards require internal audit to assess the potential for fraud before any audit as well as how well the organisation is managing fraud risk. Furthermore, when it comes to detection, both internal audit and line management have a shared responsibility to ensure that anti-fraud controls are in place and are working properly.
Furthermore, survey respondents stated that fraud risk was not one of the top five risks that internal audit or executive management were focusing on, either globally or in the UAE. This is not unexpected, as strategic and operational risks take up more of a company’s focus. Similarly, only 30 percent of chief audit executives in the UAE believe that focus on fraud risk will increase in the near future. While the results are not surprising when things are normal, it is when major fraud occurs that both internal audit and executive management redirect their focus to the fraud incident.
Selected recommendations on responding to fraud risk:
- Internal auditors should use their skills to educate management on fraud risk and build awareness across the organisation.
- Be proactive in addressing fraud risk by carrying out fraud risk assessments and increasing the frequency of audits in high fraud risk processes.
- Learn from previous fraud incidents. Make sure the circumstances which led to the fraud are documented, as well as how it was discovered. Use these lessons to improve the effectiveness of internal controls across the organisation.
The third research report covers the relatively new concept of combined assurance. Combined assurance involves integrating and aligning assurance processes at a company so that management and the board get an overall and consistent overview of governance, risk and controls at the company. Such an approach is essential for the board or board committee in order for them to exercise appropriate risk oversight based on unified assurance reporting.
The concept of combined assurance takes place at 3 levels:
1) Management: Responsible for risk management and internal control and the timely identification and remediation of control deficiencies.
2) Internal assurance providers: Their role is to support management in their risk and control efforts and include functions such as risk management, compliance and internal audit.
3) External assurance providers: Include the external financial auditor and/or regulators who carry out audits or assessments at the company and report results to management and the board.
When we look at the research results, we see that only 22 percent of companies have adopted a combined assurance model in the UAE as compared to 40 percent globally. Further, almost 1/3 of internal auditors in the UAE are not even familiar with the concept of combined assurance. Clearly, the knowledge and implementation of combined assurance is not widespread globally or in the UAE. However, once implemented, combined assurance provides a common view of risks and issues across a company.
The research and corresponding recommendations clearly show that internal audit faces several challenges when it comes to the important topic of risk and, consequently, the evolution of internal audit’s role. Risk is the foundation of modern internal auditing around the world and in the UAE. Internal auditors need to continue to provide assurance around not just individual risks but risk managed as a whole. They also need to make sure that fraud risk is adequately addressed by management and that the role of internal audit is clearly defined. Finally, although the implementation of combined assurance remains relatively low, this is an area that internal auditors will address over the coming years.
Despite these challenges, internal auditors will continue to work hard to meet the new mission of internal audit by adapting themselves to the times in order “to enhance and protect organisational value”.