
Establishing a Risk Management Framework before designing the Internal Audit Plan
Risk Management and Internal Audit are two different disciplines in an organisation, and they are often confused or used interchangeably. However, the two disciplines serve different purposes.

It is common to say that Internal Audit benefits Risk Management, as it improves the effectiveness of Risk Management by assessing risks and promoting good risk management practices through the improvement of the system of internal control. Looking at it the other way around raises the question of how Risk Management, or at the very least having a Risk Management Framework (RMF), impacts or influences the practice of Internal Audit.

There are two points that are worth mentioning in this article:

1) The Risk Management Framework (RMF) integrates the audit activities with the business as a whole.

The Risk Management Framework (RMF) starts by looking into the internal and external environment to identify risks and threats to an organisation, followed by analysing, minimising and monitoring those risks. When an organisation has a risk management framework, it gives auditors a helicopter view of the risks the organisation is facing, its risk appetite and its residual risk. In technical terms, the methodology that links the practice of internal audit to risk management, as defined by the Institute of Internal Audit, is Risk Based Internal Audit (RBIA). In RBIA, Internal Auditors assess the organisation's management of risk, and the controls over each identified risk, in relation to its risk appetite.

But how does RBIA change the Internal Audit practice? In conducting RBIA, Internal Auditors take into consideration the risk impact of a specific project or process on the organisation, enabling them to identify where controls are not in place even though significant risk is present.

An Example: A Mining Company

Consider a silver and lead mining company that is in the final stages of diversifying into a copper mine in a new territory. What threats would this imply for its rights, operations, resources, social and environmental responsibility, global prices, and so on? If a Risk Management Framework is established before the internal audit plan, Internal Auditors would most likely treat the diversification as a priority in their next audit engagement, rather than following the initial audit plan of auditing units periodically or at a frequency based on the previous routine. A new business in a new territory poses a high risk for a mining company.

2) A Risk Management Framework positively affects audit effectiveness and efficiency, as it looks into the processes with the greatest impact on the organisation.

Having a risk management framework before an internal audit plan could give the audit a landslide effect. Auditors who are used to following an audit plan based on a mortar-and-pestle decision-making framework may neglect to look into the processes with the greatest impact on the organisation. For auditors, materiality is important, but what is material may not always be what carries the greatest risk. Similarly, a transaction that is material under a conservative view may not be material once internal and external threats are considered from a higher point of view.

A risk management framework can lead to this landslide effect for internal auditors because it targets the projects, business units or business processes with the greatest impact. This may lead to detecting potential threats and control gaps at a larger scale, and along the way smaller gaps and processes get addressed too, which improves Internal Audit effectiveness and efficiency. The practice of internal audit will therefore be viewed as more effective, since its value-added contribution to the organisation is more visible, and its efficiency will be at its peak as it targets the business processes with the greatest impact.

Nonetheless, establishing a risk management framework in house may not be cost effective for smaller organisations, and small to medium organisations should carry out a cost-benefit analysis first. Hiring consultants to design the framework may be the way to go here. If an organisation decides to have a risk management framework before the internal audit plan, auditors should be made aware of the business developments and decisions the organisation is about to make, be kept up to date on current significant events, and be agile and flexible; risk usually arises when there is change. Lastly, this requires constant communication between Risk Management and Internal Audit, and between key decision makers and Internal Audit.
