Most articles written about internal audit and risk management focus on internal audit’s role in ensuring the effective management of risk within the first and second lines of defense. Little attention is given to managing risk within the third line itself.
Ask any Chief Audit Executive (CAE) for the Risk Register of his Internal Audit function and there is a fair chance he or she will show you the risks relating to the audit universe. That’s all good except for the fact that Internal Audit is not part of that universe. Management is expected to define a set of controls to ensure that the business operates as planned. Regular Control Self Assessments or similar techniques are implemented to monitor the ongoing effectiveness of these controls. In a nutshell, that’s what Internal Audit expects to see when auditing a business unit. But does Internal Audit live up to the same standards? Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity 1states that “the internal audit activity is not immune to risks. It needs to take the necessary steps to ensure that it is managing its own risks”. So where is the Risk Register for the Internal Audit Department, including gross risk assessments, controls and residual risks? Where are the regular Control Self Assessments for the Internal Audit department? Is there an established Risk Management process within the Internal Audit function? Typically such a process, like any risk management process, should include the following stages:
- Risk Identification: What are the risks Internal Audit is facing?
- Risk Assessment: How severe are those risks? Often assessed by applying an impact / likelihood matrix.
- Risk Mitigation: Accept, mitigate or transfer of risks depending on their severity.
- Risk Monitoring: Look out for new risks, changes to the risk assessment for existing risks and effectiveness of mitigation actions put in place.
Take the example of People Risk, a subset of Operational Risk. When asked about People Risk, CAEs might think of staffing, lack of skills etc. All those risks that might impact the timely execution of the audit plan. But that is only one side of People Risk. The other side is the risk the Internal Audit staff is facing or causing while performing their job. The following scenarios, most based on incidents that appeared in the news, help to raise the awareness for that type of People Risk.
An Internal Auditor is sent from the United States to audit a subsidiary in rural China. On the evening of his arrival, his appendix ruptures and he needs urgent medical treatment. Think of:
- Who will bring the auditor to the hospital and help with translation?
- Who will inform the company?
- Who will secure the personal belongings and the company assets (Laptop, Smartphone) from the hotel room?
- Who will authorize any payments if the hospital wants to see cash?
What do the Standards Say?
The Standards advise1 chief audit executives to address risks related to internal audit department and its objectives and specify 3 categories of risks:
- Audit Failure: This refers to the in ability or “failure” of the internal audit department to identify or make recommendations to prevent control failures. The question asked is usually “Where were the internal auditors?”. Reasons for Audit Failure include poor risk assessments, improperly designed audit procedures, auditors who are not skilled in the area they are auditing, etc.
- False Assurance: This occurs when the management believes that the internal auditors is covering a particular area or risk when in fact it is not. It is important to make sure that the risks being audited are clear and that internal audit’s involvement in projects is clearly defined.
- Reputation Risk: While chief audit executives worry about having a reputation of being a policeman, there can be far worse labels which result from various control failures in the organization, the quality of internal audit staff, the attitude of auditors, etc
Source: The IIA’s International Professional Practices Framework
Local laws and regulation
An Internal Auditor is sent from the Europe to audit a subsidiary in Singapore. While waiting for a taxi he spits out his chewing gum and is fined SGD 1000 (USD 800) by a nearby Police Officer. Think of:
- Do Internal Auditors travelling abroad receive briefings on local laws and regulations?
- Is there an agreement about who has to carry the costs for fines for misconduct that is not a criminal act in one’s home country?
A UK Internal Auditor is conducting an audit at an oil drilling site in Russia. While he is there, a fire breaks out. All emergency signs are in Cyrillic. Think of:
- Do Internal Auditors receive a briefing on local emergency procedures while working in a different location?
- Is there a general procedure how Internal Auditors should react in case of a disaster?
An audit team is investigating a suspicion of fraud at a branch. After returning from lunch they find a letter in their room telling them to leave immediately or they will be killed. Think of:
- Who needs to be informed within the company?
- Should the police be informed?
- Should the audit team be evacuated or stay on site and finish their investigation?
An Internal Auditor who is travelling a lot is fiddling with his expense claims. Think of:
- Internal Auditors are in a position of trusts. Are there ways how they could abuse this? Are there controls in place?
- Does Internal Audit receive the same level of scrutiny like other members of the workforce when submitting claims etc.?
“The internal audit department is not free from risks”
A German Internal Auditor attends an IIA Conference in the US. He takes his business laptop with him. During his last audit assignment in Germany he audited the HR function of his company including the payroll process. A lot of the payroll information is stored on his laptop. By taking the laptop to the US he is physically taking this information out of the European Union. That might be a violation of European Data Protection law and can lead to Reputational Risk. Think of:
- What information is stored on Laptops or Smartphones?
- How is that information protected?
- Are there any restrictions for moving the information to other countries?
The internal audit department faces more than just People Risk. The CAE needs to document and identify these risks and how to respond to them. Also, depending on the size of the department & complexity of operations, he could 1) provide a gross risk assessment, map existing controls to the identified risks and analyze root causes, and 2) put controls in place to bring risks within the stated Risk Appetite,, and 3) Implement ongoing Control Self Assessments to ensure control effectiveness.
Evaluating the effectiveness of risk management and first line of defense is an important part of Internal Audit’s work. But it is equally important that Internal Audit apply the same standards of Risk Management that it expects to see during an audit to itself. Every CAE should have a departmental Risk Register for the Internal Audit function that shows all risks Internal Audit is facing and the steps required to manage these risks.
- IIA Practice Advisory 2120-2: Managing the Risk of the Internal Audit Activity (April 2009)
CHRISTIAN THUROW, CFSA is a lead auditor at a major European bank based in the United Kingdom.