Unlocking Success: How Internal Audit Strengthens Risk Management for Strategic Goals

Internal Audit verifies and enhances Risk Management's role in achieving strategic objectives.

Introduction

Risk Management is an internal structure that drives the Strategic Objectives of the company it serves. The Risk Management function is therefore the custodian of the company's Strategic Objectives, and its functionaries must be part of the company's strategic planning process.

Internal audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. This definition encompasses several key components:

  • Systematic: Conducted in a methodical manner.
  • Independent: Performed by individuals not directly responsible for the activities being audited to ensure impartiality.
  • Documented: Recorded to provide a reliable basis for the audit's conclusions.
  • Audit Evidence: Includes records, statements of fact, or other information relevant to the audit criteria.
  • Objective Evaluation: An unbiased assessment to ascertain compliance with audit criteria.

These elements ensure that internal audits are thorough, impartial, and provide value in assessing and improving the effectiveness of management systems.

Internal Audit defined in terms of ISO 19011 and the IPPF

The purposes of internal audits according to ISO 19011:2018 and the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) are complementary, each providing a comprehensive approach to the internal audit process.

ISO 19011:2018

ISO 19011:2018 provides guidelines for auditing management systems, emphasizing the following purposes:

  • Systematic Evaluation: To provide a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled.
  • Compliance and Effectiveness: To assess the compliance of the management system with the specified standards, policies, and procedures, and to evaluate its effectiveness.
  • Improvement Opportunities: To identify opportunities for improvement in the management system, processes, and operations.
  • Risk Management: To support risk management by identifying potential risks and weaknesses within the management system.
  • Stakeholder Confidence: To enhance stakeholder confidence in the organization's ability to achieve its objectives and comply with regulatory requirements.
  • Audit Principles: To ensure audits are conducted based on fundamental principles such as integrity, fair presentation, due professional care, confidentiality, independence, and an evidence-based approach.

International Professional Practices Framework (IPPF) - Institute of Internal Auditors (IIA)

The IPPF provides a globally recognized framework for the internal audit profession, emphasizing the following purposes:

  • Assurance and Consulting: To provide independent assurance and consulting services designed to add value and improve an organization's operations.
  • Governance, Risk Management, and Control: To assist the organization in achieving its objectives by evaluating and improving the effectiveness of risk management, control, and governance processes.
  • Objective Assurance: To provide objective assurance on the effectiveness of internal controls and risk management practices.
  • Advisory Services: To offer advisory services that help management enhance processes and controls, ensuring alignment with organizational goals and strategies.
  • Continuous Improvement: To promote continuous improvement by identifying and recommending enhancements to the organization's processes and controls.
  • Compliance and Integrity: To ensure compliance with laws, regulations, and internal policies, and to uphold integrity and ethical standards within the organization.
  • Stakeholder Communication: To communicate findings and recommendations effectively to stakeholders, facilitating informed decision-making and accountability.

In summary, while ISO 19011:2018 focuses on providing guidelines for conducting management system audits with a strong emphasis on compliance, effectiveness, and continual improvement, the IPPF of the IIA provides a broader framework for internal auditing, encompassing assurance, consulting, governance, risk management, and control processes.

Both frameworks aim to enhance organizational performance, stakeholder confidence, and continuous improvement through systematic and objective evaluation.

Risk-Based Auditing

Risk-based audits are a crucial methodology in internal auditing, focusing on identifying and evaluating risks that could hinder an organization from achieving its objectives. This approach is emphasized in both the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) and ISO 19011:2018.

IPPF - Institute of Internal Auditors (IIA)

In the context of the IPPF, risk-based auditing is defined as:

Risk-Based Auditing (RBA): A methodology that aligns the internal audit activities with the organization's risk management framework. It involves the following key elements:

  • Risk Identification and Assessment: Internal auditors identify and assess the risks that could impact the organization's ability to achieve its objectives. This involves understanding the organization’s risk appetite and risk management processes.
  • Audit Planning and Prioritization: Audits are planned and prioritized based on the level of risk associated with various areas and processes. High-risk areas receive more audit attention and resources.
  • Resource Allocation: Allocating audit resources effectively to areas with the highest risk exposure to ensure that significant risks are adequately addressed.
  • Continuous Monitoring: Ongoing assessment and adjustment of the audit plan based on changes in the organization's risk profile and emerging risks.
  • Audit Execution: Conducting audits with a focus on evaluating the effectiveness of risk management processes and controls. This includes testing the design and operational effectiveness of controls.
  • Reporting and Recommendations: Providing insights and recommendations to management on how to improve risk management and control processes.

ISO 19011:2018

ISO 19011:2018 emphasizes a risk-based approach to auditing management systems. Key aspects include:

  • Audit Planning Based on Risk: The audit program should be planned based on the significance of the processes and areas to be audited, considering their risk and opportunity.
  • Prioritization of Audits: Prioritizing audits of high-risk areas to ensure that the most significant risks are addressed first. This involves understanding the context of the organization, its risk appetite, and the impact of potential risks on its objectives.
  • Resource Allocation: Ensuring that audit resources are focused on areas with the highest risk exposure. This allows for more effective and efficient use of audit resources.
  • Dynamic and Flexible Auditing: Being responsive to changes in the organization’s risk profile and adjusting the audit approach accordingly. This requires continuous monitoring and assessment of risks.
  • Objective Evaluation: Assessing the effectiveness of risk management processes and controls in mitigating identified risks. This involves gathering and evaluating audit evidence objectively to determine compliance with audit criteria.

Conclusion

In both IPPF and ISO 19011:2018, risk-based auditing is characterized by:

  • Focus on Risk: Centralizing audit activities around the organization’s risk profile.
  • Prioritization: High-risk areas receive more attention and resources.
  • Dynamic Planning: Adapting audit plans based on evolving risks.
  • Effective Resource Use: Allocating resources to areas with significant risk exposure.
  • Objective Evaluation: Assessing and improving the effectiveness of risk management and control processes.

By adopting a risk-based approach, internal audits can more effectively identify potential issues, provide valuable insights, and enhance the organization's risk management capabilities. Risk Management results that are verifiable, repeatable and validated are the point of departure for any audit program. The results of Internal Audit's independent assessments of the Internal Controls provide an independent judgement that the leadership can trust.
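The planning side of risk-based auditing described above (rank by risk, give high-risk areas more attention, re-plan when the risk profile changes) can be made verifiable and repeatable by computing the plan from the risk register rather than by judgement alone. The following is an added example, not code from the original article nor from ISO 19011 or the IPPF; the 1-5 likelihood/impact scale, the control-effectiveness factor, the register entries, the risk appetite threshold and the hour-allocation rule are all constructed assumptions for illustration.

```python
"""Risk-based audit plan: rank an audit universe by residual risk, allocate
audit hours in proportion to exposure, and re-plan when the register changes.
Added example with constructed data; scales and thresholds are assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register (assumed layout, not a standard's format)."""
    area: str
    likelihood: int                # 1 (rare) .. 5 (almost certain)
    impact: int                    # 1 (negligible) .. 5 (severe)
    control_effectiveness: float   # 0.0 = no mitigation, 1.0 = fully mitigated

    def inherent(self) -> int:
        """Risk before controls: likelihood x impact."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk remaining after controls; rounded so reruns and reviewers agree."""
        return round(self.inherent() * (1.0 - self.control_effectiveness), 2)


def rank_audit_universe(register: List[RiskEntry]) -> List[RiskEntry]:
    """Highest residual risk first; ties broken by inherent risk, then by name,
    so the ordering is deterministic for a given register."""
    return sorted(register, key=lambda r: (-r.residual(), -r.inherent(), r.area))


def allocate_audit_hours(ranked: List[RiskEntry], total_hours: int,
                         appetite: float) -> Dict[str, int]:
    """Share the audit budget among areas whose residual risk exceeds the
    appetite, proportional to residual risk. Areas within appetite receive no
    hours this cycle (they stay under monitoring). Whole hours are floored and
    the rounding remainder goes to the highest-ranked areas, one hour each."""
    in_scope = [r for r in ranked if r.residual() > appetite]
    weight = sum(r.residual() for r in in_scope)
    if weight == 0:
        return {}
    hours = {r.area: int(total_hours * r.residual() / weight) for r in in_scope}
    remainder = total_hours - sum(hours.values())
    for r in in_scope[:remainder]:
        hours[r.area] += 1
    return hours


def replan(register: List[RiskEntry], updated: RiskEntry, total_hours: int,
           appetite: float) -> Dict[str, int]:
    """Dynamic planning: replace one register entry (e.g. a control found to be
    ineffective) and rebuild the whole plan from the updated register."""
    new_register = [updated if r.area == updated.area else r for r in register]
    return allocate_audit_hours(rank_audit_universe(new_register), total_hours, appetite)


# Constructed sample register (not real data).
REGISTER = [
    RiskEntry("Payroll", 3, 4, 0.5),               # inherent 12, residual 6.0
    RiskEntry("Supplier onboarding", 4, 5, 0.25),  # inherent 20, residual 15.0
    RiskEntry("Backup and restore", 2, 5, 0.8),    # inherent 10, residual 2.0
    RiskEntry("Privileged access", 4, 4, 0.4),     # inherent 16, residual 9.6
    RiskEntry("Office facilities", 1, 2, 0.0),     # inherent 2,  residual 2.0
]
RISK_APPETITE = 4.0   # assumed threshold: residual risk above this is in scope
AUDIT_HOURS = 100     # assumed annual audit budget


if __name__ == "__main__":
    ranked = rank_audit_universe(REGISTER)
    for r in ranked:
        print(f"{r.area:20s} inherent={r.inherent():2d} residual={r.residual():5.1f}")
    print("Plan:", allocate_audit_hours(ranked, AUDIT_HOURS, RISK_APPETITE))
    # A backup control is later assessed as ineffective: residual rises to 10.0.
    degraded = RiskEntry("Backup and restore", 2, 5, 0.0)
    print("Re-plan:", replan(REGISTER, degraded, AUDIT_HOURS, RISK_APPETITE))
```

Because the plan is a pure function of the register, two auditors working from the same register reach the same prioritization, and a change in the plan can always be traced back to a specific change in a register entry, which is what makes the risk management results verifiable and repeatable as a basis for the audit program.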

These articles are steadily proceeding through the structure of a Risk Register and how to optimise the risk management process as a trusted process within the Strategic Management ecosystem of any company.