George Williams, Director of Risk Advisory Services, BDO
In the wake of recent developments in the global arena revealing the devastating effects of the #wannacry cyberattack, which caused major business disruptions in 104 countries, businesses have been prompted to re-evaluate the state of their cyber readiness. One key learning from the attack was that the business world is constantly changing, which continually exposes organisations to risk. Fortunately, internal auditors can help companies to manage this risk.
But what exactly is the role of internal audit in Enterprise Risk Management?
Besides IT threats, other examples of risk include “ethical lapses”, poor decision-making, natural catastrophes like floods and tsunamis, socio-political shocks like Marikana, financial crises and many more.
Internal audit exists to educate companies about the possibility that an event may occur. But ultimately, it is the board and senior management who are responsible for risk management, and they need to develop various risk responses, processes and structures.
The internal audit function reviews systems of internal control, to decide whether the controls are adequate and effective.
Internal auditors can’t be responsible for risk management. The board and senior management are responsible for implementing a risk management process, which is a responsibility that cannot be abdicated or passed on. Viljoen and Barac directly address this issue in their paper “Managing risk: What should internal audit do?” in the Southern African Journal of Accountability and Auditing Research.
As they point out, an internal auditor has two types of roles: core roles, and legitimate roles.
Core roles relate to assurance activities. They provide assurance to the audit committee and the board as to whether their controls are working. Internal auditors also provide assurance on risk management and governance processes.
“The internal audit is about determining whether risks are correctly evaluated,” write Viljoen and Barac. It evaluates risk management processes, and the reporting of key risks.
They go on to say that internal audit’s legitimate roles relate to “consulting activities which could be performed by internal auditors, provided that the necessary safeguards to their independence are in place”.
Internal auditors can’t effectively fulfil both roles of referee and player. In their professional capacity, they can provide a consulting service on risk management, but can’t be the ones responsible for risk management. They can review the process of governance, but can’t get involved in governing or do the accounting. That has to be done by roping in a third party.
The internal auditor must not be responsible for management functions; this essentially means that they can’t sit on the board of directors or be shareholders of the company. If they do, this presents a self-review threat, and operating in this manner might undermine their independence. The simple rationale is that when placed in such a position, they’re less likely to overtly advise the board that something is not working if it might affect their own pocket.
The role of an internal audit service provider is to facilitate a process where the company identifies its risks and manages them.
Internal auditors can help identify and evaluate emerging risks — like when something such as #wannacry happens and threatens business operations. They can also coach management on how best to respond to risk and provide consulting reports to facilitate or improve risk-management processes.
They have the risk-management tools, so they can consolidate all the risks and report on them. But they cannot manage the company, or set the company’s risk appetite and implement the risk responses. Similarly, internal auditors cannot be accountable for risk-management processes.
In practice, internal auditors may draft a risk management policy and a framework, but the client will have to approve it.
In these uncertain times, management needs to take responsibility for risk management. Unprecedented threats can hit out of the blue — like #wannacry, a black swan. But while the ultimate responsibility rests with the board and the audit committee, internal audit consultants are there to advise, assist and facilitate.
There needs to be clarity on where the boundary is, how internal auditors can add value and where their responsibilities start and end. These are practical, legal and ethical questions.
Companies that are unclear about this delineation of roles, or suspect their internal auditors may have overstepped the boundaries, should seek counsel from external internal audit providers to gain greater assurance.
To ensure that your company’s internal auditors are managing risks and that their role definition is clear, it’s useful to perform a quality assurance review (QAR) of your internal audit function. This is a trusted process that several leading organisations have undertaken, and such reviews consistently prove worthwhile.
Indeed, the best way to really take responsibility for your company’s risk management is often to enlist the support of the consulting firms best equipped to do so.