Definition of Risk Based Auditing
August 2002
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the Definition of Risk Based Auditing (the Definition) currently being developed by the IIA's Professional Issues Committee. These comments have been prepared in consultation with members of ACCA's Internal Audit Sub-Committee, a group of experienced accountants working in internal audit.
ACCA believes that the Definition requires further development before it can provide a useful, practical definition of risk based internal auditing. Risk based internal auditing involves two related activities, these being:
- as the Definition indicates, providing independent assurance on the management of risks
- forming an opinion on the extent to which sound controls have been implemented and maintained to mitigate those significant risks which management have agreed to treat.
We believe, however, that internal auditors should be careful not to overextend their scope. While internal auditors are considered experts in internal control, risk management as a whole is the responsibility of management in general. This should be clarified within the Definition.
Risk management is the structured identification and assessment of risks followed by decisions on the appropriate action to be taken in response to each significant risk which has been identified. The nature of the response can be classed as one of the following:
- treat
- terminate
- transfer
- tolerate.
Internal audit's expertise is in the treatment of risks, specifically in the appropriate internal controls and governance processes which could be used to mitigate such risks. Internal audit may advise management on many aspects of risk, but it is not within internal audit's professional competence to decide whether:
- particularly high risk aspects of the organisation's activities should be terminated
- risks should be transferred to another organisation, typically through taking out suitable insurance cover
- the organisation should tolerate particular risks to which it considers it inappropriate to respond in any other manner.
The Definition should clearly indicate the above limitations to the professional competence of internal audit and should also emphasise that its particular skill is in identifying and assessing suitable internal controls which should effectively mitigate the risks which managers have determined should be treated.
The Definition should also emphasise that internal audit's assessment of risk management is limited to an evaluation of whether a rigorous approach has been adopted and implemented, as planned, across the organisation. This assessment should not include judgements on managers' prioritisation of risk or the suitability of the responses which have been agreed (except for the soundness or otherwise with which appropriate internal controls have been implemented).
Internal auditors are increasingly required to provide an annual assurance on the system of internal control which feeds into an organisation's Statement of Internal Control. Any audit approach needs to be capable of covering the entire system of internal control in order to provide this opinion.
Finally, we believe that risk based auditing does not start with risks. Risks do not exist independently; circumstances only constitute a risk if they threaten the achievement of an organisation's objectives. Thus the starting point for risk based internal audit is the organisation's objectives.
We hope that you find these comments helpful in developing further guidance on risk based auditing. Please do not hesitate to contact me if you wish to discuss our comments. Our Internal Audit Sub-committee would be happy to comment on future output from your research project into best practices in risk based auditing.