Draft position statement on risk based internal auditing
Comments from ACCA
May 2003
The Association of Chartered Certified Accountants (ACCA) is pleased to have this opportunity to comment on the Institute of Internal Auditors' draft Position Statement on Risk Based Internal Auditing. These comments have been prepared in consultation with members of ACCA's Internal Audit Sub-Committee, a group of experienced accountants working in internal audit.
As the introduction to the draft position statement suggests, risk based internal auditing is a "much misunderstood term". In the light of this observation, we do not feel that the draft position statement provides adequate detail to overcome such misunderstandings and to provide internal auditors with practical advice on this approach to internal audit. We acknowledge that the draft position statement indicates that more detailed practical guidance will be issued at a later date. We believe, however, that a more rigorous discussion of the approach and a more detailed outline of risk based internal auditing could usefully have been included within the draft position statement.
ACCA welcomes the recommendation that internal auditors should adopt a risk-based approach which is compatible with the level of sophistication of the risk management approach adopted by their organisation. As a result, there are a spectrum of approaches which could be adopted depending on the extent to which internal audit is able to rely on the risk management processes across the organisation.
We do not consider, however, that the draft position statement adequately describes and distinguishes the following two objectives of risk based internal auditing:
- providing independent assurance on management's risk management process, and
- forming an opinion on the extent to which sound controls have been implemented and maintained to mitigate those significant risks which management have agreed to treat.
In addition, we believe that the draft position statement overextends the scope of internal audit. Risk management is the structured identification and assessment, by managers, of the risks they face in achieving their objectives. This should be followed by managers making decisions on the appropriate action to be taken in response to each significant risk which has been identified. The nature of these responses can be classified as follows:
- treat
- terminate
- transfer, or
- tolerate.
Internal audit's expertise is in the treatment of risks, specifically in the appropriate internal controls and governance processes which could be used to mitigate such risks. Internal audit may advise management on many aspects of risk, but it is not within internal audit's professional competence to decide whether, for example:
- particularly high risk aspects of the organisation's activities should be terminated
- risks should be transferred to another organisation, typically through taking out suitable insurance cover, or
- the organisation should tolerate particular risks to which it considers it inappropriate to respond in any other manner.
The draft position statement should clearly indicate the above limitations to the professional competence of internal audit and should also emphasise that its particular skill is in identifying and assessing suitable internal controls which should effectively mitigate the risks which managers have determined should be treated.
The draft position statement should also emphasise that internal audit's assessment of risk management is limited to an evaluation of whether a rigorous approach has been adopted and implemented, as planned, across the organisation. This assessment should not include judgements on managers' prioritisation of risk or the suitability of the responses which have been agreed (except for the soundness or otherwise with which appropriate internal controls have been implemented).
We consider that the flowchart in the draft position statement is ambiguous. It could be understood to recommend that if the organisation has an adequate system of risk management then no further internal audit work is required except to facilitate improvement. In fact, as with a 'No' answer, internal audit should still select areas for review and confirm that appropriate internal controls and governance processes have been introduced.
In the 'Points of information' box:
- the first bullet point unnecessarily restricts the scope of internal audit to 'business risks'; the scope of risk-based internal auditing should include all significant risks which the organisation faces
- the second sub-bullet point of the third bullet point should refer to individual departments or operational units rather than 'firms', and
- the penultimate bullet point largely refers to consultancy work undertaken by internal audit. Where an organisation does not have an adequate risk management process this should be reported by internal audit, and it may be that internal audit can then undertake consultancy work to develop such a process in conjunction with the organisation's management.
We consider that the phrase "auditing the control environment" (in the third bullet point of the points of information section of the draft position statement, on page four) could be misconstrued. It is not clear whether this refers to the control environment:
- as one of the five components of internal control which were defined in the COSO report (Internal Control - Integrated Framework, 1994), or
- as the whole system of internal control of an organisation.
In the section headed 'Risk management continuum', a clear distinction should be made between an organisation's view of risk, its risk appetite, and the maturity of its risk management system. An organisation may have well developed risk management processes, but have a high toleration level for the risks it faces.
In the 'Glossary of terms', the definition of risk should also mention the chance of something not happening which would have a positive impact on the organisation's objectives.