Role of Internal Auditors in Risk Management

Enterprise risk management is a structured process that organizations use to identify and manage uncertain future events, whether opportunities or threats, that could affect the achievement of their objectives.

The internal auditor of any organization should be able to assess both financial and operational risk, because both kinds of risk can lead to material misstatement of the organization's financial statements. Since the internal auditor is concerned with detecting financial misstatement, he or she must understand what causes it. Internal auditors should not, however, make risk management decisions: most auditors currently receive training only in finance, so risks that are not financial may be given inadequate consideration (Beasley 8). Internal auditors also should not sit on the risk management decision-making team, because doing so would compromise their independence when they later audit those same decisions.

According to COSO, risks must be assessed before a response is chosen. Risk assessment is the process of identifying and analysing the risks that could affect the organization's objectives (Moeller 119). It involves estimating the likelihood that an event will occur and the impact it would have on business objectives. Only after risk assessment does the organization respond. Risk response is the way in which the risks identified in the previous stage are managed (Moeller 124). The methods of managing risk include:

  • Mitigating the risk: reducing the likelihood of its occurrence, or its impact, to a level the business is willing to accept.
  • Transferring (sharing) the risk to another party, for example by taking out insurance cover or by contract.
  • Avoiding the business activities that would give rise to the risk.
  • Accepting the risk: taking no action where the risk already falls within the organization's appetite. (COSO lists acceptance alongside the three responses above.)

The internal auditor's main role in risk assessment and response is to facilitate the identification and evaluation of risk and to train management on how to manage it (Beasley 8). They carry out the assessment in three main steps:

  1. Defining the problem. This is done by answering a set of questions, including who the stakeholders are and who is responsible for the risk. Every identified risk must be tied to a named risk owner; a risk without an owner will not be managed.
  2. Analysing the risk. In this step the likelihood that the risk will occur is estimated, since some risks are far more likely than others, and the size of the impact the risk would have on the business is evaluated. The two main methods of analysis are quantitative analysis (likelihood and impact expressed as numbers, typically from loss data) and qualitative analysis (likelihood and impact rated on ordinal scales such as low, medium and high).
  3. Developing alternatives. This involves defining ways of treating each identified risk so that it does not prevent the organization from meeting its goals.

After risks have been identified, the order in which they should be treated must be decided. Resources are limited, so the first priority should go to the risks that combine the highest probability of occurring with the largest impact on the organization's goals. Probability and impact can be measured or predicted from historical information: if a risk has materialised before, internal auditors can use the frequency and cost of those past events to estimate its likelihood of recurrence and its impact on the organization's objectives. The caveat is that a short history is a weak predictor of rare, high-impact events, so historical estimates should be supplemented with expert judgement for such risks.
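The prioritisation described above, worked through as an added example (this is illustrative code written for this page, not a method from Beasley, Moeller or COSO). It applies the standard quantitative formulation in which the annualised rate of occurrence (ARO) is estimated from past incidents, the annualised loss expectancy (ALE) is ARO multiplied by the loss per event, and risks are ranked by ALE. The risk register, the incident counts and the control costs are constructed sample data, and the `net_control_value` measure (ALE reduction minus the annual cost of the control) is one common way to decide whether a proposed mitigation is worth funding.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register (all fields are constructed sample values)."""
    name: str
    owner: str                 # the named risk owner (every risk must have one)
    incidents_observed: int    # how often the event occurred in the observation window
    years_observed: float      # length of the observation window in years
    loss_per_event: float      # single loss expectancy, in currency units


def annual_rate(risk: Risk) -> float:
    """Annualised rate of occurrence (ARO), estimated from historical frequency."""
    if risk.years_observed <= 0:
        raise ValueError("observation window must be positive")
    return risk.incidents_observed / risk.years_observed


def annualized_loss(risk: Risk) -> float:
    """Annualised loss expectancy (ALE) = ARO x loss per event."""
    return annual_rate(risk) * risk.loss_per_event


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Order the register so the largest expected annual loss is treated first."""
    return sorted(risks, key=annualized_loss, reverse=True)


def net_control_value(risk: Risk, annual_control_cost: float,
                      likelihood_reduction: float) -> float:
    """Expected annual benefit of a control that cuts the likelihood by a fraction
    (0.0 .. 1.0), net of what the control costs each year.  A negative result
    means the control costs more than the loss it prevents."""
    if not 0.0 <= likelihood_reduction <= 1.0:
        raise ValueError("likelihood_reduction must be between 0 and 1")
    before = annualized_loss(risk)
    after = before * (1.0 - likelihood_reduction)
    return before - after - annual_control_cost


# Constructed sample register: operational and financial risks side by side.
SAMPLE_RISKS = [
    Risk("Phishing-led credential theft", "CISO", 6, 3.0, 20_000.0),
    Risk("Fraudulent supplier invoice", "CFO", 1, 4.0, 150_000.0),
    Risk("Warehouse flooding", "COO", 1, 10.0, 500_000.0),
    Risk("Laptop theft", "IT manager", 4, 2.0, 3_000.0),
]


def ranked_names(risks: list[Risk] = SAMPLE_RISKS) -> list[str]:
    """Names of the register entries in treatment order."""
    return [r.name for r in prioritize(risks)]


if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS):
        print(f"{r.name:32} owner={r.owner:12} ARO={annual_rate(r):.2f} "
              f"ALE={annualized_loss(r):>10,.0f}")
    # Should the CISO fund phishing-resistant MFA at 10,000 per year if it is
    # expected to cut successful phishing by three quarters?
    print("net value of MFA control:",
          net_control_value(SAMPLE_RISKS[0], 10_000.0, 0.75))
```

Note that the warehouse flood, which has happened only once in ten years, ranks above phishing, which happens twice a year: prioritising on likelihood alone would have inverted the order, which is why both dimensions must be combined.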

When managing risk, equal attention should be given to operational and financial risk. The two are linked (an operational failure such as a system outage or a fraud usually ends up as a financial loss), so concentrating on one and neglecting the other means the organization's overall risk is not managed properly, and the likely outcome is that the organization fails to meet its goals.

Organizational risks should be identified as early as possible, and this is only achievable if internal auditors are supplied with accurate and timely information.

