NewsDay


The role of an internal audit function in identifying and monitoring business risk

Business risk is the exposure of an organization to factor(s) that threaten its ability to meet its objectives. Business leaders face a range of complex, interconnected and fast-evolving risks.

New technologies create new markets and disrupt existing business models. New tax laws could create windfalls or hamper international commerce. Weather events wreak havoc on regions and industries.

Geopolitical volatility raises serious questions about global operations. Organisations must understand and manage risk and seek an appropriate balance between risk and opportunities.

Business risks include:

• Financial risk (price, liquidity, credit);
• Operations risk (capacity, cycle time, sourcing, supply chain);
• Information processing/technology risk;
• Integrity risk (fraud, unauthorised use, reputation);
• Compliance and legal risk;
• Reporting risks;
• Strategic risks; and
• Geographic risks.

An internal audit helps an organisation achieve its objectives by improving risk management and governance processes.

It also identifies voids, shortcomings and inherent risk potential in all facets of the organisation (including, but not limited to, policies, processes and information technology) in times of business stability and change. An internal audit recommends improvements to these areas and others.

The Institute of Internal Auditors (IIA) defines internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Developing an internal audit plan

Risk-based internal audit plans help to determine the priorities of the internal audit activity to be consistent with the organisation’s goals. An assessment of the client’s risk maturity should be performed and it should shape the internal audit approach.

An internal audit should provide assurance to the board that risk management processes are managing risk effectively, in relation to the risk appetite.

Risk appetite

Risk appetite is best expressed as a series of boundaries, appropriately authorised by the Board, which give each level of the organisation clear guidance on the limits of risk which an organisation is willing to take.

An organisation that understands its risk appetite and can articulate it fully is perceived to be more risk mature than an organisation that cannot. There are numerous definitions of organisational risk appetite, but they all refer to the level of risk an organisation is willing to take.

Levels of risk maturity

There are five levels of risk maturity that could be considered. These are as follows:

Risk Naïve – No formal approach developed for risk management

The information obtained from risk assessments should assign relative weight to the risks identified based on likelihood and significance. The audit plan should consist primarily of those things that show up in the top right quadrant, which means that there is a high likelihood they will occur with significant adverse effect on objectives.

When an organisation has completed the process of risk assessment, which includes the creation of risk registers, the responses to identified risks should be developed. The responses to risks can be:

An organisation needs to be aware of the changing risk profile affecting the entity to ensure that the internal audit plan is aligned to the current risk profile.

Organisations often operate in fast moving environments and thus need to revisit their risk profile regularly.

An organisation’s risk profile should therefore be refreshed on a periodic basis. Typically, this should be a review of the business and any changes (including updates to applicable legislation and regulation) to ensure the risk profile remains up to date and to identify any changes in the significance of known risks.

This should be used to keep the internal audit plan up to date and focused on the current risk profile of the entity.

We hope you will find the information in this article helpful in giving you an overview of the role of the internal audit function in business risk mitigation.