In the seventh in our series of blogs about independent assurance Tony and John explain how Internal Audit can provide valuable consultancy to the firm, but that it should take a cautionary approach, particularly when involved in investigations. Operational Risk Software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Advice and support
The IIA states that internal audit, among other things, is a ‘consulting activity designed to add value and improve an organisation’s operations’. Risk management consulting is, of course, far more interesting than ticking back controls and procedures. That’s understandable, but not if it means the fundamental job of checking processes is downgraded or, even more seriously, if it creates the potential for conflicts of interest.
Having said that, consulting can be a legitimate activity for internal audit where there is no strong risk management function, but it requires careful control. Consulting can:
- Make available to management the tools and techniques used in internal audit to analyse risks and controls
- Support risk management by leveraging internal audit’s expertise in risk management and controls, and its overall knowledge of the organisation (and indeed vice versa)
- Support risk management by providing advice and promoting the development of a common language and understanding as part of embedding risk in the firm
- Support managers as they work to identify the best way to mitigate their risks.
However, whenever internal audit acts to help management set up or improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these services as soon as possible to members of the management team. Advice and support is one thing; taking risk management decisions is quite another. Even being involved in designing part of the process can lead to significant conflicts for later audits.
Where internal audit does become responsible for some aspect of risk management, it cannot then provide independent assurance for that aspect. This will have to be obtained from a suitably qualified independent third party.
If everybody is satisfied that internal audit’s independence will not be compromised and it is asked to undertake work beyond its standard and agreed assurance activities, this should be recognised as a consulting engagement and appropriate terms of engagement agreed. While each department in the second line looks over the whole organisation from the perspective of its particular function, only internal audit sees the complete whole, and it should therefore regard itself as adding value.
Events continually occur which require investigation and assurance. If the request comes from the chairman of the audit committee or the non-executive directors, there is no risk of internal audit being conflicted.
If, however, the request comes from management, they should seriously consider using their own resources wherever possible, probably from those in an oversight role (i.e. the second line of defence), leaving audit to fulfil its proper role of independent reviewer and assurer.
In our next blog Tony and John discuss what makes the ideal audit committee.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on email@example.com