Globalization and competition increased the risk in many enterprises worldwide at a faster pace. A great number of organizations invest heavily in risk management to be able to face the ambiguities and challenges in the business world. The Institute of Internal Auditors (IIA) Glossary defines risk as: “the uncertainty of an event occurring that could have an impact on the achievement of objectives. The risk is measured in terms of consequences and likelihood” (Internal audit terms 2017, para. 2).
The rise of demand for managing risk practices in organizations occupies an increase in the role of internal auditing function to assure the risk management practices in organizations. The institute of internal auditors defined internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve the organization’s operation. It helps organizations accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance process” (Risk-based internal auditing 2014, p. 1). According to the IIA definition, the role of internal auditors is to assess and develop the success of risk management within the organization.
What is Risk Management?
In the world of business, risk management is the practice of defining the potential risks beforehand and preparing to implement certain strategies to reduce or eliminate them. Thus, for example, when an organization invests money into a certain plan, there is always a risk that this investment will be a failure. The number of financial risks depends on the kind of an instrument used in a particular operation (Risk management… the what, why, and how 2016). The financial risks usually increase due to such economic processes as market volatility, recession, inflation, bankruptcy, and so on.
Thus, to reduce risks and gain maximum control over the investments, companies use various risk management strategies. These strategies are developed not only to identify the risks but also to evaluate its significance and predict the influence that it can have on a particular project or action. Also, risk management can be continuous, which presupposes quite a long process of the identification and resolution of the problem, which can affect multiple spheres of activity of a company. This includes, maintaining control over expenses, planning and allocating a company’s budget, organizing various projects, and so on (Risk-based internal auditing 2014). Thus, the process of risk management allows a company to change its focus from reactive management strategies to proactive ones, which are considered much more effective.
The Process of Risk Management
In general, the process of risk management consists of four main steps. The first step is the identification of potential problems that can occur in a company during the process of implementing a particular plan. At this stage, the most common action is brainstorming. The personnel analyzes the present evidence and the experience of companies dealing with certain risks. Then they put the potential risks into different categories and set priorities concerning what risks must be managed first (Abbott et al. 2016). Also, these risks can be classified according to the probability of their occurrence.
The second step in the process of risk management is the identification of the potential consequences that a certain problem can cause and the spheres of business that it can affect. Basically, at this stage, the process of risk assessment begins. The personnel starts the problem-solving process regarding the identified risks. Additionally, before trying to develop any methods to reduce the potential risks, they usually identify the main causes of their occurrence (Chambers & Odar 2015). Then they try to analyze the potential impact of the identified problems take place.
The third step in the process of risk management is the development of responses to the identified risks. At this stage, the personnel begins searching for methods to prevent these risks from happening and manage them if they occur. The priority is usually put on those risks that have the highest probability to take place and those that have the potential to cause a lot of damage.
The fourth step in the process of risk management is the development of a contingency plan. This is a good strategy that is not practiced by all organizations. Developing a contingency plan is particularly useful when there are unpredictable risks. Thus, at this stage, the personnel discuss and develop a contingency plan for every potential risk and put them aside (Chambers & Odar 2015). If the preventing strategies do not help, and the problem takes place, the contingency plan will be implemented, thereby reducing the necessity to manage this problem directly.
Risk-Based Internal Audit
In general, risk-based internal auditing is the process of developing the main goals of a company and identifying the biggest risks that prevent the company from achieving these goals. Particularly, while the key task of the company’s management is to identify and manage risks, the main objective of the internal audit is to make sure that the found risks are properly handled (Risk-based internal auditing 2014). Risk-based internal auditing (RBIA) is a set of strategies that connect a general company’s risk management system and internal audit.
Overall, the process of creating RBIA consists of three main stages. The first stage focuses on the assessment of risk maturity. At this stage, internal auditors receive a general overview of how the company’s management identify, evaluate, handle, and control risks. This indicates the reliability of the system of registering risks for various audit purposes (Risk-based internal auditing 2014). The main objectives of internal auditors at this stage are to evaluate the risk maturity of the company, report to the audit committee and the company’s management regarding their evaluation, and develop an audit strategy.
The second stage concerns itself with periodical audit planning. At this stage, internal auditors identify the assurance and provide consulting assignments for a particular period using setting priorities in those areas which are exposed to potential risks and require assurance. This includes the general process of risk management, the strategies for handling the main risks, and their recording and reporting (Abbott et al. 2016). The main objectives of internal auditors at this stage are to provide a response to individual risks and to develop the process of assessing risks, deciding on the means of managing them, monitoring the process of handling them, and reporting to the company’s management.
The third stage focuses on individual audit assignments. At this stage, internal auditors complete the assignments based on the individual risk to make sure that the company’s management uses appropriate methods in dealing with risks. This also includes the reduction of separate or different groups of risks (Abbott et al. 2016). The main objectives of internal auditors at this stage are to manage risks, handling residual risks, implementing a contingency plan, and assessing the effectiveness of the developed strategies for reducing risks.
The Role of Internal Auditors in Risk Management
In general, internal auditors are responsible for evaluating the methods that a company uses to reduce risks and providing the best techniques of how to manage different risks. They provide their objective assurance to the company’s management concerning the effectiveness of their risk management strategies (Boyle, DeZoort & Hermanson 2015). Indeed, according to the studies, both companies’ directors and internal auditors claim that the two most crucial advantages that internal auditing gives to companies are to assure the directors that their risk management plans are effective and to assure them that their internal control over risk management is operating properly.
Additionally, internal auditors offer consulting services regarding the company’s internal control, risk management, and governance. The extent of this consulting usually depends on the external and internal resources of a company and its risk maturity, which is constantly changing. Thus, if a company’s risk maturity rises and risk management processes become more integrated into the company’s operations, the role of internal auditors reduces (Boyle, DeZoort & Hermanson 2015). Conversely, if the company accepts the services of internal auditors, their role in assessing risks for the company increases, and they focus not on their consulting role but on the role of being a valuable instrument within the organization.
Thus, no matter what kind of business a company does, it is always exposed to certain risks. In most cases, companies try to identify potential risks, develop risk management strategies, and controlling the outcomes using only their personnel, which can often be ineffective. Other companies have enough resources to hire a professional team consisting of internal auditors who guide to those companies’ directors regarding the effectiveness of the risk management strategies, thereby significantly decreasing the probability of the occurrence of these risks.
Abbott, L J, Daugherty, B, Parker, S & Peters, G F 2016. ‘Internal audit quality and financial reporting quality: the joint importance of independence and competence’, Journal of Accounting Research, vol. 54, no. 1, pp. 3-40.
Boyle, D M, DeZoort, F T & Hermanson, D R 2015. ‘The effects of internal audit report type and reporting relationship on internal auditors’ risk judgments’, Accounting Horizons, vol. 29, no. 3, pp. 695-718.
Chambers, A D & Odar, M 2015. ‘A new vision for internal audit’, Managerial Auditing Journal, vol. 30, no. 1, pp. 34-55.
Internal audit terms. 2017. Web.
Risk based internal auditing. 2014. Web.
Risk management… the what, why, and how. 2016. Web.