In order to understand the role of an internal auditor in Risk Based Internal Audit (RBIA), it is useful to understand:
- What are risks and what are the different types of risks an organization is exposed to;
- The Enterprise Risk Management (ERM) process;
- The importance of risk management under the regulatory requirements in India, and
- The role of an Internal Auditor in RBIA
A. Risk Classification
1. Strategic Risks
Strategic risks are those that flow from high-level/strategic objectives formulated by the management and approved by the Board. Strategic risks may also arise from the external environment.
2. Operational Risks
These risks are largely the ones that are linked with people, processes and resources within the organization, the customers and the other stakeholders of the organization. These are not high-level risks like the strategic risks, but may make the organization vulnerable to high-volume losses resulting in loss of profit and reputation risk, if not addressed in a timely manner.
3. Reputation Risks
The inability of an organization to appropriately treat its strategic and operational risks may lead to reputation risk. For example, a few weeks back, Maggi faced a reputation risk when the customers reported the presence of higher quantities of unhealthy ingredients in their products.
4. Compliance Risks
Risks that the organisation might fail to comply with applicable laws and regulations. For example, failure to appropriately maintain pollution control equipment might lead to the violation of environmental laws.
5. Reporting Risks
Risks that the internal or external reporting might not be reliable. For example, failure to maintain proper accounting records might lead to material error in figures reported in financial statements published by the firm.
B. The Enterprise Risk Management (ERM) Process
An ERM process involves the following stages:
1. Risk Identification
It is the process of identifying risks. Different organizations adopt different methodologies for identification of risks.
2. Risk Assessment
Risk assessment can be done qualitatively as well as quantitatively. The assessment is made through a risk assessment matrix.
3. Risk Treatment
Once the risks are identified, the risk manager, in consultation with the risk owners, devises risk treatment strategies. Also called risk response, risk treatment is the process of managing the identified risks with various strategies like risk avoidance, acceptance, mitigation/reduction or sharing.
a. Risk Avoidance: The strategy is to avoid the situations/events leading to such risks. For example, an agro-based product company that assesses the risk of farming as very high does not take up farming but rather procures inputs from the market.
b. Risk Reduction: The strategy is to accept the risk and establish appropriate controls to mitigate the risks.
c. Risk Sharing: The strategy is to share the risk.
d. Risk Acceptance: The strategy is to accept the risk without any mitigation plan. It is most probable that the frequency/likelihood and impact of such a risk are too low for the management to pay attention to them and the cost of any control will exceed the benefit.
4. Residual Risk Reporting
The risks that still remain with the organization after risk treatment are residual risks.
C. Regulatory Requirement in India
Whether under the SEBI Guidelines for listed companies or the Companies Act, 2013, the corporate regime is being geared towards the adoption of risk management systems.
– Clause 49 of the Listing Agreement
Clause 49 of the Equity Listing Agreement of SEBI, while enumerating the key functions of a Board, includes the following functions:
- Reviewing and guiding corporate strategy, major plans of action, Risk policy, annual budgets and business plans; setting performance objectives; monitoring implementation and corporate performance; and overseeing major capital expenditure
- Ensuring the integrity of company’s accounting and financial reporting systems, including the independent audit, and that appropriate systems of control are in place, in particular, Systems of risk management, financial and operational control, and compliance with the law and relevant standards.
- Evaluation of internal financial controls and Risk management systems
– Companies Act, 2013
Similarly, the Companies Act, 2013, through its various sections, also emphasizes risk management as a pertinent function of the Board and senior management.
- Section 134(3)(n) stipulates that each company shall include in the Board report a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company;
- Section 177(4)(vii), while spelling out the responsibilities of the Audit Committee of the Board, includes ‘evaluation of internal financial controls and risk management systems’ as one of the responsibilities of the committee.
- Schedule IV (Roles and functions of independent Directors) includes the following as functions of an independent director:
- help in bringing an independent judgement to bear on the Board’s deliberations especially on issues of strategy, performance, Risk management, resources, key appointments and standards of conduct, and
- satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
D. The role of an Internal Auditor in RBIA
While auditing using the RBIA approach, an internal auditor may face different situations. There may be organizations:
- that have implemented ERM
- that have not implemented ERM, and
- that are in the process of implementing ERM and have achieved a particular maturity level
In each of those situations, the orientation of the internal auditor should be to plan his audit, focussing on testing the adequacy and effectiveness of the ERM process, if an ERM system is in place. Where the ERM system has not been adopted, the auditor should allocate the audit resources based upon his individual perception of high risk areas and areas where the controls are stressed. Where the organization is in the process of implementing an ERM system, the internal auditor gets involved in every step of the implementation process.
Therefore, when an internal auditor accepts his engagement as an internal auditor of a firm, he has to:
- Understand the risk appetite of the firm.
- Assess whether the firm has adopted an ERM system.
- Assess the maturity level of the ERM system, if the firm is in the process of implementing an ERM system.