13.1 PURPOSE
Review internal audit as one of the three lines of defence, providing independent assurance to the board on the effective
operation of the risk management framework and validating the risk measurement process.
Audit forms the third of the classic three lines of defence and has two complementary parts, namely internal and
external audit. Internal audit provides independent assurance to the board on the effective operation of the risk
management framework and validates the risk measurement process. External audit gives an opinion on the financial
statements. Internal audit also has to assure itself of the quality of risk governance and of the controls over matters such as
ethical values, management style and values, and human resource policies and practice.
Independence - to fulfil its function, internal audit must be functionally independent of the activities it audits.
Assurance - from a risk perspective, internal auditors will usually provide assurance on
risk governance and the risk management processes, considering their design and how well they are working
the management and oversight process for risks, including the effectiveness of controls and other responses to them
the accuracy and reliability of the components of the risk assessment and reporting process
Internal and external audit share a common goal of assuring the board that the risk and control processes are appropriate
and effective. Both should function independently of management and report to the board. However, there are differences
in the roles they play:
Internal auditors are part of the organisation, and the audit committee or the board determines their objectives.
External auditors are outside the organisation, and their objectives are driven partly by statutory and professional
requirements.
In financial services, the internal audit function is obligatory, whether in-house or outsourced. Internal audit provides
assurance to the board on the first and second lines of defence. Regarding the first line, it provides assurance that controls
are working effectively and are appropriate to the risks of the organisation. As for the second line of defence, oversight
functions such as risk management ensure consistent application of the risk management framework and provide a challenge
to business operations. Internal audit assures that the oversight functions are working effectively, picking up on adverse
changes in the risk profile and the reporting of them.
As an independent assurer, internal audit is valuable and necessary in operational risk. Operational risk managers are usually
intimately involved in developing the operational risk framework and are responsible for providing data inputs and producing
reports, effectively placing them in the first and second lines of defence. Therefore, there needs to be an independent
assurance process of the information provided and the methodologies used.
Policy – internal audit should operate within a clear policy statement, approved by the firm’s board and management, which
outlines its
status and position within the firm, including its relationship to the business lines and oversight functions
Planning and priorities - having established its role, the head of internal audit can work with the board to develop and deliver
the audit plan. The audit plan should be risk-based and use some form of the risk and control assessment process, which
drives the audit cycle.
Status and resourcing - audit, the third line of defence, is a critical part of a firm’s risk management framework, which should
be accepted and recognised as such by everybody in the firm.
Reporting to management and the board - having established the plan and put it into action, it is internal audit’s job to report
its progress and significant issues to the board and senior management for action.
The internal auditor as consultant - internal audit is, among other things, a consulting activity designed to add value and
improve an organisation’s operations.
Consulting can
provide management with the tools and techniques used in internal audits to analyse risks and controls
support risk management by leveraging internal audit’s expertise in risk management and controls, and its overall
knowledge of the organisation
support risk management by providing advice and promoting the development of a common language and
understanding as part of embedding risk in the firm
support managers as they work to identify the best way to mitigate their risks
Investigations - events continually occur which require investigation and assurance. If the request comes from the chairman
of the audit committee or the non-executive directors, there is no risk of internal audit being conflicted. However, where the
request comes from management, it should use its own resources wherever possible, probably those in an oversight role (i.e.
the second line of defence), leaving audit free to fulfil its proper role of independent reviewer and assurer.
The audit committee, comprising independent non-executive directors, performs a key oversight role for the board and
should be the critical link between the board and both internal and external audit. In most financial sector firms, there will be
a separate risk committee.
Audit committee and internal audit - the head of internal audit should report to the chair of the audit committee from a
functional point of view.
Audit committee and external audit - the audit committee appoints the external auditors and agrees their terms of
engagement and fees.
An audit committee health check - audit committees are not just about financial reporting and assessing internal controls.
Their brief as independent assessors of the quality of risk management also takes them into non-financial risk assessments.
Audit committees should be continually considering several risks in assessing the overall health and tone of the company they
serve.
13.5 SUMMARY
Business line management creates the scenarios and assumptions; risk management challenges the assumptions made in the
scenarios and the outcomes; and internal audit provides assurance on both the scenario process and the process that derives
the assumptions.
13.7 REFLECTION
Before you continue to the next lesson, reflect on the following personal questions:
a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now, or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 13 for this lesson? Are you still on schedule, or
do you need to adjust your study programme?
e. How do you feel now?
Blunden, T & Thirlwell, J. 2013. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. London: Pearson.