
Chapter Two: Internal Audit in Enterprise Risk Management
Part I Internal Audit
1. Introduction
Definition and role of Internal Audit
• Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organization’s operations. It
helps an organization accomplish its objectives by
bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance processes.
2. Objectives of Internal Auditors
• This definition reflects the changing role of
internal auditors. Internal auditors should do the
following:
1. Review the reliability and integrity of financial
and operating information and the means used to
identify, measure, classify, and report such
information.
2. Review the system established to ensure
compliance with those policies, plans,
procedures, law and regulations.
3. Review the means of safeguarding assets and, as
appropriate, verify the existence of such assets.
4. Appraise the economy and efficiency with which
resources are employed.
5. Review operations or programs to ascertain
whether results are consistent with established
objective and goals and whether operations or
programmes are being carried out as planned
• The objectives of internal auditors are
considerably broader than those of external
audit, and their reports are not standardized
because
a. the reporting needs vary for each company and
b. the reports are not relied on by external users
• Their work encompasses all of the organization's
internal control. They evaluate and test the
effectiveness of controls designed to help the
organization meet all of its objectives.
3. Professional standards of Internal
Auditing
• To maintain consistently high-quality service
across the internal auditing profession, the IIA
has issued standards for the professional
practice of internal auditing.
• We will discuss some of the important
standards below.
• See print out
4. Relationship of Internal & External Auditors

Difference
• The responsibilities and conduct of audits by
internal and external auditors differ in one
important way.
• Internal auditors are responsible to management
and the board, while external auditors are
responsible to financial statement users who rely
on the auditor to add credibility to financial
statements.
Similarities: internal and external auditors share many
similarities:
a. Both must be competent as auditors and remain objective
in performing their work and reporting their results.
b. Both follow a similar methodology in performing their
audits, including planning and performing tests of controls
and substantive tests.
c. Both consider risk and materiality in deciding the extent
of their tests and evaluating results. However, their
decisions about materiality and risks may differ because
external users may have different needs than
management or the board.
d. External auditors rely on internal auditors
when using the audit risk model to assess
control risk.
– If internal auditors are effective, the external
auditors can significantly reduce control risk and
thereby reduce substantive testing.
– As a result, external auditors may reduce their
fees substantially when the client has a highly
regarded internal audit function
• External auditors typically consider internal
auditors effective if they are:
i. Independent of the operating units being
evaluated
ii. Competent and well trained
iii. Have performed relevant audit tests of the
internal controls and financial statements
Part II
Enterprise Risk Management
Outline of part II
1. Introduction
2. Risk and Risk Category
3. Enterprise Risk Management (ERM)
4. Risk Maturity and Measurement of Risk
5. Impact of Risk Maturity on Internal Auditing
6. Role of IA in ERM
Discussion
• How risk is defined in your organization
(Comp).
• What kind of risk do you know?
• What causes the risk?
1. Introduction
• Achievement of organizational objectives is
surrounded by uncertainties which
– both pose threats to and offer opportunities for
increasing success.
• Changing circumstances, such as rising interest
rates, can be an opportunity for an organization
with surplus cash and a risk for a borrower.
• Hence these circumstances need to be seen with
reference to the organisation's objective.
• When defined narrowly, risks are those
uncertainties which impede the achievement
of the objective.
2. What is risk?
– Why are we bothered about risks?
– Because they threaten our objectives.
Example
• The risk of a delayed transport service threatens
production/operation of our company because the
required materials/goods may be delayed
• The risk of a competitor's new product (Dakote Cement
Factory/Derba Cement) threatens profits of Mecebo CF
• Dishonest people may use resources of your company for
their selfish interest.
• Inability of placing the right person in the right position
(job) may affect efficiency and effectiveness of
achievement of company objectives.
2. Risk and Categories of Risks
So what is a risk?
A risk is a set of circumstances that hinder
the achievement of objectives.
Categories of Risk
Generally risk can be classified as
1. Expected and Unexpected risks
2. Systematic (pure) and Unsystematic Risk
3. Internal or external
1. Expected and Unexpected Risks
Expected Risks
– The firm knows with reasonable certainty that it
will occur (e.g., the expected default rate of a
corporate loan portfolio)
• Unexpected losses
– Are associated with unforeseen events (e.g.
unexpected increase in interest rate, inflation,
increase in foreign exchange, flood etc)
2. Systematic (pure) and Unsystematic Risks
Systematic Risk (Uncontrollable Risk)
• Cannot be influenced by the manager and are
independent of business decisions.
Unsystematic Risks (controllable Risks)
• are the result of managerial decision-making and
can either have a negative or a positive outcome.
Q. Give example of each in reference of your
company.
3. Internal and External (classification by source)
Internal Risks
• Result from internal managerial decisions and are controllable
(they affect that specific company)
• Example:
– Credit risk, liquidity risk, operating risk etc
External Risks
• occur in the business environment of the company and affect
all companies
• Example:
– Political Risk, Legal risks, marketing risk, risk from change in
technology, risk from change in macroeconomic
environment
2.1 Specific Types of Risks
1. Credit Risk
2. Financial Risks
3. Liquidity risk
4. Legal Risk
5. Market Risks
6. Operating Risk
1. Credit Risk
• Possible loss due to default of customers
• Example
– Failure (default) of credit customers of Trans
Ethiopia to pay their debt within the stipulated
time
– Risk of bad debts or non-performing loan in
banks
2. Financial risk
• Refers to the chance a business's cash flows
are not enough to pay creditors and fulfil
other financial responsibilities
• The more debt a business owes, the more
likely it is to default on its financial obligations.
• Taking on higher levels of debt increases a
business's level of financial risk.
3. Liquidity risk
• Liquidity risk is the risk that arises when our
company is not able to pay payments as they fall
due because of inadequate available funds
(possibly due to a bad business environment that
affects your sales volume, or other factors).
• Liquidity risk is a financial risk due to
uncertain liquidity.
4. Legal Risk
• Legal risk is risk from uncertainty due to legal
actions or uncertainty in the applicability or
interpretation of contracts, laws or regulations
• Legal risk can be a particular problem for
institutions that transact business across
borders.
• Example:
• If Sur Construction has a subsidiary company
outside Ethiopia (e.g. in South Sudan), the
enactment of the following laws or directives
may affect the profits of Sur (EFFORT):
– Enactment of a new law to increase profit tax
– Investment law: restrictions on the operations of
foreign firms
– Restrictions on repatriation of proceeds from foreign
5. Market risk
• Market risk is exposure to the uncertain market
value of a portfolio of assets (both financial and
non-financial assets).
• Market risk is the risk of loss due to changes in
market prices.
• Elements of market risks
– Interest rate risk
– Foreign exchange risk
– Commodity risk (price change risk)
• Interest rate risk is the risk of loss resulting from
changes in interest rates.
• Foreign exchange risk is the risk of loss resulting
from the difference between assumed and actual
foreign exchange rates.
• Commodity price risk (price change risk) is the
risk of loss resulting from a decline in the value of
assets due to changes in the prices of
commodities, securities, etc.
6. Operational risk
• It is the risk of loss due to the actions or failures
of people, processes, infrastructure, technology
or similar that have an operational impact,
including fraudulent activities.
Examples
The following risks (events or problems) may
make achievement of your anticipated profit
difficult or impossible:
– Weaknesses in your supply chain: delay in delivery
of materials in Mesebo or of spare parts in Trans
Ethiopia
– Outdated manufacturing equipment,
– A poor sales force
Examples of Operating Risk… Cont’d
– Dishonesty in work force may result in
unreasonable stoppage of operations, theft or
embezzlement of company resources (cash,
inventory, fixed assets etc)
– If your IT department doesn't maintain Internet
security, for example, one hacking incident could
cost you vital corporate information.
Discussion
• Explain the cause and impact of the
following types of risk from your company's point
of view:
1. Credit Risk
2. Financial Risk
3. Liquidity Risk
4. Legal Risk
5. Operating Risk
6. Market Risk
– Change in interest rate
– Change in commodity price (raw materials, output, etc.)
– Change in exchange rate (appreciation or
depreciation of foreign currency)
3. Enterprise Risk Management (IIA)

Introduction
• The importance to strong corporate
governance of managing risk has been
increasingly acknowledged.
• Organizations are under pressure to identify
all the business risks they face;
• Internal auditing, in both its assurance and its
consulting roles, contributes to the
management of risk in a variety of ways.
Important Glossary
1. Assurance Services: An objective examination of
evidence for the purpose of providing an
independent assessment on governance, risk
management, and control processes for the
organization.
2. Control: Any action taken by management and
the board to manage risk and increase the
likelihood that established objectives and goals
will be achieved.
3. Enterprise-wide risk management (ERM): A
structured, consistent and continuous process across
the whole organization for identifying, assessing,
deciding on response and reporting on opportunities
and threats that affect the achievement of its
objectives.
4. Risk Appetite: the level of risk that an organization is
willing to accept.
5. Risk Management Framework: The totality of the
structures, methodology, procedures and definitions
that an organization has chosen to use to implement
its risk management processes.
6. Risk Maturity: the extent to which a robust risk
management approach has been adopted and
applied, as planned, by management.
– The degree to which the organization understands
risks and has implemented risk management is
known as its risk maturity.
7. Risk Responses (management): the means by
which an organization elects to manage individual
risks.
– Tolerate, Treat, Transfer, Terminate etc
8. Consulting Services: Advisory and related
client service activities, example
– include counsel, advice, facilitation, and training
9. Risk Register is a list of risks identified and
put together by managers who have been
properly trained.
4.2. What is Enterprise-wide Risk Management
(ERM)?
Enterprise-wide risk management (ERM) is a
structured, consistent and continuous process
across the whole organization for identifying,
assessing, deciding on responses to and
reporting on opportunities and threats that
affect the achievement of its objectives.
4.2. What is ERM?... Cont’d
• Enterprise risk management is defined by
COSO as a process designed to:
1. Identify potential events that may affect the
organization
2. Manage risk to be within the organization’s
risk appetite
3. Provide reasonable assurance regarding the
achievement of the organization’s objectives
Eight Components of ERM –COSO
• The COSO definition goes on to outline eight
interrelated components of enterprise risk
management.
1. Internal Environment
The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed
and addressed by an organization’s people, including
risk management philosophy and risk appetite,
integrity and ethical values, and the environment in
which they operate.
2. Objective Setting
Objectives must exist before management
can identify potential events affecting their
achievement.
3. Event Identification
Internal and external events affecting
achievement of an organization’s objectives
must be identified, distinguishing between
risks and opportunities.
4. Risk Assessment
Risks are analyzed, considering likelihood and
impact, as a basis for determining how they
should be managed. Risks are assessed on an
inherent and a residual basis.
5. Risk Response
Management selects risk responses:
– avoiding, accepting, reducing or sharing risk
– developing a set of actions to align risks with the
entity’s risk tolerances and risk appetite.
6. Control Activities
Policies and procedures are established and
implemented to help ensure the risk
responses are effectively carried out.
7. Information and Communication
Relevant information is identified, captured,
and communicated in a form and timeframe
that enable people to carry out their
responsibilities.
8. Monitoring
The entirety of enterprise risk management is
monitored and modifications are made as
necessary.
4.3. Responsibility for ERM
• The board (with management as its delegated body)
has overall responsibility for ensuring that risks
are managed.
• The board/management should incorporate a risk
management unit (risk manager).
4.4 Benefits and Activities of ERM
• Greater likelihood of achieving those
objectives;
• Improved understanding of the key risks and
their wider implications;
• Greater management focus on the issues that
really matter;
• Fewer surprises or crises;
• More focus on doing the right things in the
right way;
• Increased likelihood of change initiatives being
achieved;
• Capability to take on greater risk for greater
reward and
• More informed risk-taking and decision-
making.
4.5. Risk Response/Risk Management
• The purpose of assessing and addressing risks is
to constrain them to a tolerable level within the
risk appetite of the organization. So what can we
do about risks? Response to risks can be of the
following types
i. Avoid Risk/Terminate Risk
ii. Transferring Risk
iii. Tolerate them, and plan contingencies
iv. Tolerate them, without planning any
contingencies.
(i) Avoid Risk/Terminate Risk
• Management's response to some risks is
avoidance, for example by not
undertaking/starting up a given business.
• This happens if the cost of managing the risk
does not make the activity viable.
– When the cost of risk management is greater than its benefit
Q. Provide an example of this type of risk from
your Company point of view
(ii) Transferring Risk to another party (the best
example being insurance).
• Insure your imported/exported goods
• Insure your valuable assets (physical and human)
(iii) Tolerate them, without planning any
contingencies. These are the ‘asteroid hits earth’
type of risk.
– The company cannot make a contingency plan to
prevent or minimize such risks.
(iv) Tolerate them, and plan contingencies.
• These are the ‘hurricane/storm destroys
factory’ type of risk.
• This option, of course, may be supplemented
by contingency planning for handling the
impact that will arise if the risk is realized.
5. Steps to Effective Enterprise Risk
Management
Step 1: Define Management’s Role
• Management’s role is to engage in risk
assessment and prioritization through purely
qualitative assessment
Step 2: Establish/Define the Risk Management
Context
• This involves setting the scope and boundaries of
the risk assessment process, including the time
frame and specific project or activity.
• The context is the level at which management
feels the need to set strategy and assess risk.
• A context could include the entity as a whole,
a business unit/department/division, a line of
business/product line, a geographic area or all
of the above.

Step 3: Identify and Prioritize Enterprise Risks/Events
• The goal of risk or event identification is to
produce a list of risks or events categorized
according to the severity of their effect on the
achievement of goals.
• For the risks or events identified, management
should consider the severity, the probability
and the impact of time on the event.
Step 4: Assess How Existing Processes Mitigate Risk and Exploit Opportunities
• Enterprise risk assessment identifies areas
where management systems and processes
(such as internal control system) are required
to support the achievement of objectives.
Step 5: Link Enterprise Risk Management to Overall Governance, Risk and Compliance
Effective operational risk management
ensures the tactics necessary to support the
strategies are in place and functioning at an
acceptable level of risk.
6. Risk maturity and Measuring Risks
• Risk Maturity is the extent to which a robust
risk management approach has been adopted
and applied.
• The degree to which the organization
understands risks and has implemented risk
management is known as its risk maturity.
• What degree of risk maturity is beneficial to
your company?
Choose correct answer
a. Higher level of risk maturity
b. Lower level of risk maturity
6.2. Levels of risk maturity
• The Chartered Institute of Internal Auditors (IIA –
UK and Ireland) publication on ‘Risk Based
Internal Auditing’ defined five levels of risk
maturity:
i. Risk enabled,
ii. Risk managed,
iii. Risk defined,
iv. Risk aware and
v. Risk naïve
(i) Risk enabled
An institution at this level has the following characteristics:
• Management has a good understanding of risk management (identification,
measurement and control) and has a sophisticated
monitoring and evaluation system.
• A complete risk register is available for audit planning.
• Risks are prioritized and communicated to all levels of the
organization.
• Risk management and internal control are fully embedded into
operations.
• The organization is ready to convert market uncertainties into
opportunities.
(ii) Risk managed
An institution at this level has the following
characteristics:
• Enterprise wide approach to risk management
developed and communicated.
• Risk Register in place.
(iii) Risk defined
In this type of organization:
• Strategies and policies are in place and
communicated.
• Risk appetite is defined.
• But
– understanding of risk management is patchy
(irregular, erratic or inconsistent) and
– the list of risks may not have been compiled into a
complete risk register.
(iv) Risk aware (scattered silo approach to risk
management)
– No risk register is available for the company
– Only a few managers (department heads) will have
determined their risks.
– Risks are not communicated across the enterprise.
(v) Risk naïve
– No formal approach developed for risk
management.
7. Measuring Risks
We have now identified many of the risks threatening our objectives.
The next stage is to document the response to those risks which
should reduce them down to a level the board considers acceptable.
Risk measurement encompasses scoring and measurement of the
effect of control. So at this stage we need to:
a. Set up a system which measures the threat of the risk.
b. Score the risks using this system.
c. Set a risk appetite so that we can identify those risks we need to
manage.
d. Identify an owner of the risk, who has the responsibility of
ensuring it is managed with internal controls.
e. If necessary, decide whether the internal control is so important that
its operation needs monitoring.
• Scoring is a first stage in measuring Risks
• One common method of scoring risks is to
consider two characteristics:
– The Likelihood (also called probability) of the risk
occurring.
– The Consequence (also called impact) when a risk
occurs.
The likelihood (probability) of occurrence of a
risk is normally measured against five levels on a
scale of 5, viz.
– Remote (score 1).
– Unlikely (score 2).
– Possible (score 3).
– Likely (score 4).
– Almost certain (score 5).
Risk consequences can also be measured against five
levels on a scale of 5, viz.
– Insignificant (score 1).
– Minor (score 2).
– Moderate (score 3).
– Major (score 4).
– Catastrophic (score 5).
A risk with the lowest level of likelihood, i.e.,
remote (score 1) can nevertheless have the
highest level of consequences, i.e., catastrophic
(score 5).
• The risk score for a risk is the numeric product of
the likelihood of the risk and the risk
consequence.
Example 1
• Take the risk that a machine of a given
company may break down. If the consequence
of the damage is medium (score 3)
but the likelihood is high (score 4), the
significance or score would be 12 (3 × 4 = 12).
Example 2: Mesfin Industrial Engineering
• The likelihood (probability of occurrence) of a fire
loss in Mesfin Industrial Engineering can be
'remote' (it is assumed that the company
has an appropriate fire system), but the
consequence of the damage (if it occurs) can be
'catastrophic'.
• Risk score = remote likelihood (1) × catastrophic
impact (5) = 5
Example 3: Trans Ethiopia
• For example, take the risk that a truck of Trans
Ethiopia may break down. Assuming we have
only three, old trucks (Lorries), the impact or
consequence could be medium (scores 3) but
the likelihood could be high (scores 4), giving a
significance of 12.
• As an example, the Board may have a risk
appetite of 12; any risk with a score
above 12 becomes a significant risk and is to be
included in the audit plan.
• There are five levels applied to each
characteristic, defined in Risk Score Table 1.
Risk Score Table 1: [table not reproduced]
8. What risks are the boards prepared
to accept?
• One method of deciding which risks to accept
is to place them on a grid of likelihood and
consequence (see Fig. below).
• This enables the board to define the action it
requires management to take for each
likelihood/consequence combination.
See Grid
• The boundary between the acceptable risks
and those which require managing is known
as the ‘risk appetite’
• Note that the board has determined that a
risk with catastrophic consequences and rare
likelihood requires action to manage it, even if
it only has a score of five.
• Of course that action may be to ‘tolerate’ the
risk if it cannot be cost-effectively reduced
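The scoring rules described in sections 7 and 8 (a five-level likelihood scale, a five-level consequence scale, score = likelihood × consequence, a board risk appetite of 12 with anything above it going into the audit plan, and the board's rule that a catastrophic consequence must be managed even at remote likelihood) can be written down as a small risk-register calculator. The following Python is an added worked example and is not code from the original lecture notes or from the IIA; the function names, the `RiskRecord` structure and the sample register entries are assumptions made for this illustration, although the sample scores mirror the three examples given above.

```python
"""Likelihood x consequence risk scoring with a board-set risk appetite.

Added example (not from the original notes). The scales, the product
score, the appetite of 12 and the 'catastrophic at any likelihood'
override follow the notes; names and sample data are assumptions.
"""
from dataclasses import dataclass

# Five-level scales from the notes (score 1..5 each).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3,
               "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class RiskRecord:
    """One line of a risk register (structure assumed for this example)."""
    name: str
    owner: str          # person responsible for managing the risk (step d above)
    likelihood: str     # a key of LIKELIHOOD
    consequence: str    # a key of CONSEQUENCE


def risk_score(likelihood: str, consequence: str) -> int:
    """Risk score = likelihood score x consequence score (range 1..25).

    Unknown scale levels raise ValueError rather than silently scoring 0,
    so a typo in the register cannot make a risk disappear from the plan.
    """
    try:
        return LIKELIHOOD[likelihood.lower()] * CONSEQUENCE[consequence.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown scale level: {exc.args[0]!r}") from exc


def requires_action(risk: RiskRecord, risk_appetite: int = 12) -> bool:
    """True when the risk must be managed rather than simply accepted.

    Rule 1 (numeric): score strictly above the board's risk appetite.
    Rule 2 (board override from the grid discussion): a catastrophic
    consequence requires action at any likelihood, even when the score
    is only 5 (remote x catastrophic).
    """
    score = risk_score(risk.likelihood, risk.consequence)
    if CONSEQUENCE[risk.consequence.lower()] == CONSEQUENCE["catastrophic"]:
        return True
    return score > risk_appetite


def audit_plan(register, risk_appetite: int = 12):
    """Risks that require action, ordered highest score first."""
    selected = [r for r in register if requires_action(r, risk_appetite)]
    return sorted(selected,
                  key=lambda r: risk_score(r.likelihood, r.consequence),
                  reverse=True)


# Constructed sample register; the first three rows reproduce the
# examples in the notes (machine 4x3=12, fire 1x5=5, truck 4x3=12).
SAMPLE_REGISTER = [
    RiskRecord("Machinery breakdown", "Plant manager", "likely", "moderate"),
    RiskRecord("Factory fire", "Safety officer", "remote", "catastrophic"),
    RiskRecord("Truck breakdown", "Fleet manager", "likely", "moderate"),
    RiskRecord("Foreign exchange movement", "Finance manager", "likely", "major"),
    RiskRecord("Delayed transport service", "Logistics manager",
               "almost certain", "minor"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        s = risk_score(r.likelihood, r.consequence)
        flag = "ACTION" if requires_action(r) else "accept"
        print(f"{r.name:28} {r.likelihood:>14} x {r.consequence:<13} = {s:2}  {flag}")
    print("Audit plan:", [r.name for r in audit_plan(SAMPLE_REGISTER)])
```

Two design points are worth noting. First, the notes say a score "above 12" is significant, so a score of exactly 12 (both breakdown examples) sits on the appetite and is not selected; a board that intends 12 itself to be in scope should use `>=` instead, and the boundary should be written down in the risk management framework so the register and the audit plan agree. Second, the catastrophic override is applied by consequence level, not by score, which is exactly why a multiplicative score alone is not a sufficient decision rule and the likelihood/consequence grid is used alongside it.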
7. The impact of risk maturity on role
of Internal Auditor
General role of Internal Auditor:
• Internal Audit’s core role is to provide an
opinion (assurance service) to the
management and board on the effectiveness
of risk management.
• Risk management is the role of the board or management.
1. Risk Aware and Risk Naïve
In such organizations there is no risk register
and no risk management framework.
Internal auditors may provide (in consultation with management)
consultancy services, not assurance on risk
management.
That is, the internal auditor identifies risks and advises on the
possible risk-mitigating controls.
2. Risk Defined: In this type of organization
• Understanding of risk management is irregular or
inconsistent
• There is no complete risk register across the company (only
some departments have one).
• Under this situation IA provides the following consultancy
services:
– facilitate the compilation of a complete risk register
from the lists already compiled by management,
NOT RISK-BASED AUDIT
– In areas where risk management is well defined, the
internal auditor may use RBIA
3. Risk Enabled and Risk Managed
• This type of organization represents a high level of
understanding of the management of risk.
• A complete list of risks (risk register) is available
for audit planning.
• The work of IA focuses on whether the risk
management process is working effectively.
– Apply the RBIA approach (assurance on the effectiveness of
risk management)
