January 24, 2025

TRENDING

Integrating Internal Audit with the Organization’s Risk Management Processes

Google+ Pinterest LinkedIn Tumblr +

By CPA Peter Kibet Kitur

Integrating Internal Audit with risk management is important for strengthening an organization’s ability to create, protect, and sustain value (The definition components align with the new Global Internal Audit Standards). Internal Audit provides the board and management with independent, risk-based, and objective assurance, advice, insight, and foresight, aligning seamlessly with the principles of risk management. This integration focuses on understanding and mitigating potential adverse impacts on the organization’s objectives, ensuring strong risk management strategies and effective responses to unforeseen events.

Consequence in Risk Management

Consequence is a critical outcome or impact of an event. Internal Audit contributes by independently reviewing and assessing the potential consequences of decisions, strategies or plans, ensuring organizations are better prepared to mitigate adverse effects and respond effectively to unforeseen events. Through its independent assessments, Internal Audit helps identify potential consequences and ensures that risk management strategies are robust and effective.

Risk and Its Identification

Risk is defined as the uncertainty of outcome, where an event may occur and adversely affects the achievement of objectives. Risk identification is the process of determining what might happen that could impact these objectives, understanding why and how it might happen. Inherent (gross) risk refers to the status of the risk, measured through impact and likelihood, without considering existing risk management activities. Internal Audit plays an important role here by providing objective assurance and insights into the identification and evaluation of risks, thereby laying a solid foundation for risk analysis and management. Internal Audit’s independent perspective helps ensure that all potential risks are identified and evaluated comprehensively, aiding the organization in anticipating and preparing for adverse events.

Control and Residual Risk

Control refers to measures or management actions taken to minimize negative risks or enhance positive opportunities, effectively mitigating risks. These controls include the policies, procedures, reporting, and initiatives carried out by an organization to ensure the desired risk response is implemented. Residual risk, the status of the risk after accounting for risk management activities, is essential for understanding the effectiveness of controls. Internal Audit evaluates these controls, providing assurance on their effectiveness and identifying areas for improvement, thus enhancing the organization’s risk management framework. By continuously assessing the effectiveness of controls, Internal Audit helps the organization ensure that residual risks are managed within acceptable levels.

Risk Appetite, Tolerance, and Management

Risk appetite refers to the level of risk an organization is prepared to accept in pursuit of value, while risk tolerance indicates the extent of variation relative to achieving an objective that an organization is willing to accept. The Enterprise Risk Management Policy outlines the organization’s approach to managing risks and sets the standard for risk tolerance, measuring risks in terms of impact and likelihood. Risk management is an iterative process involving steps that enable continual improvement in decision-making. Internal Audit supports this process by offering foresight and advice, ensuring that the identification, analysis, evaluation, treatment, monitoring, and communication of risks are conducted systematically. This enables the organization to minimize losses and maximize opportunities, effectively navigating potential challenges and sustaining value creation. Internal Audit’s independent assurance and consulting activities provide critical insights that help the organization align its risk management practices with its risk appetite and tolerance, promoting effective decision-making and risk mitigation strategies.

Principles of Risk management.

An efficient and effective risk management system is built on key principles guiding entities in creating and maintaining a scalable, context-specific framework that supports performance. According to ISO 31000:2018, there are eight essential risk management principles:

Integrated: Risk management must be integral to all entity activities, including governance, planning, and performance management, at both strategic and operational levels.

Structured and Comprehensive: A structured, comprehensive approach ensures consistent and comparable results across the entity, addressing both opportunities and threats from interrelated, dynamic risks.

Customized: The risk management framework should be tailored to the entity’s internal and external context, aligning with its specific objectives.

Inclusive: Involving internal and external stakeholders in risk management activities ensures their knowledge, views, and perceptions are considered in identifying risks and designing treatments.

Dynamic: Risk management should be responsive and adaptable, as risks can change with shifts in the entity’s external and internal context.

Best Available Information: Effective risk management relies on the best available historical, current, and future information.

Human and Cultural Factors: Considering human behavior and cultural factors is crucial, as they can both facilitate and hinder achieving the entity’s objectives. A tolerable level of risk matching the entity’s criteria is necessary.

Continuous Improvement: Entities should continuously improve their risk management maturity through framework reviews, monitoring results, external reviews, and ongoing learning.

Internal Audit is essential in enhancing an organization’s risk management framework. Providing independent assurance and insights ensures that risks are identified, assessed, and managed comprehensively. Internal Audit supports informed decision-making and risk mitigation strategies by evaluating controls’ effectiveness and aligning risk management practices with risk appetite and tolerance. By adhering to risk management principles, including integration, structure, customization, inclusivity, dynamism, best available information, human and cultural factors, and continuous improvement, organizations can effectively navigate potential challenges and sustain value creation.

This holistic approach ensures that risk management processes are not only efficient but also adaptable to the ever-changing risk landscape.

CPA Peter Kibet Kitur is a Tax consultant with Bon and Drew Associates, serves in public sector, is the ICPAK Central Rift Region’s Branch Chairman and a member of ICPAK’s Devolution sub-committee.

pkitur.cpa@gmail.com

Share.

About Author

Leave A Reply