What is the Role of Internal Audit?
The Internal Audit role is a critical Risk Function that would typically be independent of other organisational roles. For example, while it might be common for the Chief Financial Officer to lead the financial Risk Function as well as be responsible for the organisation's accounts, it would be unusual for the Chief Audit Officer to be employed in any function within the organisation other than as head of the Internal Audit Risk Function.
Internal Auditors are obligated to assess the appropriateness, the depth and the effectiveness of the other Risk Functions' risk controls. While they might not be the final destination of each Risk Function report, it is likely they will have access to all risk reports so that they can validate and audit claims made within the report. While Internal Auditors would not expect every audit to be perfect, it is generally accepted that the Risk Functions would be continually moving towards compliance.
It is unlikely the Internal Auditors will be involved in the Risk Functions outside of the audit process, as it would be a conflict of interest for them to define risk measurements. However, an organisation with a strong audit function should encourage the internal audit team to challenge defined measurements of success.
In a passive audit environment, it is likely that the Audit Risk Function becomes a rubber-stamping operation, which significantly reduces its effectiveness.
Internal auditors generally perform an annual risk assessment of the enterprise, although in environments with rapid changes this might occur on an accelerated schedule.
This review would validate the risk assessments performed by each of the Risk Functions within the enterprise, review previous audit results and recommendations, and include reviews with Risk Function owners or senior team members.
It is expected that the Audit team evaluates the priorities and impact each of the Risk Functions has placed on identified risks within their respective domains and comments on the effectiveness of risk responses. In a robust audit environment, the audit team might also contain domain experts to assess any gaps that the Risk Function has not identified or filled.
A key document during the audit will be the Risk Function's Risk Register, which will have documented the perceived risk within the function's domain and assigned it both an impact and a priority.
The audit team ought to have discussed the company's major risk exposure and the responses management has undertaken to observe and manage that exposure.
Audit failure falls back to the Risk Function for remediation; however, it is the Internal Audit team's responsibility to follow up any identified weakness in the system, and it would likely agree a schedule for remediation with the Risk Function.