Malaysian Institute of Accountants

2002 Essay competition

Title: Risk Management and Internal Control: The Changing Role of Internal Auditor.

Ahmad Zamri bin Osman @ Hussin

G0114313

Department of Accounting

Kulliyyah Economics and Management Science

International Islamic University, Malaysia.

Jalan Gombak, 53100,

Kuala Lumpur

Introduction

The rampant mismanagement of corporations has brought the ethical question of corporate governance to the fore. Researchers, academics and practitioners (professionals and regulators alike) have been, and still are, searching for the causes of the collapse of governance: whether the fault lies with the people entrusted with the corporation (the board of directors and management), with insufficient regulation (securities commission guidelines, stock exchange requirements and so on), or with other factors such as the industry itself, demographics or firm characteristics. Prior research has investigated a number of variables associated with corporate governance, and with why some corporations are perceived to have good corporate governance. Among them are the size of the corporation, the rigour of regulatory requirements, the audit committee, the external auditor, role duality, cross-directorships and the presence of an internal auditor, to name a few.

Importance of Corporate Governance

The governance of corporations is as important to the world economy as the government of countries (Wolfensohn, 1999, as quoted by Gregory and Simms, 1999). This underscores the importance of corporate governance to our daily lives, given that the private sector has been assigned the role of engine of growth. Narrowly defined, corporate governance is the relationship between managers, directors and shareholders; more widely, it extends to stakeholders and society. A broader definition encompasses the combination of laws, regulations, listing rules and voluntary practices that enable a corporation to attract capital, perform efficiently, generate profit and meet both its legal obligations and general expectations (Gregory and Simms, 1999). Essentially it concerns the means by which a corporation assures investors that well-performing management is in place and that the corporate assets provided by investors are being put to appropriate and profitable use. Such assurance is therefore at the heart of what effective corporate governance is all about.

Meanwhile, internal auditing as defined by the Institute of Internal Auditors (IIA) is:

“an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”.

The IIA adds consulting activities to the more traditional assurance services in characterizing the work that internal auditors perform. In addition, the definition emphasizes the concept that internal auditing should add value to the organization. Furthermore, besides the familiar topic of internal control, two additional areas, i.e. risk management and governance, are specifically mentioned.

Both assurance and consulting are where internal audit fits in, although overall responsibility rests with the board of directors. It is therefore the role of the internal auditor, as the eyes and ears of management and the board, to ensure that the interests of shareholders as well as stakeholders are served. To illustrate the role of the internal auditor, the Dey report issued by the Toronto Stock Exchange provides a practical definition of corporate governance for the purposes of this discussion:

"… the structure and the process used to direct and manage the business affairs of the corporation with the objective of enhancing shareholder value…"

The intertwined relationship between internal audit and corporate governance is unique in that each can influence and be influenced by the other. Effective corporate governance creates a strong internal audit. Governance is the responsibility of the board, which sets the tone at the top through vision, mission and values statements supported by a code of ethics. A board of directors that is concerned with the overall management and governance of a corporation takes every possible measure to ensure that the business is run not only efficiently, effectively and economically but also ethically. Thus, instead of operating solely on the ground of the "Efficient Market Hypothesis", an ethical filter must be visibly applied. Indeed, ethical consideration must form the foundation of corporate activity (Chapra, 1992). Where ethical considerations are taken seriously, corporate governance stands strong, since corporate governance is very much centred on ethics. This approach to the relationship between the board and the internal audit department is a top-down approach to inculcating corporate governance.

On the other hand, a good internal auditor may spur good governance. This is a bottom-up approach, in which awareness and concern are sown by the internal audit profession through the prevailing concerns of its professional body. Since internal audit is a subset of, or a unit within, the corporation, it can exert a certain degree of influence on good governance practice within the company. (See Appendix 1)

The Role of Internal Auditor

The Malaysian Code on Corporate Governance (the Code), in Best Practices Provision AA I Part 2, clearly outlines six specific responsibilities of the board in discharging its stewardship duties. Of these six, two have a particularly close affinity with internal audit, in which it could play an effective and meaningful role. (See Appendix 2)

-Identifying principal risks and ensuring the implementation of appropriate systems to manage these risks

-Reviewing the adequacy and the integrity of the company’s internal control systems and management information, including systems for compliance with applicable laws, regulations, rules, directives and guidelines.

Even though the internal auditor could play a positive role in every aspect of corporate governance set out in the Code's six specific responsibilities of the board, it is in the risk management and internal control functions that internal audit can contribute the most to the objectives of enhancing shareholder value and safeguarding the company's assets. The ability of the internal auditor to identify risks in a process, assess the available controls and then recommend the relevant control activities and monitoring mechanisms for the risks identified would certainly reduce the likelihood of larger losses. This has a direct bearing on the bottom line and consequently increases shareholders' wealth. The principle that higher risk brings higher return requires any corporation to have a well-organized function to control risk through a risk assessment process. This process is indispensable if a corporation is to fulfil its objective of enhancing shareholder value, since risk cannot be completely eliminated, only mitigated.

Risk Management and Internal Auditor

Risk management is fast becoming a new area on which internal audit should focus. Contemporary internal auditing is based on the identification of the strategic, operational and financial risks facing the corporation and on the way management mitigates those risks in a dynamically changing context. In developing this new area (risk identification), internal audit can be involved either directly (as part of a project team) or indirectly (as a consultant) in ensuring that the corporate objectives of enhancing shareholder value and safeguarding the company's assets are achieved. Whichever hat the internal auditor wears, he should be continuously involved in monitoring and reporting on the processes established within the organization to ensure that significant risk exposures are understood and managed appropriately. The Basel Committee on Banking Supervision stated that:

“Banking supervisors should require banks to have an effective system in place to identify, measure, monitor and control operational risks as part of an overall approach to risk management….Supervisors should consult with the internal and external auditors, as appropriate, to determine the adequacy of the risk assessment methodology used by the bank”.

The committee's statement on the need to consult the internal auditor supports the recommendation of the Blue Ribbon Committee (BRC) that an audit committee be established as a more effective and efficient vehicle for strengthening corporate governance. The added responsibilities of the audit committee necessitate a support structure designed to facilitate its work and to assure compliance with the BRC recommendations. The internal audit department (IAD) is ideally suited to provide such a support structure. Internal auditors are experts in risk assessment and internal control evaluation, including control compliance monitoring (Lightle and Bushong, 2000). Furthermore, the IAD is often organizationally independent of management, with a direct reporting line to the board of directors or the audit committee.

To ensure that the objective of optimizing and safeguarding shareholders' wealth is achieved, the IAD is expected to contribute by helping management to identify risks and by providing feedback on the effectiveness of risk management activities. Here the internal audit department can act both as a consultant and as a provider of assurance, but at different stages of implementation. Helping management to identify risks is consultative in nature, whereas providing feedback on the effectiveness of risk management activities is an assurance task.

The IAD, which understands the complexities of the industry in which the corporation operates and the nature of the corporation itself, is probably the best entity for management and the board to turn to for consultation on managing risk. Consulting is most appropriate during the introduction of the risk assessment methodology, when the IAD devises a risk profile based on, among other things, an analysis of the prevailing "mood" of the industry, benchmarking against industry standards and best practices, and an analysis of each critical process. In other words, during this phase the IAD provides management and the board with systematic ways of identifying, locating and monitoring the risks inherent in the industry, giving them much better insight into any decision to be made. The internal auditor thus ensures that management has a formal process by which risks are identified and assessed, and that this process has a framework which ensures the completeness of the risk assessment. After the first phase of identifying risks and reporting them to management, the risks need to be assessed. This is an area where control self-assessment is often used. During risk assessment, the internal auditor, by virtue of the profession, can recommend to management a method of evaluating risk management activities against recognised control models (e.g. COSO, CoCo). This enables best practices to be adopted and provides a basis for directors to report on the effectiveness of controls, as is increasingly required by corporate governance disclosure rules.

Meanwhile, the process of providing assurance is in fact an extension of the earlier phase of identifying risks (in which the IAD was involved as a consultant). Since management is answerable to shareholders for achieving the corporation's objective, management should conduct regular independent evaluations of the company's strategies, policies, procedures and practices relating to risk. Such an evaluation would generally cover the effectiveness of the company's risk management process and overall controls; the systematic monitoring and reporting of risk exposures; the procedures for timely and effective resolution; and the effectiveness of risk mitigation efforts. If put into practice, these tasks would fall mainly to the internal auditor, who would assess the results of the risk analysis to ensure that the strategic objectives are appropriately covered by the risks evaluated. While evaluating the effectiveness of risk management is a role shouldered by management, any reasons identified as hindering that effectiveness should properly come from the assurance work performed by the internal auditor. This feedback helps management to understand further the risks faced and to plan the direction of the business accordingly. For the business plan to be executed smoothly, the internal auditor, with the endorsement of the board and senior management (including the audit committee), needs to establish an audit plan linked to the risk assessment, in areas where internal audit has the necessary skills to provide the relevant assurance. Management and the board would also want to receive this feedback through a proper mechanism with the highest possible degree of independence. Since the internal auditor already has a mechanism for informing management through the audit committee, with some degree of independence and impartiality (compared with directly involved staff), the reporting mechanism on risk management is best placed with the IAD. The IAD can perform and report the planned work in a manner that addresses the identified risks and enhances the understanding of those risks. In addition, it needs to ensure the continued relevance of the risk management framework and the audit plan.

Internal Control and Internal Auditor

Another factor in ensuring good governance is closely related to the more traditional role of internal audit, namely internal control. Broadly, internal control is a process, effected by a company's board of directors and management, designed to provide reasonable assurance regarding the achievement of the company's objectives. This definition, provided by the IIA Malaysia, is in the same spirit as the Dey report's definition of corporate governance quoted earlier in this paper. In essence, the corporate governance process in relation to both controls and risk management is composed of "the procedures utilized by the representatives of the organization's stakeholders (e.g., shareholders, etc.) to provide oversight of risk and control processes administered by management" (Colbert, 2002).

In Malaysia, the importance of internal control in the corporate governance process is evidenced by the Kuala Lumpur Stock Exchange (KLSE) listing requirements, paragraphs 15.26 and 15.27, under which a listed issuer must include in its annual report a statement on the state of internal control of the group. This was further stressed in the "Statement on Internal Control: Guidance for Directors of Public Listed Companies" issued by the Taskforce on Internal Control.

The above requirement is essentially a disclosure requirement, providing guidance to directors of public listed companies on making disclosures in the annual report. For the board to issue such a statement with reasonable assurance, the underlying groundwork must be performed, and the responsibility for providing that assurance rests primarily on the internal auditor's shoulders. When performing assurance engagements, internal auditors independently design and execute the work. Because assurance engagements yield an objective examination by the internal auditors, they receive more attention from external auditors, management and board members than consulting services do. The KLSE's emphasis on reporting on internal control is seen as a potent weapon in the ongoing effort to protect shareholders and the investing public. To ensure effective reporting, internal audit should report to the audit committee on the adequacy and effectiveness of internal controls. The report should be coordinated and should draw on both representations from management about the sufficiency of internal controls and the results of control system tests performed by the internal auditors. The audit committee should then evaluate the adequacy of the report and make appropriate recommendations to the board for public reporting.

The results of a preliminary survey conducted during the final quarter of 1999 by the MICG, the IIA and Ernst & Young on risk management and the internal audit function revealed the need for public listed companies to establish their own internal audit function and risk management process in order to promote good corporate governance. With stronger internal controls, public listed firms can operate more efficiently, which in turn would improve their bottom line as well as shareholder value. The survey of 120 listed companies showed that 28% did not have an in-house internal audit function. Of the 28% without an in-house internal audit function, 14% indicated that they outsourced their internal audit function. Additionally, 73% did not indicate how the internal audit function was performed in their companies.

On risk management, 95% of the listed firms indicated that they were familiar with its importance; some 85% said that they had processes in place to identify and assess risks, 90% claimed to have assessed their major risks, and 58% claimed to have risk mitigation strategies. Moreover, current public reporting on controls is generally limited to accounting controls over financial reporting and does not address organizational risks. The survey indicates that the internal auditor has a very important role in ensuring that internal control and risk management are properly addressed.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its publication "Internal Control-Integrated Framework", defines internal control broadly and does not limit it to accounting controls over financial reporting. While financial reporting (normally examined by the external auditor) is important, the other aspects of the business relating to resource protection, operational efficiency and economy, and compliance with rules, regulations and policies (normally covered by the internal auditor) are also exceedingly important. Further, COSO drives home the point that effective internal control is management's responsibility and requires the participation of everyone within the organization to be effective.

The organization’s report on internal controls should be sufficiently comprehensive to give the audit committee a reasonable basis for drawing conclusions about the adequacy and effectiveness of internal controls. To provide this comprehensive information and to ensure that multiple viewpoints are considered, the report on controls should be based on information from a variety of sources, including independent evaluations of risk and control systems performed by internal auditors; reviews of internal controls performed during the external audit; management’s opinions on significant risks and the sufficiency of controls, and the associated reports provided to the board of directors; and any other activities that could have a material impact on the board’s consideration of risk management and the sufficiency of internal controls.