Risk management and risk based internal auditing




Heads of Internal Audit Service Benchmarking Report

Risk management and risk based internal auditing

Introduction

This report contains the results of the HIAS survey entitled Risk management and risk based internal auditing. The results include answers from all respondents who took the survey in the 9 day period from 25 January 2008 to 2 February 2008. Fifty eight completed responses were received during this time from a broad cross section of private and public sector organisations, the majority of whom employ over 1000 employees.

Risk management

The results show that risk management has a high profile within most of the organisations that participated in the survey, with 81% having a stand-alone risk policy or an internal control policy that incorporates risk.

Leadership

We asked where the leadership responsibility for the design and implementation of a risk strategy lay. 66% of organisations have leadership at senior level having either appointed a Director of Risk Management (30%) or allocated the responsibility to either the Chief Executive, or the Finance Director, each standing at 18%. A further 16% of organisations have entrusted this duty to a committee or steering group and 5% to the Company Secretary.

We would expect high profile senior leadership to provide a firm foundation for the delivery of risk management and the survey results confirm organisations have demonstrated a strong commitment; 70% of respondents strongly agree or agree that risk management has received management support. A total of 58% of respondents have also declared that their organisation has developed risk management to the point of being risk enabled or risk managed. Whilst this is encouraging, the results also show that there is further work to be done to improve risk management processes.

13% of organisations have assigned the leadership responsibility for risk strategy to the Head of Internal Audit.
42% of organisations have only just begun to think about, plan or implement risk management and, within this group, one-third of respondents (8 in total) felt that their organisation was not showing a strong commitment to risk management.

Scope

It is apparent from the chart below that where risk management has been implemented it is applied to a wide range of activities.

[Chart: Areas of risk activity. Categories: Health, safety and environment; Finance; IT security; Strategic objectives; Project management; Insurance; Customer service; Partnerships and joint ventures; Acquisitions and mergers; Other (fraud). Axis: 0% to 100%.]

Processes

Spreadsheet is by far the most common platform for documenting risks, either in stand-alone format or a central group of spreadsheets available via a shared network drive. This accounts for half the risk management activity recorded in the survey, with a further 20% using an in-house designed process that is networked using an intranet. Approximately one-third of respondents reported the use of purchased risk management software.

The overwhelming majority of respondents, 72%, indicated that their chosen method of risk documentation supported and helped the effectiveness of risk management. Although at a lower level, 53% expressed the view that there is clear evidence to support positive or significant improvements within the business arising from risk management.

There is a mixed set of results in relation to risk practices, as indicated in the table below. While the majority of respondents feel there is sufficient clarity around risk terminology, definition of risk appetite and analysis of risk scores, a significant number are unsure or disagree. This is most marked with regard to quantifying the financial impact of risk, indicating this is an area of difficulty in most organisations.

My organisation has:                              Strongly agree/Agree   Strongly disagree/Disagree   Neither agree nor disagree
A clearly defined risk terminology                67%                    16%                          17%
Consistently analyses/scores risks                62%                    22%                          16%
Set a risk appetite                               55%                    25%                          20%
An effective method to quantify financial risks   32%                    34%                          33%

Risk management and internal audit

The survey results shown in the tables below provide an insight into the roles and priorities that internal audit adopt in relation to risk management. Most prominent among these roles is giving assurance that risk management processes are applied and that risks are being managed, providing an indication of the extent of risk based internal auditing within organisations.
Roles in relation to risk management                          Count   Percent
Giving assurance that risk management processes are applied   51      87.9%
Giving assurance on the management of risks                   47      81.0%
Giving assurance on the reporting of risk                     40      69.0%
Facilitating the identification & evaluation of risks         40      69.0%
Implementing risk management procedures                       11      19.0%
Implementing risk responses                                   4       6.9%
None                                                          2       3.4%

Key priorities of the internal audit plan                               Count   Percent
Assurance on the management of risks                                    46      79.3%
Assurance there is compliance with financial controls                   43      74.1%
Assurance there is compliance with IT controls                          41      70.7%
Assurance that risk management procedures are being applied             40      69.0%
Assurance there is compliance with legal and contractual requirements   40      69.0%
Assurance on the reporting of risks                                     32      55.2%
Providing consulting services to management                             20      34.5%
Other                                                                   0       0.0%

In addition to the tables, 75% of respondents indicated that the priorities they have established are closely related to areas where the audit committee and senior management have requested assurance.

The overwhelming majority of respondents, 79%, also feel that they have developed the skills and experience needed in their organisation to perform risk based internal auditing. Only a small percentage, 9%, has expressed the view that internal auditors in their organisation are not equipped to take on this role and responsibility.

Conclusions

The survey results show that most organisations have a strong commitment to risk management and have established roles, responsibilities and processes that cover a wide range of activities. However, while many are developing a risk culture, there remains a minority where progress has been slow or, in some cases, there is a reluctance to embrace risk management.

There is a mixed set of results in relation to risk practices, indicating that further work is required in some organisations to define terminology, risk appetites and scoring to ensure consistency and clarity. It would also seem that there is significant uncertainty about how to quantify the financial impact of risk, indicating there is no simple, universally accepted method.
On the whole, internal auditors are applying risk based internal audit practice, providing assurance that the risk management processes designed by management are being applied and providing assurance that risks are being managed in accordance with audit committee and senior management requirements. However, it is apparent from the results that some internal auditors are also involved in implementing risk procedures and responses.

1) What is your industry sector (choose one from this list):
  - Banks and building societies
  - Insurance
  - Other financial services
  - Food and drink
  - Manufacturing and engineering
  - Media and leisure
  - Retail
  - Telecommunications
  - Utilities
  - High technology
  - Other private sector
  - Voluntary/charity
  - Education
  - Central government
  - Local government
  - Health
  - Other public sector
  - None of the above

2) How many employees are employed in your entire company, including all plants, divisions, branches and subsidiaries?
  - 1-24
  - 25-99
  - 100-249
  - 250-499
  - 500-999
  - 1,000-9,999
  - 10,000 or more

3) Does your organisation have a risk policy with objectives, roles and responsibilities?
  - No
  - No - planned or in progress
  - Yes - a stand alone risk policy
  - Yes - as part of a combined policy eg Internal Control

4) Who has leadership responsibility for the design and implementation of a risk strategy?
  - Chief Executive
  - Company Secretary
  - Finance Director/Financial Controller
  - Director of Risk/Risk Management
  - Director of Internal Audit/Chief Internal Auditor

5) What is the level of your organisation's risk maturity?
  - Risk Naive - no formal plans for risk management
  - Risk Aware - consulting & planning to implement risk management
  - Risk Defined - early stages of implementation
  - Risk Managed - established risk management with planned extension/development
  - Risk Enabled - fully established & effective risk culture at all levels

6) In which areas/activities is risk management applied in your organisation? (tick all that apply)
  - Strategic objectives
  - Finance
  - Hazards (health, safety & environmental)
  - Insurance
  - Customer Service
  - IT Security
  - Project Management
  - Partnerships & Joint Ventures
  - Acquisitions & Mergers

7) How do managers in your organisation document risks?
  - using a stand alone spreadsheet
  - using a stand alone purchased software package
  - using an in-house designed intranet/networked system
  - using a purchased intranet/networked system

8) Does the method for documenting risks, highlighted in the previous question, help or hinder the effective management of risks?
  - It helps
  - It hinders
  - I don't know

9) In general does risk management increase the likelihood of achieving business objectives/outcomes for the organisation?
  - no evidence
  - limited evidence of improved performance
  - clear evidence of positive improvements
  - clear evidence of very significant achievements

10) To what extent do you agree with the following statements?
Scale: strongly agree / agree / neither agree or disagree / disagree / strongly disagree
  - My organisation has a strong commitment towards risk management
  - My organisation has clearly defined its risk terminology
  - My organisation has set a risk appetite or risk appetites as appropriate.
  - My organisation has a consistent approach to analysing/scoring risks
  - My organisation has an effective method for quantifying the financial impact of risks

11) What roles does internal audit perform in your organisation in relation to risk management? (tick all that apply)
  - None
  - Giving assurance that risk management processes are applied
  - Giving assurance on the management of risks
  - Giving assurance on the reporting of risk
  - Facilitating the identification & evaluation of risks
  - Implementing risk management procedures
  - Implementing risk responses

12) What are the key priorities of your Internal Audit Plan? (tick all that apply)
  - Assurance that risk management procedures are being applied
  - Assurance on the management of risks
  - Assurance on the reporting of risks
  - Assurance there is compliance with legal and contractual requirements
  - Assurance there is compliance with financial controls
  - Assurance there is compliance with IT controls
  - Providing consulting services to management

13) To what extent do you agree with the following statements?
Scale: strongly agree / agree / neither agree or disagree / disagree / strongly disagree
  - Internal auditors in my organisation have sufficient skills & experience to apply risk based internal auditing?
  - Internal auditors in my organisation devote enough time to the internal controls that The Audit Committee and senior management want assurance upon?
  - There is sufficient flexibility and contingency time in our internal audit plan to look at the adequacy and effectiveness of internal controls for new risks as they arise?

The Institute of Internal Auditors UK and Ireland (IIA)

The IIA has been leading the profession of internal auditing for over 60 years. We are the only body focussed exclusively on internal auditing and we are passionate about supporting, promoting and training the professionals who work in it. Every year we help thousands of internal auditors at every stage of their career with training, qualifications and technical resources enabling them to deliver exceptional results for their organisations.

Our International Standards and Code of Ethics unite a global community of over 130,000 IIA internal auditors. These Standards mean that employers can be sure that IIA members across the world operate with integrity and to the highest levels of professional competency.

About Heads of Internal Audit Service benchmarking reports

The IIA recognises that heads of internal audit need specialist information and support to help them respond to the demands of a competitive and increasingly regulated business climate. The Heads of Internal Audit Service is a complete and exclusive service designed specifically for the leaders of the profession to keep them up to date and to provide them with introductions to their contemporaries and opportunities to discuss successes and concerns in confidence with their peers. Other services include access to technical updates, a quarterly newsletter, a series of professional forums, and specifically commissioned research.

The benchmarking reports are designed to help HIAS members make the most of the Service's networking opportunities. Service members can pose a question to other Service members to help them identify best practice on a particular issue. Service members can submit a question for consideration as an Enquiry by emailing chris.baker@iia.org.uk or technical@iia.org.uk.

Disclaimer

This material is not intended to provide definitive answers to specific individual circumstances and as such is intended to be used only as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

www.iia.org.uk
The Institute of Internal Auditors UK and Ireland Ltd
13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX
Tel 020 7498 0101
Fax 020 7978 2492
Email technical@iia.org.uk
Registered in England and Wales, no. 1474735
Information can be made available in other formats