Managing risk : what should internal audit do?

Abstract

Internal auditors, having the required knowledge of risk management, organisational processes and internal controls systems, could perform a number of activities for the organisation in order to assist in managing risks. The Institute of Internal Auditors provides guidance to internal auditors indicating their related roles. Previous studies (which do not include a South African perspective) suggest that internal auditors’ involvement in these roles tend to differ between countries and could change over time. Additionally, while a key role for internal auditors is to identify and evaluate risks within an organisation, little guidance is provided as to how internal auditors should achieve this. This article explores internal auditors’ involvement in consulting and assurance activities within South African private sector organisations, and secondly, how internal auditors identify and evaluate risks within organisations. Data was collected by means of an online survey instrument, directed at chief audit executives. Survey results indicated that internal auditors have a large degree of involvement in providing assurance on risk functions, a moderate degree of involvement in providing consulting activities and a limited degree of involvement in risk management roles. Internal auditors utilise previous experience and various external sources of information, when identifying risks, and consider risk impact in both a qualitative and quantitative manner. Statistical analysis reveals that the internal auditors’ degree of involvement in the various roles differs in the manufacturing and financial services sectors.