A risk-based audit model for internal audit engagements
Abstract
English: Many factors have played and are still playing contributing roles as to why internal
auditors need to perform internal audit engagements more effectively and efficiently. The
internal audit profession finds itself within a rapidly changing environment. The external
factors affecting the profession include the various pieces of new guidance and
legislation that are constantly being issued, the current global financial crisis, the
occurrence of corporate and public scandals and the increased globalisation of the
business environment, to name but a few. Internal factors within the organisation include
management’s increased demand for internal auditing to add value, the enhancement of
coordination between all the various assurance providers, such as the external and
internal auditors, and the increased role of internal auditing in assisting with the
management of risks that threaten the achievement of the organisation’s objectives.
Within this environment the internal audit profession is growing at a tremendous rate, but
at the same time it is reported that there is still a scarcity of competent internal auditors,
especially in the fields of information technology and risk management. The Institute of
Internal Auditors, as the governing body of the profession, is attempting to address this
need by continuously issuing new professional guidance and performing research
studies to provide its members with information and direction.
This study investigates the evolution of the internal audit profession as well as the
concepts of corporate governance and risk management, and the role of internal auditing
within these fields. It specifically focuses on how internal auditors can incorporate risk in
the execution of an internal audit engagement to improve their methodology; thus
performing engagements more effectively and efficiently. A comprehensive literature
review was conducted on these topics and a preliminary risk-based internal audit
engagement model was developed based on the literature. Thereafter, organisations in
both the private and the public sectors in South Africa were examined via a maturity
scorecard to determine which organisations were risk mature. The top five risk mature
organisations in each sector were included in the second empirical study, with the main
objective of obtaining input from their chief audit executives to refine the initial risk-based
engagement model. Lastly, the model was tested in a practical scenario, using a case
study approach, to determine whether there may be improvements in the execution of
the internal audit engagement. The results of the three empirical studies were then used
to finalise the model.
The study concludes that the risk-based internal audit model can be used during the
planning phase of an assurance engagement, improving the process as follows:
• Areas with medium to high operational risks are included in the planning of the
internal audit engagement.
• Low-risk areas are not included in the planning phase other than on a surprise
basis according to the internal auditor’s professional judgement.
• High-risk areas (inherent risk) that remain high after appropriate controls have
been implemented (residual risk) are reported to management on a timely basis.
The use of this model will ensure that internal auditors focus on the areas that need
urgent attention and not waste time on areas that are comparatively insignificant. This
will mean that scarce internal audit resources can be allocated to areas where they will
add the most value to the organisation. Although it was not a main objective of this study,
it was found that the risk management framework and processes, and to a lesser extent
the role of internal auditing regarding risk-related aspects within the public sector, need
improvement to be in line with legislation, other guidance and best practices.
Afrikaans abstract, in English translation: Several factors were and still are relevant
reasons why internal auditors ought to perform an internal audit engagement more
effectively and efficiently. The internal audit profession currently finds itself in a
rapidly changing environment. External factors that affect the profession include the
constant issuing of various new legislation and guidelines, the current worldwide
financial crisis, corporate and public scandals, and increasing globalisation in the
business environment. Internal organisational factors include management’s increasing
pressure on internal auditors to add value, increasing coordination between the various
assurance functions, for example between the external and internal auditors, and the
increasing role of internal auditing in assisting with the management of risks that may
hinder the achievement of the organisation’s objectives. Within this environment the
internal audit profession is growing at a tremendous rate, but at the same time it is
reported that there is a scarcity of competent internal auditors, especially in the fields
of information technology and risk management. The Institute of Internal Auditors, the
governing body of the profession, attempts to address this need by continuously issuing
new professional guidelines and undertaking research in order to provide information
and direction to its members.
This study investigates the development of the internal audit profession as well as the
concepts of corporate governance and risk management, and the role that internal audit
should play within these fields. It focuses specifically on how internal auditors can
incorporate risk in the execution of internal audit engagements in order to improve their
methodologies; thus the more effective and efficient execution of engagements. A
comprehensive literature study on these topics was carried out, and a preliminary
risk-based internal audit engagement model, based on the literature, was developed.
Organisations in both the private and public sectors were thereafter examined by means
of a risk maturity scorecard, to determine whether the organisation is risk mature. The
top five risk-mature organisations in each sector were then included in the second
empirical study, with the main objective of obtaining the input of the heads of internal
audit departments in order to refine the preliminary risk-based engagement model.
Lastly, the model was tested in a practical situation, by means of a case study approach,
to determine whether there are possible improvements in the execution of the internal
audit engagement. The results of the three empirical studies were then used to finalise
the model.
The conclusion of the study is that the risk-based internal audit model can be used
during the planning phase of an assurance engagement in order to improve the process
as follows:
• Areas with medium to high operational risks are included in the planning of the
internal audit engagement.
• Low-risk areas are not included in the planning phase, except on a surprise basis,
based on the internal auditor’s professional judgement.
• High-risk areas (inherent risk) that remain high after appropriate controls have been
implemented (residual risk) must be reported to management on a timely basis.
The use of this model can ensure that internal auditors focus on the areas that need
urgent attention, and will not waste time on areas that are comparatively irrelevant. This
can mean that scarce internal audit resources can be allocated to areas where they can
add the most value to the organisation. Although it was not a main objective of this
study, it was found that the risk management framework and processes, and to a lesser
extent the role of the internal auditor regarding risk-related matters, must be improved
in the public sector in order to be brought in line with legislation, other guidelines and
best practices.