One of the key things to establish when developing an internal audit function is for the internal auditor to get to grips with the key risks facing an organisation, the attitude of the organisation to accepting and managing those risks, and the key controls that have been designed to mitigate them.
Business-specific internal audit functions lay out the powers of internal auditors. The specifics of this will be unique to individual organisations, but we can get some idea of how this should all work by looking at an example.
One sector where internal audit potentially plays a big part is banking.
Businesses such as HSBC have their own internal audit functions and charters which lay out the responsibilities and powers of internal auditors.
Specific risks will vary from bank to bank depending again on its own unique situation but there are some generic risks that will cut across most if not all banks.
Let's take two possible areas of risk focus for banks – and in practice there will be many more. One key risk for banks to manage concerns the investments they make: these need to follow certain rules so that they are not inappropriate or excessively risky.
One only has to recall the banking crisis of 2008 and the collapse of Lehman Brothers, along with the effective nationalisation of many other banks around the world, to be aware of just how catastrophic the consequences of getting investments wrong can be.
So in a bank, one would expect to see some very strong controls around investment management to guard against a repeat of the 2008 situation.
Another key risk area for a bank is around liquidity. The key consideration here is to ensure that a bank has sufficient funds available to make pay-outs when they are required. This is not as easy as it sounds.
Banks often hold accounts with millions of individuals and businesses (HSBC for example has around 40 million customers) and have amazingly high values of assets involved (in 2019 it was reported that HSBC had over $2.7 trillion of assets). Now, of course, in effect this money is not really theirs; it represents the investments of others who effectively lend them their funds and one day will want them back again.
The key consideration here is to ensure that the bank has enough money to pay investors back as and when repayment is required. In practice it is inconceivable that all of HSBC's investors will want their $2.7 trillion back on the same day. But it is possible that an extreme event such as that of 2008 will lead to a run on the bank, where greater amounts of repayments than normal are required.
Guarding against risk
To guard against this risk – the specific risk being that the bank runs out of money – the bank will need to run stress tests which show how it would cope with such a situation. These stress tests are in practice a key internal control.
These risks around investment management and liquidity are just two of a number that are likely to feature as high risk/high potential impact categories for many banks. The internal auditor would need to fully assimilate these and factor them into the internal audit planning process.
These high risk/high impact categories should define the content of annual internal audit plans for the upcoming period.
By concentrating the plan on conducting assignments in these critical areas, the internal auditor ensures that they themselves become a key part of the risk management process. This means that they are playing a key part in helping to ensure that the risks of corporate failure are mitigated.
Wayne Bartlett is an author for accountingcpd.