International Journal of Finance and Accounting

p-ISSN: 2168-4812    e-ISSN: 2168-4820

2013;  2(2): 61-66

doi:10.5923/j.ijfa.20130202.02

Internal Audit Function in Relation to Enterprise-Wide Risk Management (EWRM) Practices

Norlida Abdul Manab (1), Mohd Rasid Hussin (1), Isahak Kassim (2)

(1) School of Economics, Finance & Banking, College of Business, Universiti Utara Malaysia (UUM), 06010 Sintok, Kedah, Malaysia

(2) Faculty of Information Technology and Quantitative Sciences, Universiti Teknologi MARA (UiTM), 40450 Shah Alam, Selangor, Malaysia

Correspondence to: Norlida Abdul Manab, School of Economics, Finance & Banking, College of Business, Universiti Utara Malaysia (UUM), 06010 Sintok, Kedah, Malaysia.

Copyright © 2012 Scientific & Academic Publishing. All Rights Reserved.

Abstract

This paper examines the internal audit roles and functions in the Enterprise-Wide Risk Management (EWRM) practices of Public Listed Companies (PLCs) in the service sector. A triangulation approach was adopted to obtain enriched data collection and analysis for the study. From the survey analysis, the findings showed that 85.7 percent of EWRM programs in financial companies were under the direct supervision of a risk management department, as compared to only 34.1 percent in non-financial companies. This result was quite surprising, as more than half (51.3 percent) of the EWRM programs in non-financial companies were actually under the supervision of an internal audit department. However, only 47.2 percent of the companies were found to have their own internal audit, while 52.6 percent reported that they outsourced their audit activities. Quite interestingly, the overall result from the case study analysis found that the internal auditor plays a dual function, as an internal auditor and also as a risk manager.

Keywords: Enterprise-Wide Risk Management, Internal Audit, Corporate Governance, Triangulation

Cite this paper: Norlida Abdul Manab, Mohd Rasid Hussin, Isahak Kassim, Internal Audit Function in Relation to Enterprise-Wide Risk Management (EWRM) Practices, International Journal of Finance and Accounting, Vol. 2 No. 2, 2013, pp. 61-66. doi: 10.5923/j.ijfa.20130202.02.

1. Introduction

Companies’ risk environment and their perception of risk have changed over the years. Most organizations have now moved from the traditional way of managing risks to a more integrated approach to the management of risks, known as integrated or enterprise-wide risk management (EWRM). This new type of risk management program considers and manages all sources of risk, regardless of their type. It engages everyone within the entire organization, starting from the very top at the governance level, right down to the very bottom at the level of ordinary employees.
The emergence of EWRM had also caused a paradigm shift in respect of the internal audit function. The Malaysian Code on Corporate Governance (MCCG) added a new function to the internal audit role of risk management. The code itself requires the internal auditors to monitor the potential risk exposures. Such a requirement undoubtedly brought about a dramatic shift in respect of the internal audit function from a control-based approach to the risk-based approach.
The scope and functions of internal audit have expanded over time in response to today's rapid environmental changes. Its functions have developed in stages, starting with the review of financial statements and other accounting functions. This was followed by a focus on compliance audit, assessing internal control and operating processes, and eventually adding a role in risk management. Risk assessment as part of internal auditing is increasingly used to identify, measure, and prioritise risks so that the focus is placed on the auditable areas of greatest risk. Risk-based auditing moves the focus from the past (the historical operation of the internal control system) to the future, where auditors test the way management mitigates risks[1]. With this new function, auditors could possibly enhance their existing roles, provide better services and eventually assist corporate entities/organizations in formulating risk management policies and effectively carrying out the risk management process as a whole.
However, internal audit is independent and has traditionally been most concerned with internal control. With a new function, how would its involvement in EWRM practices ensure that the internal audit activities do not contradict its original roles and functions? Also, what essentially is the internal auditors’ responsibility with regard to risk management activities, or specifically leading the EWRM effort in particular? Hence, in answering these pertinent questions, it is important to look at the two-fold objectives of this particular study. The first is to examine the role of the internal audit function in respect of EWRM practices. The second is to examine how effective the EWRM programme is under the supervision of internal audit as compared to the risk management department. The next sections discuss the review of related works, the methodology used, and the analysis of the findings, including discussion and conclusion.

2. Literature Review

2.1. Enterprise-Wide Risk Management (EWRM) Concept

There are four (4) important issues in relation to the EWRM concept. First, EWRM views risk in a more complete, consistent, and collective way rather than focusing only on hazard or financial risk[9]. It is engaged with all types of risk currently faced by business entities. The risks are commonly categorised as hazard risk, financial risk, operational risk, and strategic risk ([8],[23]).
Second, EWRM is a framework. As in[5], the EWRM framework involves a process of identifying, defining, quantifying, comparing, prioritising, and treating all types of risks facing an organization. Reference[5] added that the EWRM process requires a wide range of tools and methodologies, which help to explain the relationship between the risk profile and its impact on shareholder value.
Third, the EWRM definition encompasses the idea that everyone within an organisation is responsible for managing risks. EWRM actually involves the overall human resource, that is, people at all levels of the entire organization. The successful implementation of EWRM depends highly on the efficiency and effectiveness of management, which is required to identify and evaluate the company’s risks and to design, operate, and control an internal control system to address those risks[22].
Finally, the underlying concept of EWRM is that each type of organization, whether profit, non-profit, or government agency, provides value for its stakeholders[7]. This has been stressed in the definition of EWRM and in the EWRM concept itself. The EWRM definition as in[10] and studies as in ([12],[14],[16],[20]) showed the important role of EWRM in creating shareholder value within the organization.

2.2. Internal Audit Function

The internal audit function and its role in risk management were addressed by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in 1992, specifically to improve corporate governance through an internal control system. The function has moved from a control-based approach to a risk-based approach by focusing on risk management and corporate governance, and adding value at the same time[24]. The reason for the shift in the internal audit function is that risk management is too important to be left to the risk manager alone[4]. Referring to a survey by the Institute of Internal Auditors Malaysia and Ernst and Young[19], the involvement of internal audit in risk management is to provide independent assurance over risk management practices, and to develop and assist in the development of the risk management framework.
In accordance with the new role of the internal audit function, the Malaysian Code on Corporate Governance (MCCG) 2000[11] added risk management as a new function of the internal audit role. The Best Practices Provision BB VIII in Part 2 states that the internal audit functions must be free from the activities that they audit. This provision is intended to prevent conflicting functions from occurring in the performance of their duties. It requires internal auditors to assume responsibility for monitoring enterprise risks.
Although the role of the internal audit function and its relation to risk management are clearly stated in the MCCG 2000, in its definition by The Institute of Internal Auditors Malaysia Code of Ethics, and in other related sources, no specific duty has yet been imposed on internal auditors by securities laws[2]. Moreover, according to the Malaysian Institute of Internal Auditors in[21], only 50 percent of PLCs have their own internal audit.
Realizing the important function of internal audit in PLCs, as well as its role in risk management, an amendment was made in the Revised Malaysian Code on Corporate Governance, which was issued in October 2007[15]. The revised code requires all PLCs to have an internal audit function. So as to preserve the independence of the internal audit function, the report must be made directly to the audit committee.
However, there is an argument about the roles and functions of internal audit in EWRM. The Best Practices Provision BB VIII in Part 2 of the MCCG 2000 is aligned with the statement in[13] (p.7) that “risk management is not a natural function of audit and is unlikely to become one”. This means that risk management should not be led by the internal audit division[17].
In conjunction with EWRM implementation, the chief audit executive and internal audit can play their roles as educator, facilitator, coordinator, evaluator or integrator[17]. Reference[18] suggested that the function of internal auditors in enterprise risk management can be regarded as that of a consultant to senior management, in order to improve the overall risk management system and the key areas of the business. The audit function acts as a control system to ensure that management manages the risks in its area of responsibility, and makes recommendations. The function can be described as an independent insider or the in-house regulator[2]. In modern business terms, internal auditing is given a dual role in EWRM: it acts as a provider and also as an advisor[6].
Even though both internal audit and risk management provide advice and service to top management, their functions and perspectives are different. Risk management is about managing risks as well as maximising the company’s value, whereas the role of audit is essentially that of a monitoring system[13].

3. Method

The study adopted a triangulation approach, a combination of a survey and a case study, as its research methodology. Quantitative and qualitative methods were adopted in order to provide both descriptive and interpretive forms of empirical evidence. The survey offered empirical evidence on EWRM practices from the companies’ perspectives, derived from their knowledge and experience in the area. The case study, in turn, provided an in-depth investigation of EWRM implementation in a real-practice context.
The sampling frame was obtained from Bursa Malaysia Listed Companies, which includes the Main and Second Boards of listed companies of all types of sectors. One hundred and thirty-two (132) listed companies in the service sector were successfully contacted and 85 companies agreed to participate. The questionnaires were mailed to these 85 public listed companies (PLCs) in the service sector, comprising financial and non-financial companies. Out of the 85 questionnaires mailed, only 55 companies responded, although several follow-up procedures had been carried out. The number of responses is considered high compared with other studies in EWRM, such as ([3],[12]).
As for the qualitative approach, four (4) companies were selected and interviewed as case studies. The selection of the case studies was based on the uniqueness of the companies in terms of the status of EWRM implementation, the type of company, and the department in charge.

4. Findings

4.1. Survey Analyses

Almost all companies (98.0 percent) acknowledged that they had an internal audit. All financial companies reported that they had an internal audit and, similarly, 97.4 percent of the non-financial companies did the same. Although these companies stated that they had an internal audit, some of them actually outsourced their internal auditing to an external party/consultant.
Table 1 shows that of all the financial companies (100 percent) that had an internal audit, 78.6 percent had their own internal audit and the remainder (21.4 percent) pointed out that they hired a consultant for internal auditing purposes. In non-financial companies, however, the result showed that of the total number of companies that had an internal audit, only 47.4 percent had their own internal audit and 52.6 percent reported that they outsourced their audit activities.
With regard to EWRM, the study found that 47.27 percent of the EWRM programmes were placed under the risk management department and 40.0 percent of the programmes were under the supervision of the internal audit department, followed by the finance department and other departments.
The result also showed that 85.7 percent of the EWRM programmes in financial companies were under the supervision of the risk management department, as compared with 34.1 percent in non-financial companies. The result indicated that the placement of the EWRM programme depended on the type of company, as 85.7 percent of financial companies placed their EWRM programme under the risk management department.
Table 1. Internal Audit and Department in Charge on EWRM According to Type of Company
The result was quite surprising, particularly in non-financial companies, where more than half (51.3 percent) of EWRM programmes were under the supervision of the internal audit department, 12.2 percent under the finance department, and 2.4 percent under other departments. Of the companies that assigned the internal audit department to look after the EWRM efforts, 52.6 percent outsourced their internal audit activities. The result also showed that the remaining 14.3 percent of EWRM programmes in financial companies were placed under the internal audit and finance departments.

4.2. Case Study Analyses

Table 2 presents information on the personnel and department in charge of EWRM activities in the four (4) case studies conducted. The EWRM activities in Company A and B were supervised by the head of risk management under the risk management department, whereas in Company C and D the activities were controlled by the Internal Auditor under the internal audit department.
Table 2. Department and Person in Charge and Type of Company
Company A and B, which represented the non-financial and financial companies respectively, placed their risk management activities under the supervision of the risk management department. It is rather convincing to note that these companies were extremely serious in their risk management efforts. To implement EWRM effectively, the companies were very concerned with selecting the right people within a specific unit or department to supervise the risk management activities.
The other two (2) non-financial companies, Company C and D, assigned the internal audit department to monitor the EWRM activities. Even though the role of the internal auditor in risk management was only that of a risk coordinator or in-house risk management consultant, there was serious concern about the internal auditing functions in EWRM. Basically, both individuals in Company C and D who were responsible for risk management disagreed that the risk management programme should be placed under the supervision of the internal audit department. Conflicting functions occurred between their original function of internal auditing and the new function of risk coordination. There were biases and no segregation of activities when the same person performed both jobs. The Internal Audit Executive of Company D commented on the functions of internal audit in managing risks:
“When EWRM is under the audit function, it is not a burden, because it is a simple job. But the problem is in terms of the validity of the data. You might be biased if the same person does both jobs...as a risk coordinator and also as an internal auditor. If risk management and audit are under one department, then it is a problem when we do risk assessment and also audit, because there are no segregated activities.”
In terms of implementation, Company C and D were not satisfied with their current risk management practices, although in Company C, even though it was not satisfactory, the implementation was in progress. Consequently, both companies agreed that the risk management programme should be separated from internal auditing, since both functions were important for the organization. The Internal Auditor of Company C hoped that by having a separate department, the workload could be reduced and the risk management department would have the authority to implement the EWRM programme effectively. The Internal Audit Executive of Company D stressed the importance of having a separate department, through which the risk management implementation could be more focused. However, there was no requirement for companies to have a separate department.
In fact, the internal audit functions in risk management were clearly stated in the Risk Management manual or policy and procedure document of both companies, namely to validate the results of the EWRM process. For example, in Company C the Group Internal Audit function was to provide “independent assurance in preserving the integrity of risk management framework”. In Company D, internal auditing was defined as “an independent, unbiased function, which contributes by means of auditing and consultancy for proper assessment of the risk situation, vulnerability, value enhancement, and business process improvement”.
It is therefore important to mention here that, in respect of overall risk management practices, these companies were still lacking in terms of EWRM implementation and not much effort was made to improve it, especially at the subsidiary level. The subsidiaries did not identify their own risks; these had to be identified by the audit people instead. Such a situation might be due to the conflicting role and function between internal audit and risk management.
The Internal Audit Executive of Company D mentioned that “personally, I am not really satisfied with EWRM implementation because we cannot one hundred percent concentrate on that”. This might be due to the EWRM programme being taken over by the internal audit people, who admitted that they could not really focus on it. In addition, based on observation and judgment during the interviews, the researcher found that the internal auditor and the internal audit executive in Company C and D respectively did not have sufficient knowledge and relevant skills to supervise the EWRM programme, as compared to the Heads of Risk Management Department in Company A and B.
Auditing was in fact their original duty, not the task of managing risks. It was suggested that by having a separate department, the EWRM programmes in Company C and D would be more focused and effectively implemented.
The findings of this study have assisted the researcher in obtaining a real picture of the internal audit function in EWRM practices, particularly in the PLCs and generally in Malaysia, through the triangulation approach adopted. In this study, the qualitative method was applied as a confirmatory method for what was established in the quantitative method.

5. Discussion

The effective and successful implementation of an EWRM programme depends highly on the person in charge and the department concerned. Top management requires capability in terms of skill and knowledge in risk management in order to make effective risk management decisions and to successfully influence staff to be more proactive in respect of risk management implementation.
However, the study found that less than fifty percent (47.3 percent) of the risk management programmes in PLCs are placed under the risk management department. This percentage is only slightly higher than that of programmes under the charge of the internal audit department (40.0 percent). Compared by type of company, it was found that 85.7 percent of the financial companies have risk management departments, as compared to only 34.1 percent of the non-financial companies. The study also showed that the percentage of non-financial companies that assign other departments to supervise the risk management activities is quite high, at 65.9 percent. Of this figure, 51.3 percent had assigned the internal audit department to supervise the risk management programme.
Even though the function of internal audit has moved from a control-based approach to a risk-based approach[24], the function only added control activities. Thus, assigning the internal auditor to supervise the risk management programme not only contradicts the Best Practices Provision BB VIII in Part 2 of the MCCG 2000[11], which stresses that internal audit must be free from the activities that it audits, but also opposes the companies' own statements in their EWRM guidelines and policies. Such findings confirm the statements in ([4],[13],[17]) that risk management should not be led by the internal audit department.
On the other hand, there appears to be no regulation imposed to prevent the Internal Auditor from managing risks[2], or to require companies to have a risk management department. Although the amendment made to the MCCG (Revised 2007) in the Best Practices Provision BB VII in Part 2[15] was intended to preserve the independence of the internal audit function, the Revised Code only stresses internal audit reporting. Based on the results of these case studies, two non-financial companies have placed their risk management activities directly under the internal audit department. The Internal Auditor, who is responsible for the activities, plays a dual role, one as an internal auditor and the other as a risk manager. This result nevertheless contradicts the role and function of internal audit in EWRM as set out in The Institute of Internal Auditors Standards and as suggested by several authors and researchers ([2],[6],[17-18]).
In respect of EWRM implementation, several problems occur when both functions are under the same department:
● there are no separate activities for doing risk management and auditing;
● there are biases when the same person does both jobs of auditing and managing risks;
● as internal auditors, they focus more on internal auditing than on managing risks;
● subsidiaries conceal the reporting of certain risk management problems from the risk coordinator, who is also the internal auditor;
● subsidiaries implement risk management for the sake of the requirement rather than for best practice; and
● subsidiaries depend on the internal auditor to identify risks and prepare the risk management report.
The findings also indicated that 52.6 percent of non-financial companies used an external consultant for internal audit, while 51.3 percent of these companies assign internal audit to supervise the risk management activities. This outcome is in line with the report by the Institute of Internal Auditors in[21] that only fifty percent (50%) of PLCs have their own internal audit. This may be due to the Best Practices Provision BB VII in Part 2 of the MCCG 2000, which does not stress the existence of the internal audit function in companies. Thus, realizing the importance of the internal audit function, the Revised Code on Corporate Governance (2007)[15] stressed that all companies are required to have an internal audit function.
Based on the empirical findings on this issue, assigning an internal auditor to supervise the risk management programme not only contradicts the primary functions of internal audit, but also conflicts with the Best Practices Provision BB VIII in Part 2 of the MCCG 2000[11]. In brief, the findings provide a valuable contribution to the existing literature on the roles and functions of internal audit in EWRM.

6. Conclusions

The emergence of EWRM involves changes in the internal audit function and introduces a new position of risk management expert. On a positive note, the new standard for internal auditors has shifted the paradigm of the internal audit function from control-based internal auditing to risk-based internal auditing. The Malaysian Code on Corporate Governance also added EWRM practices as a new function of the internal audit role. The code requires the internal auditors to assume the primary responsibility for monitoring enterprise risk exposures.
This particular study adopted a triangulation approach to evaluate the internal audit function in EWRM practices. The overall result showed that the primary function of internal audit actually contradicted the Best Practices Provision BB VIII in Part 2 of the MCCG 2000. The provision states that the internal audit functions must be free from the activities that they audit. One of the key findings revealed that the sentiment is still strong that risk management activities as a whole should not be led solely by the internal audit division. Although internal audit and risk management both provide advice and service to top management, their functions are totally different. It is therefore highly important to note that the empirical evidence of these findings strongly suggests that risk management should not be placed directly under the internal audit department. The internal auditors should play their role as an internal control in respect of EWRM. EWRM activities should be under the supervision of risk management personnel who are more knowledgeable and skilful in that particular area.

References

[1]  Alijoyo, F. A., “Risk Management's Role in Corporate Governance”, Paper presented at the Panel Discussion on Corporate Governance: Accelerating The Implementation of Good Corporate Governance through Board Independence, Yogyakarta and Bandung, Indonesia, 2002.
[2]  Anwar, Z., “The Role of Internal Audit Function in Good Governance”, Paper presented at the The Institute of Internal Auditors Malaysia 2006 National Conference of Internal Auditing, 18 September 2006, Kuala Lumpur, 2006.
[3]  Beasley, M. S., Clune, R., & Hermanson, D. R., “Enterprise Risk Management and the Internal Audit Function”, Online Available: http://www.mgt.ncsu.edu/faculty/accounting/workshop%20papers/Beasley%20workshop%20paper.pdf.
[4]  Benoit, C., “Corporate Governance and Risk Management”, Price Water House Coopers, 2003.
[5]  Blake, M. A. “Taking a Holistic Approach with Enterprise Risk Management”, Rural Telecommunications, vol. 22, no. 6, pp 58-61, 2003.
[6]  Bonic, LJ, Dordevic, M., “Potential of Internal Auditing in Enterprise Risk Management”, Facta Universitatis Series: Economics and Organization, vol. 9, no.1, pp. 123-137, 2012.
[7]  Committee of Sponsoring Organisations of the Treadway Commission (COSO), “Enterprise Risk Management Framework: Draft”, Online Available: http://www.enterprise_wide_risk_management+&+De+Loach+html.
[8]  D'Arcy, S.P., “Enterprise risk management”, Journal of Risk Management of Korea, vol.12, no. 1, pp. 207-228, 2001.
[9]  Davenport, E.W. & Bradley, L.M., “Enterprise risk management: A consultative perspective”, Online Available: www.casact.com.
[10]  Deloach, J.W., “Enterprise-Wide Risk Management: Strategies for Linking Risk and Opportunity”. London: Financial Times, Prentice Hall, 2000.
[11]  Finance Committee on Corporate Governance, “Malaysian Code on Corporate Governance”, Securities Commission, 2000.
[12]  Kleffner, A.E., Lee, R., & McGannon, B., “The Effect of Corporate Governance on the Use of Enterprise Risk Management: Evidence from Canada”, Risk Management and Insurance Review, vol. 6, no.1, pp.53-73, 2003.
[13]  Knight, K. W., “Risk Management a Journey Not a Destination”, Paper presented at the Executive Meeting 2006, Hotel Do Frade & Golf Resort, Angra Dos Reis, Brazil, 2006.
[14]  KPMG, “Strategic Risk Management Survey: A survey of contemporary strategic risk management practices in Australia and New Zealand”, Online Available: http://www.kpmg.com.au.
[15]  “Malaysian Code on Corporate Governance (Revised)”, Securities Commission, 2007.
[16]  Miccolis, J., & Shah, S., “Enterprise Risk Management: An Analytic Approach”, Tillinghast-TowersPerrin Monograph. Online Available: http://www.tillingast.com.
[17]  Protiviti, “Guide to Enterprise Risk Management”, Protiviti Inc., 2006.
[18]  Staciokas, R., & Rupsys, R., “Application of Internal Audit in Enterprise Risk Management”, Engineering Economics, vol. 2, no. 42, pp. 20-24, 2005.
[19]  The Institute of Internal Auditors, “The Role of Internal Auditing in Enterprise-wide Risk Management”, Online Available: http://www.theiia.org.
[20]  Tillinghast-TowersPerrin, “Enterprise Risk Management in the Insurance Industry: 2002 Benchmarking Survey Report”, Online Available: http://www.tillinghast.com.
[21]  Utusan Malaysia Online, “Separuh PLC Tidak Memiliki Audit Dalaman” (Half of PLCs Do Not Have an Internal Audit), Online Available: http://www.utusan.com.my.
[22]  Waite, B., “Managing Risk and Resolving Crisis”, London: Financial Times Prentice Hall, 2001.
[23]  Walker, P.L., Shenkir, W.G., & Barton, T.L., “Enterprise Risk Management: Putting it All Together”, Altamonte Springs, FL: Institute of Internal Auditors Research Foundation, 2002.
[24]  Walker, P. L., Shenkir, W. G., & Barton, T. L., “ERM in Practice”, Internal Auditor, Vol.60, pp. 51-54, 2003.