Internal Audit and Risk Management simplified
This is the first in a series of articles where our resident specialist, Louw van der Merwe, explains and clarifies on a very practical level exactly what value can be added by Internal Audit and Risk Management within your organisation.
What are controls?
At its most basic level, any organisation converts inputs into outputs. The one that does so most effectively and efficiently would be the most successful. Inputs are converted into outputs via a process, and controls govern the effectiveness and efficiency of processes. It therefore follows that the organisation with the best controls would be the most successful.
There are many definitions of internal control. The simplest remains the original COSO definition, stating that controls can be classified as either financial, compliance or operational.
Financial controls are actions such as bank reconciliations, authorisation limits, etc. These controls are the simplest to review, as they are largely generic across all industries. Compliance controls are those actions that ensure that the organisation adhere to all applicable laws and regulations.
By far the most difficult to review are the operational controls. These are controls that ensure operational objectives are achieved. An example would be the quality review functions at a processing plant. These controls are largely specific to every organisation, and represent the majority of controls within the control framework.
What is the role of Internal Audit?
Internal control, in other words actions to ensure we manage our risks and achieve our objectives, is the responsibility of the Board of Directors, who delegate its implementation to management.
Assurance that the controls that are implemented are in fact appropriate; and have been adhered to is requested by the board from management, who in turn receive that same assurance from those that report to them.
Additional assurance is requested from Internal Audit. Although Internal Audit reports directly to the board via the Audit Committee, the assurance from the results of their activities should therefore be utilised by all levels within an organisation.
Typical Internal Audit review
Any Internal Audit review has 2 main objectives:
- Are the controls that are implemented the most appropriate under the circumstances, in other words do they result in the most efficient and effective conversion of inputs into outputs? This is also called the efficiency and effectiveness review.
- Are the controls that are supposed to be implemented in fact adhered to on a consistent basis; and are we sure that they are not being applied by personnel with other indivisible duties? This is also called a compliance review.
As it includes assessing operational and compliance controls, the first part of the review, the effectiveness and efficiency review, is quite difficult and a person with a large degree of experience and knowledge is normally needed. The output from this review is a list of potential inefficiencies or gaps in the current control framework, as well as recommendations to address those. Another output is a listing of key controls, in other words those controls that are absolutely essential to ensure achievement of objectives.
This listing of key controls are then utilised to form the basis of the compliance testing part of the review. A person of lesser experience can therefore be utilised to conduct this stage.
Next newsletter – more on the Internal Audit planning process, and Risk Management made practical.
For more information contact Louw van der Merwe on tel. (021) 882 8140 or e-mail louw@exceed.co.za.