internal audit
{money}
Risk and
the Internal
Audit
function
By Christos Tsolakis
E
xperience tells us that while for
many organisations in Cyprus,
the Internal Audit function exists
only in order to comply with Laws
and Regulations, there are a few in
Cyprus that correctly perceive Internal Audit as
an aide in dealing with the four key areas of risk
that they face:
• Financial Risk to the effective financial operations of the organisation.
• Commercial Risk to the commercial success
of the organisation.
• Organisational/Operational Risk to the tangible and intangible assets of a company.
• Compliance/Regulatory Risk that exposes
the organisation to compliance issues or external
litigation.
Internal Audit can assist a company’s management in achieving its business objectives and
greatly contribute to the management of risk,
fraud prevention and detection, operational and
financial control efficiency, compliance with
policies and procedures, accurate and reliable
financial and management information and financial reporting.
PwC’s 2012 global study on the State of Internal Audit indicates that, year-on-year, business
executives expect their Internal Audit to play
an increased role in helping them navigate the
rapidly-changing risk landscape. Business executives accordingly invest (with people, tools and
training) in the Internal Audit function to enable
it to meet these expectations.
According to the study:
• Data privacy and security now form the single
most requested area for increased Internal Audit
focus with 46% of stakeholders asking for added
capabilities in this area.
• Regulations and government policies form the
second largest requested area for increased focus,
with 32% of stakeholders asking Internal Audit
to become more involved in supporting the business in understanding and managing associated
risk.
It is apparent that companies that manage
risk well have Internal Audit functions that go
beyond the traditional role of exclusively providing assurance over financial controls. Our study
found that management nowadays demands increased Internal Audit involvement in risk identification and the management of risk. Successful
Internal Audit departments create plans through
comprehensive, top-down risk assessments in
which the entire enterprise risk management
process is taken into consideration. According
to the survey results, 45% of organisations still
do not create their audit plans using this robust,
top-down risk assessment approach. A majority
of respondents cited organisational and cultural
resistance as the most common barriers to Internal Audit’s active involvement in a fully comprehensive risk management function, followed
closely by a lack of Internal Audit resources and
expertise.
The report finds that Internal Audit teams
in leading companies provide stakeholders with
advice on risks and controls rather than merely
reporting on any gaps. Some 78% of the survey respondents whose company were better at
managing risk say their chief audit executives
have a more active role in the executive meetings, compared to only 61% in companies that
are lagging behind.
Most Internal Audit departments in Cyprus
are not actively involved in a fully comprehensive risk management function to identify and
info: Christos Tsolakis is a Partner in PwC Cyprus specialising in Risk Assurance Consulting.
68 Gold the international investment, finance & professional services magazine of cyprus
manage risks. The key barrier to this is the lack of
resources, expertise and tools. The active involvement of the Head of Internal Audit in executive
meetings and the education of the executives regarding risk management, fraud prevention and
detection and compliance issues would greatly
contribute to a more efficient and effective Internal Audit function.
PwC understands that significant risk is rarely
confined to discrete areas within an organisation
but rather tends to have a wide-ranging impact
across the organisation as a whole. As a result,
PwC’s Risk Assurance practice has developed a
holistic approach to risk that protects business,
facilitates strategic decision-making and enhances efficiency. This approach is complemented by
the extensive risk and controls, technical knowledge and sector specific experience of its Risk Assurance professionals.
PwC’s Risk Assurance practice provides companies with significant technical expertise and
deep knowledge across all industries. Skilled
team members assist companies in developing
risk and compliance programmes, building and
running Internal Audit functions, supporting
the needs of high-performing Internal Audit
functions with audit control and subject matter
expertise, and creating internal control processes
around business performance issues, IT systems
as well as strategy and contingency planning.
The end result is a risk solution tailored to meet
the unique needs of clients.
Most Internal Audit
departments in Cyprus are
not actively involved in a
fully comprehensive risk
management function