In implementing its goals and objectives, Organisations face risks that are increasingly numerous and complex due to the dynamics of development and demand, both internal and external. Comprehensive and integrated risk management, strengthened in the aspect of internal control, is therefore required.
The implementation of risk management shall refer to international best practices and is divided into three (3) categories. First, risk management of the first line of defense, conducted by the work units implementing business processes. Second, risk management of the second line of defense, conducted by the work unit that holds the risk management function and is independent of the work units conducting business processes. Third, risk management of the third line of defense, conducted by the work unit implementing the internal audit function, to ensure that risk management activities are performed effectively.
With risk management in place across these three lines of defense, it is expected that the duties of Organisations, in particular decision making, can be carried out with due regard to prudence and good governance principles, and with optimum results for performance, finances and the credibility of policy.
Based on the above framework, internal audit has an important role in assuring the quality of the overall work process in Organisations. The scope of the internal audit function includes the performance of internal audits and consultation, through the provision of opinions and recommendations on the processes of governance, risk management and control.
The internal audit function of Organisations shall use the Risk Based Internal Audit methodology. The higher the risk of the audit target, the higher the frequency of internal audits. Work processes with high risk shall be audited every year, whereas work processes with medium and low risk shall be audited over a longer time span, namely once every 2 or 3 years.
Internal Controls – Thinking Inside the Box (COSO Cube)
As financial year 2015-16 passes its midpoint, many companies will still be coming to terms with the new ICFR (Internal Controls over Financial Reporting) requirements in the Indian scenario.
Anything new that comes up for implementation generally has some teething issues, simply because change management as a process is frictional; for any successful implementation, a well-defined and well-managed project plan is a must.
Business, as we see it through the lens of Internal Audit, starts with a vision (mostly emanating from ideas), which translates into a mission with a strategy defined to achieve that mission. The strategy further rolls down to objectives (Strategic, Operational, Financial, Compliance) for each business process. These processes are managed by people, duly supported by technology and resources, to ensure compliance with policies, laws and regulations while the strategy and mission are achieved.
Simply put: Vision & Mission --> Strategy --> Goals & Objectives --> Mapped to business processes --> which are managed by people --> For ensuring achievement of Goals & Objectives --> resulting in implementation of strategy --> resulting in achievement of the mission.
The COSO framework has been used globally, is time tested, and takes a very rational approach to implementation. Where most companies struggle to achieve a proper implementation of internal controls is that they think of Internal Audit only as a value-adding function / activity and are almost asking for an “out of the box approach / thinking”, and that is where some of those organizations completely miss the point. Internal Audit is not only about value creation but equally about value protection, and in today’s scenario more about risk management; that is why Risk Based Internal Audits have become the fad.
The need today is not to have a large number of controls but to have the right quality of controls, simply because there is a cost to every control you implement in the organization (in terms of the time and resources involved).
Where most organizations would do well is, while doing their Enterprise Risk Management exercise, to define their goals and objectives (which should be enablers for implementation of the strategy and for achievement of objectives), map each of those goals and objectives to the business processes, and identify risk champions to ensure that those goals and objectives are met within their timelines, keeping in view the overall timeline for fully implementing the strategy.
Once this is done, the role of the internal audit function is enhanced qualitatively, and that is where the internal auditor will have to think constructively inside the box (the COSO cube), because all 5 parameters of the cube are inextricably linked to strategic, operational, financial and compliance objectives; that is where organizations begin to appreciate the right set of controls being implemented for their business.
Disclaimer: The views expressed in this post are personal views
Statutory Requirement of Internal audit u/s 138