1. Purpose
The purpose of this guidance document is to elaborate the roles and responsibilities of the Internal Audit Function[1] ("Internal Audit") in relation to risk management[2].
2. Background
Internal Audit is mandated to provide independent assurance on the effectiveness, efficiency and transparency of the institution's system of risk management. It may also provide advisory services to improve risk management. These core mandates remain unchanged with the introduction of the Global Internal Audit Standards ("GIAS"). The GIAS will replace the International Standards for the Professional Practice of Internal Auditing, upon which the previous guidance was based, from 9 January 2025. By fully understanding its role in relation to risk management as informed by relevant legislation, and read with the GIAS, Internal Auditors can execute their responsibilities more effectively and strengthen their institutions' system of risk management.
While the GIAS will come into effect on 9 January 2025, early adoption is permitted. The National Treasury encourages early adoption in light of the improvements the GIAS introduces. It integrates risk management more holistically across various aspects of internal auditing and places a greater emphasis on the strategic role of Internal Audit in understanding and improving risk management. It favours a more principles-based and flexible approach to optimising the nexus of Internal Audit and risk management. These changes aim to elevate the quality and effectiveness of internal auditing by ensuring that internal auditors are better equipped to understand and improve their institution's risk management, and consequently governance and control.
3. Legal mandate
The following prescripts provide the legal foundation for Internal Audit's responsibility for risk management:
National and Provincial Departments
- Treasury regulation 3.2.6 states that: "Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors" (note: the standards referred to are the Standards for the Professional Practice of Internal Auditing, which are supplanted by the GIAS).
- Treasury regulation 3.2.7 states that: "An internal audit function must prepare, in consultation with and for approval by the audit committee – (a) a rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy."
Constitutional Institutions
- The same requirements as for national and provincial departments, as indicated above.
National and Provincial Public Entities
- Treasury regulation 27.2.6 states that: "Internal audit must be conducted in accordance with the standards set by the Institute of Internal Auditors." (note: the standards referred to are the Standards for the Professional Practice of Internal Auditing, which are supplanted by the GIAS).
- Treasury regulation 27.2.7 states that: "An internal audit function must prepare, in consultation with and for approval by the audit committee – (a) a rolling three-year strategic internal audit plan based on its assessment of key areas of risk for the institution, having regard to its current operations, those proposed in its strategic plan and its risk management strategy."
Municipalities
- Section 165(2)(b)(iv) of the Municipal Finance Management Act (Act 56 of 2003) (MFMA).
Municipal Entities
- Section 165(2)(b)(iv) of the Municipal Finance Management Act (Act 56 of 2003) (MFMA).
4. Strategic value of Internal Audit in risk management
Internal Audit is integral to effective risk management. A proper internal audit approach to risk management will contribute to the overall quality of risk management, which will have a positive flow-through effect on governance and control, and ultimately to the achievement of institutional objectives. Therefore, the GIAS advocates for Internal Audit to plan strategically, with a specific accent on the need for Internal Audit to understand the institution's risk management and base its planning thereon. Specifically, GIAS 9.1 emphasises that Internal Audit must understand and evaluate the institution's risk management processes. This standard aims to ensure that Internal Auditors provide valuable insights and recommendations to enhance the institution's system of risk management. A robust system of risk management is essential to drive effective governance and control processes.
A symbiotic relationship exists between Internal Audit and risk management. This relationship is characterized by mutual support and interdependence, where each function enhances the effectiveness of the other. On one hand, Internal Audit's work is strongly influenced by risk management processes. The formulation of an effective internal audit strategy and plan which set the foundation for assessing the institution's governance, risk management and control is highly contingent upon effective risk management outputs. Risk management also influences the audit program for specific auditable units. On the other hand, Internal Audit has a profound influence on risk management through its objective assessment of risk management processes, provision of advisory services and developing recommendations for improvement.
5. High level responsibilities of Internal Audit with regard to risk management
The core responsibilities of Internal Audit in relation to risk management are to:
- use outputs from the risk management process as inputs to Internal Audit work, be it for the internal audit strategy, internal audit plan or internal audit programs for particular auditable units
- provide assurance on the whole system of risk management
- provide advisory services to improve weak aspects in the system of risk management
- collaborate with the risk management function and other providers of risk advisory services to improve the institution's system of risk management
In order to execute these responsibilities, Internal Audit must understand risk management at the macro-institutional level. GIAS 9.1[3] is instructive in this regard. It requires the chief audit executive to consider how the institution identifies and assesses significant risks and develops appropriate control processes. It also emphasises that the chief audit executive should understand globally accepted risk management principles, frameworks and models, as well as professional guidance. The chief audit executive should gather information to assess the maturity of the institution's risk management processes, including identifying whether the institution has defined its risk appetite and implemented a risk management strategy and/or framework. Discussions with the accounting officer/accounting authority and senior management help the chief audit executive understand their perspectives and priorities related to the institution's risk management. To gather risk information, the chief audit executive should review recently completed risk assessments and related communications issued by senior and operational management, those charged with risk management, external auditors, regulators, as well as other internal and external providers of assurance services.
Internal Audit must also understand risks at a micro or engagement level. GIAS 13.2[4] is instructive in this regard. It requires internal auditors to develop an understanding of the activity under review to assess the relevant risks. When the risks for an activity under review have been identified and documented in past engagements, only a review and update is required. To develop an adequate understanding, internal auditors must identify and gather reliable, relevant and sufficient information regarding:
- the institution's strategies, objectives and risks relevant to the activity under review.
- the institution's risk tolerance.
- the risk assessment supporting the internal audit plan.
- the governance, risk management, and control processes of the activity under review.
- applicable frameworks, guidance and other criteria that can be used to evaluate the effectiveness of those processes.
Internal auditors must review the gathered information to understand how processes are intended to operate and identify the risks to review by:
- identifying the potentially significant risks to the objectives of the activity under review.
- considering specific risks related to fraud.
- evaluating the significance of the risks and prioritizing them for review.
Internal auditors must identify the criteria that management uses to measure whether the activity is achieving its objectives.
6. Risk Based Internal Audit Planning
Per GIAS 9.4[5], the chief audit executive must develop an internal audit plan that supports the achievement of the institution's objectives. The plan must be based on the documented assessment of the institution's strategies, objectives and risks. Such assessment must be informed by the chief audit executive's understanding of the institution's governance, risk management and control processes, as well as input from management. The plan must be dynamic and be updated timeously in response to changes in the institution's objectives, operations, programs, systems, controls, institutional culture and risks. These requirements ensure that the internal audit plan is comprehensive, up-to-date and focused on the most significant risks of the institution by emphasising that:
- the plan should be aligned to the institution's strategy and priorities.
- the chief audit executive's understanding is crucial for identifying and assessing risks effectively and absorbing the material aspects thereof into internal audit planning.
- regular reviews are necessary to ensure that the internal audit plans remain relevant and responsive to significant changes in the institution's risk landscape.
GIAS 13.2[6] emphasises that an understanding and assessment of risks related to the activity under review is equally important. When the risks for an activity under review have been identified and documented in past engagements, only a review and update is required. To develop an adequate understanding, internal auditors must identify and gather reliable, relevant and sufficient information regarding:
- the institution's strategies, objectives and risks relevant to the activity under review.
- the institution's risk tolerance.
- the risk assessment supporting the internal audit plan.
- the governance, risk management, and control processes of the activity under review.
- applicable frameworks, guidance and other criteria that can be used to evaluate the effectiveness of those processes.
Internal auditors must review the gathered information to understand how processes are intended to operate, and identify the risks to review by:
- identifying the potentially significant risks to the objectives of the activity under review.
- considering specific risks related to fraud.
- evaluating the significance of the risks and prioritizing them for review.
Internal auditors must identify the criteria that management uses to measure whether the activity is achieving its objectives.
7. Providing Risk Management Assurance
When Internal Audit provides assurance on the risk management process, it is presumed that Internal Audit is satisfied with the adequacy of the process. In this context, Internal Audit's attention is directed at evaluating the system of risk management and, where applicable, making recommendations for improving the system. The "system" encompasses the risk management policy, processes, institutional structure, staffing and overall governance of risk management. Internal Audit provides assurance that:
- the institution's risk management culture is appropriate.
- the institution is appropriately structured to manage risk and enable control.
- the institution has established a risk management framework including key risk indicators, risk appetite and risk tolerance to monitor and manage risks proactively.
- the risk management coordinating function and the specialised risk functions are adequately staffed.
- the risk management coordinating function and specialised risk functions collaborate effectively.
- the risk register represents the institution's risks accurately and completely.
- the risk management strategy and plan are effectively implemented.
- the fraud prevention plan is adequate and being implemented effectively.
- there is continuous monitoring and review of the risk management process to ensure its effectiveness and relevance.
- risk management training and awareness programs are in place to enable employees to understand and execute their roles and responsibilities.
- there is an effective framework in place for reporting and escalating risks.
- there is an efficient process and a proactive approach to identifying, assessing and communicating significant emerging risks.
- the overall system of risk management is value-creating.
8. Providing Risk Management Advisory Services
The need for risk management advisory services would normally arise when Internal Audit concludes that the system of risk management is relatively informal and/or immature. The absence of a risk management coordination function would be a prominent clue of this. Consequently, Internal Audit cannot place reliance on the risk management processes. Internal Audit may therefore perform advisory services as directed by management. Alternatively, it may do so in the absence of direct management instruction in order to accumulate knowledge of risk and controls or to develop reliable risk management processes to fulfil its own need for reliable and timely information needed to formulate the internal audit strategy, plan and audit programs for specific auditable units.
In performing risk management advisory services, Internal Audit may:
- assist management to develop the risk management framework, policy, strategy and implementation plan.
- advise on the establishment of the risk management coordination function.
- coordinate risk management activities.
- facilitate risk assessments to identify, assess and prioritise risks.
- advise on risk mitigation.
- provide risk management awareness and training.
- develop risk monitoring mechanisms.
- develop and disseminate risk reports.
- anything else that does not compromise its independence and/or objectivity.
Internal Audit's advisory role assists the institution by enhancing its risk management capabilities and driving a proactive approach to managing risks. If Internal Audit is to later provide assurance where it had performed risk management advisory services, the chief audit executive must confirm that objectivity is not compromised and must assign resources such that individual objectivity is managed.
9. Coordination and Reliance
GIAS 9.5 states that the chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. Coordination of services minimises duplication of efforts, highlights gaps in coverage of key risks, and enhances the overall value added by assurance providers. The chief audit executive may choose to rely on the work of other assurance providers for various reasons, such as to assess specialty areas outside the internal audit function's expertise, to decrease the amount of testing needed to complete an engagement and to enhance risk coverage beyond the resources of the internal audit function. In a combined assurance approach, the chief audit executive coordinates the internal audit function's assurance engagements with other assurance providers to reduce the frequency and redundancy of engagements, maximizing the efficiency of assurance coverage.
If an appropriate level of coordination is not possible, the chief audit executive must inform the Audit Committee and the accounting officer/authority. When the internal audit function relies on the work of other assurance service providers, the chief audit executive must document the basis for that reliance. The evaluation should consider the providers' roles, responsibilities, institutional independence, competency and objectivity, as well as the due professional care applied to their work. The chief audit executive must understand that, notwithstanding the reliance placed on others, Internal Audit is still responsible for the conclusions reached.
Internal providers of assurance and advice include functions that may report to or be part of senior management, such as compliance, environmental, financial control, health and safety, information security, legal and risk management. External assurance providers may report to senior management, the accounting officer/authority or the executive authority.
The risk management function, being a critical provider of assurance in the institution, and vital to the work of internal audit, is a natural partner for Internal Audit's coordination and reliance. When Internal Audit and the risk management function work together smartly they enhance the institution's overall risk management framework:
- Internal auditors should coordinate with the risk management function to align their activities to avoid duplication of efforts, ensure comprehensive coverage of risk areas and the availability of information at the time it is needed.
- Internal auditors can place reliance on the work performed by the risk management function, provided it is assessed as reliable. This involves evaluating the quality and effectiveness of the risk management processes. The final decision to place reliance or not requires the chief audit executive's professional judgement.
- Ongoing communication between internal audit and the risk management function is crucial to ensure that any significant changes in the risk landscape are promptly identified and incorporated into the internal audit plan.
- Mature coordination and reliance are exemplified through:
  - synchronizing the nature, extent and timing of planned work.
  - establishing a common risk language, techniques and methods.
  - providing access to each other's work programs and reports.
  - using management information to provide joint risk assessments.
  - agreeing on a shared risk register.
  - combining results for joint reporting.
10. Communicating Results
GIAS 11.3 requires timely and accurate communication to the accounting officer/accounting authority, senior management and those responsible for the activity under review of significant risk exposures and control issues identified in audit engagements. This information should also be shared with the risk management function as it would enable the risk register to be updated and for risk managers to extend assistance to manage the risk exposure.
11. Communicating the Acceptance of Risks
GIAS 11.5 requires the chief audit executive to communicate unacceptable levels of risk. This transpires when the chief audit executive concludes that management has accepted a level of risk that exceeds the institution's risk appetite or risk tolerance. This conclusion may have been derived through the chief audit executive's professional judgement. If the chief audit executive determines that the matter has not been resolved following a proper understanding of the issue and engagements with the responsible management, the chief audit executive is compelled to escalate the matter to the accounting officer/authority.
12. Evaluation of Findings
GIAS 14.3 requires internal auditors to evaluate each potential engagement finding to determine its root cause and significance. To determine the significance of the risk, internal auditors must consider the likelihood of the risk occurring and the impact the risk may have on the institution's governance, risk management or control processes. If internal auditors determine that the institution is exposed to a significant risk, it must be documented and communicated as a finding. Internal auditors must prioritise each engagement finding based on its significance, according to the Internal Audit methodology.
13. Recommendations and Action Plans
GIAS 14.4 requires internal auditors to determine whether to develop recommendations, request action plans from management or collaborate with management to agree on actions to:
- resolve the differences between the established criteria and the existing condition.
- mitigate identified risks to an acceptable level.
- address the root cause of the finding.
- enhance or improve the activity under review.
The National Treasury favours that internal audit should develop recommendations in consultation with the management of the activity under review. Should a disagreement arise, internal audit must capture their own position and rationale as well as that of management, to allow an informed resolution through the accounting officer/authority and Audit Committee.
14. Follow up on the Implementation of Recommendations or Action Plans
Another critical Internal Audit role, captured in GIAS 15.2, is confirmation that management has implemented Internal Audit's recommendations or management's action plans, through:
- inquiring about progress on the implementation.
- performing follow-up assessments using a risk-based approach.
- updating the status of management's actions in a tracking system.
The extent of these procedures must consider the significance of the finding. The chief audit executive is responsible for determining whether management, by delay or inaction, has accepted a risk that exceeds the risk tolerance, and for dealing with it according to paragraph 11 and GIAS 11.5.
[1] The Global Internal Audit Standards describe the Internal Audit Function as a professional individual or group responsible for providing an organization with assurance and advisory services.
[2] "Risk Management" means a systematic formalised process to identify, assess, manage and monitor risks.
[3] GIAS 9.1: Understanding Governance, Risk Management and Control Processes
[4] GIAS 13.2: Engagement Risk Assessment
[5] GIAS 9.4: Internal Audit Plan
[6] GIAS 13.2: Engagement Risk Assessment