Articles on Internal Auditing

Business Risk vs. Audit Risk
By Dan Swanson

The following article first appeared online in the IT Compliance Institute Ask The Auditor column. Used with Permission.

What’s the difference between business risk and audit risk?

Business risk relates mainly to an organization’s goals and objectives. It is essentially the potential cost incurred if the business does not achieve its strategic plans. The assessment and management of business risk has evolved into formalized enterprise risk management (ERM) in many organizations.

By contrast, audit risk relates mainly to the internal and external audit efforts to achieve its objectives; that is, provide effective, timely, and efficient assurance and consulting support to management and the board. Traditionally, audit risk has been seen as strictly the risk of incorrect audit conclusions. Contemporary views, however, include big-picture audit risks; specifically, that the internal audit function is not doing the right things or working in the best ways.

Let's look a little more closely at these two concerns…

Business Risk (a.k.a. Enterprise Risk)

Enterprise Risk Management (ERM) is defined by COSO as:

  • A process, effected by an entity’s board of directors, management, and other personal, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
  • ERM is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. When implemented by management, ERM is generally evaluated by internal auditors for effectiveness and efficiency.
  • Business risk is fundamentally the risk of an organization not achieving its objectives. A formal ERM program both enables the management of business risk and provides assurance to management and the board that risk is given due consideration in day-to-day business decisions.

Within this context, the internal audit function provides strategic, operational, and tactical value to an organization’s operations. For example, internal auditing is:

  • A resource to the board and management for making sure the entire organization has the resources, systems, and processes for operating an efficient and effective operation.
  • An assurance tool for management and the board to know all that should be done is being done. By ensuring qualified professional reviews and audits are performed, the board and management can advance its goal of overseeing the organization’s operations and ensuring its continuous improvement and success.
  • An independent validation resource that the organization’s efforts are proactive and effective against current and emerging threats.

The Institute of Internal Auditors (IIA, http://www.theiia.org) has published a position paper on the role of internal auditing in ERM (see resource side bar, below, for the direct link to this paper). According to the IIA, internal auditors—including IT auditors—should provide advice and comment on management’s decisions regarding risk, as opposed to making risk-management decisions. Auditors' responsibilities should also be documented in a company's internal audit charter and be approved by the audit committee.

In the IIA position paper “The Role of Internal Audit in Enterprise-wide Risk Management,” the IIA defines core internal audit roles regarding ERM as:

  • Providing assurance on the quality of risk management processes
  • Providing assurance that risks are being considered in day-to-day decision-making
  • Ensuring, through audits, that all risks of significance are included
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks

The same source notes that auditors may perform some roles, with appropriate safeguards:

  • Facilitating identification and evaluation of risks
  • Coaching management in responding to risks
  • Coordinating ERM activities Consolidating the reporting on risks
  • Maintaining and developing the ERM framework
  • Championing establishment of ERM
  • Developing risk management strategy for board approval

And, finally, the paper notes responsibilities that internal auditing should not undertake:

  • Setting the risk appetite
  • Imposing risk management processes
  • Making decisions on risk responses
  • Implementing risk responses on behalf of management
  • Accountability for risk management

For further information, the IIA's presentation “Applying COSO’s ERM—Integrated Framework” provides sound high-level advice on implementing COSO’s ERM guidance within an organization.

Audit Risk

Now, that we've looked at the role of the auditor in assessing business risk, let's talk about audit risk. Audit risk has traditionally been defined as risk that an auditor will make wrong or misleading assessments. By following a systematic approach and practicing in accordance with the International Standards for the Professional Practice of Internal Auditing, published by the IIA, auditors can reduce this risk.

The IIA has developed the following globally accepted definition of internal auditing, as cited in its FAQ – “What is Internal Auditing”

  • Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  • Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization's governance, operations and information systems, in relation to:
    • Effectiveness and efficiency of operations.
    • Reliability and integrity of financial and operational information.
    • Safeguarding of assets.
    • Compliance with laws, regulations, and contracts.
  • Based on the results of the audit assessment, the internal auditors evaluate the adequacy and effectiveness of how business risks are identified and managed in the above areas. They also assess other aspects such as ethics and values within the organization, performance management, communication of risk and control information within the organization in order to facilitate a good governance process.

Finally, in today’s professional practice, audit risk also includes the risk of failure of internal audit (and IT audit) at the “broader level” than just the audit conclusions. For example, audit risk now includes the risk that internal audit is working on the wrong projects and/or completing its work in an inappropriate manner.

In conclusion, practicing in accordance with auditing standards published by the IIA and the Information Systems Audit and Control Association (ISACA) will reduce the risk of failure in internal audit and IT audit efforts.

The Relationship between Business Risk and Audit Risk

The scope of an internal auditing plan should be driven by relative business risk. In other words, audit resources should generally be applied to the areas of greatest business risk.

While internal auditing can perform its own assessment of business risk, the internal auditing function should leverage management’s risk assessment process when management has a formal ERM program in place. In effect, internal auditing becomes more efficient by relying on the ERM process, and it manages its own audit risk.

Additional Guidance and Resources:

Risk-related Resources
  • COSO “Enterprise Risk Management—Integrated Framework”
  • The Role of Internal Auditing in Enterprise-wide Risk Management (PDF)
  • COSO Related Resources (from the IIA)
  • FAQs for COSO's Enterprise Risk Management—Integrated Framework
  • Applying COSO’s ERM—Integrated Framework (PPT)
Audit-related Resources
  • The International Standards for the Professional Practice of Internal Auditing (from the IIA)
    The Internal Audit Profession (from the IIA)
  • The Power of the PPF (The Professional Practices Framework) (from the IIA)
  • Frequently Asked Questions (FAQs) about the Internal Audit Profession (from the IIA)
  • Popular Internal Audit Guidance Downloads (from the IIA)
  • Extra Credit: Auditing System Conversions (from the IIA)

Dan Swanson (CIA, CMA, CISA, CISSP, CAP) is president and CEO, Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors (IIA). Prior to his work with the IIA, Swanson was an independent management consultant for more than 10 years. He has completed audit projects for more than 30 different organizations, spending almost 10 years in government auditing, at the federal, provincial, and municipal levels, and the rest in the private sector, mainly in the financial services, transportation, and health sectors.

Home | Bio  | Internal Auditing | Fraud Investigation | Request to Reprint

© 1996-2008 Mark R Simmons, CIA, CFE. All rights reserved. Updated 05-Jun-2008
Designed and maintained by Web Wise Concepts, LLC for http://www.facilitatedcontrols.com