What is Risk and Control in Internal Audit?

Ravinder Singh • 23 May 2025
For a new internal auditor, it can be daunting to be assigned tasks on an audit when you don’t fully understand the concepts of risk and control. This guide aims to help new entrants understand these concepts.

What is a risk?
A risk is the possibility of an event (internal or external) occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. There are some risks that are inherent within the business, simply by the industry it’s in.

What is a control?
A control is an action taken to manage a risk whilst achieving a goal (e.g. a strategic one). Some risks cannot be fully eliminated (unless you exit the business); management are therefore willing to accept a limited amount of risk, which they define as their risk appetite. The control should keep the risk within that appetite.

An effective control is one that is designed to meet its objective and operates as designed, without exceptions, in achieving that objective.

There are two popular controls frameworks – COSO and COBIT.

COSO is commonly used within a firm to assess and manage risks. It has five components of an effective internal controls system:
  1. Control environment
  2. Risk assessment
  3. Control activities
  4. Information and communication
  5. Monitoring activities

COBIT is an IT governance framework that guides firms on aligning IT with business goals, meeting compliance obligations and managing risks.

What are the types of controls?
A control can be described in the following categories:

Operational Controls: Operational controls are controls over the initiation, recording, processing and reporting of transactions designed to operate at a level of precision that would achieve the control objectives (Completeness, Accuracy, Validity, Restricted Access) to mitigate one or more relevant risks. Operational controls are generally preventive in nature. They are part of the 1st line of defence.

Supervisory Controls: Controls effected at the management level to oversee the activities of their staff. These controls enable managers to have an overall picture of the risks and adherence to policies and procedures within their area of responsibility. Supervisory controls are usually performed after-the-fact and therefore have a detective character. They are designed to verify the effectiveness of operational controls executed by employees. These controls are part of the 1st line of defence.

Independent Controls: Controls performed by a body or unit within the organisation which is independent from the unit originating the transaction and usually performed after-the-fact with a detective character. Independent controls usually form the 2nd line of defence but can also be performed by control functions within the 1st line of defence.

Governance Controls: Those controls designed to ensure appropriate management of underlying business processes and contribute to the effectiveness of controls.

How do we describe controls?
The control must be designed to address the risk and keep it within its appetite. The design of the control includes certain attributes that describe how it is performed and how it addresses the risk. These are:
  • Scope of the control (global/regions/legal entities/products);
  • Control location (geographical);
  • Control type (Operating, Supervisory, Independent or Governance);
  • Whether it is preventive or detective;
  • Frequency of operation;
  • Level of automation (automated/semi-automated/manual);
  • Reliance on systems or system-generated reports;
  • Business line, control owner and control performer;
  • Risk tolerance (if applicable).

How do attributes assist in auditing?
The attributes mentioned above assist the internal auditor in assessing and opining on the design of the control. The following questions can help the internal auditor assess the attributes of the control:
  1. What - type of control (Operating, Supervisory/Independent, Governance control, automated/semi-automated/manual, preventive/detective) and what is it trying to achieve?
  2. Who - is the business line/control owner/performer, is the department/person(s) appropriate / competent? Is the scope of the control appropriate?
  3. When - does the control operate? Is the frequency appropriate or is it too late (timeliness)?
  4. Why - does this control exist? What is the risk the control is addressing? Is the control responsive to the risk?
  5. How - does the control work and what are the key components (e.g. reliance on systems or system-generated reports)? Is this an efficient / appropriate method? Does the control operate within risk tolerance?
  6. Where - does the control take place and is this appropriate? (Different department or office location, is there segregation of duties)
  7. What if (exceptions handling and escalation) - Is the way exceptions are handled and escalated going to resolve the issue (corrective actions)?
  8. Control evidence - Is the control evidence appropriate to demonstrate that the control operated effectively? (reliability of information)

Example of control description
A daily reconciliation is performed by the finance team between the credit system and the accounting system in order to detect differences between the two systems. Every reconciling item above £10,000 is investigated by the finance team. The daily reconciliation is produced automatically by system XYZ. The list of reconciling items is reviewed and cleared by a member of the finance department, who physically signs off the reconciliation after performing the control.

Assessing the attributes
Why – to detect differences between credit and accounting systems
What – reconciliation between credit and accounting systems
How – reconciling items above £10,000 are investigated. The reconciliation is produced automatically on a daily basis by system XYZ.
Who – performed by the finance department
When – daily
Control evidence – sign-off of the review of reconciling items.

What are the risks?
The risks a firm faces depend on the type of business and the industry it is in, and should be analysed accordingly. Some of the common broad categories of risk can be bucketed as follows:
  • Finance – capital, liquidity, funding, accounting, tax, regulatory reporting, payment
  • Regulatory – financial crime and fraud, conduct, regulatory compliance, legal and litigation, people
  • Technology and Change – change management, technology and physical assets, cyber and information security
  • Credit – arrears and write-off, modelling
  • Operational risk – fraud, recovery and resolution

These risks can be further expanded in relation to the business model of the firm and should be more specific when conducting an audit.

Process versus Control
Internal auditors often confuse the two when performing audits: they review a process against an identified risk rather than assessing the control that addresses the risk.

A process is a detailed, step-by-step description of what to do. It is focused on the operational steps.
A control is a specific action that can be part of a framework, designed to ensure that risk is contained within the level a firm is willing to accept.

If we take the example of a cash reconciliation, the process is the detailed step-by-step description of which extracts are taken, which spreadsheets are opened and what is checked.

A control is the independent reconciliation to identify the out-of-tolerance breaks which are escalated and reported.
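To make the distinction concrete, here is the reconciliation control from the control description above (and the cash reconciliation just mentioned) as a small worked illustration. This is added example code, not part of the original article; the account names, balances and the way breaks are recorded are constructed assumptions, while the £10,000 tolerance and the sign-off evidence follow the article's description.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed sample extracts (account -> GBP balance), not real data.
CREDIT_SYSTEM = {"ACC-001": Decimal("250000.00"), "ACC-002": Decimal("98000.00"),
                 "ACC-003": Decimal("15500.00"), "ACC-004": Decimal("42000.00")}
ACCOUNTING_SYSTEM = {"ACC-001": Decimal("250000.00"),
                     "ACC-002": Decimal("86500.00"),  # 11,500 off: above tolerance
                     "ACC-003": Decimal("15250.00")}  # 250 off: within tolerance
# ACC-004 is absent from the accounting extract: a break for its full balance.

TOLERANCE = Decimal("10000.00")  # reconciling items above this are investigated


@dataclass(frozen=True)
class Break:
    account: str
    credit: Decimal
    accounting: Decimal
    difference: Decimal
    investigate: bool  # True when abs(difference) exceeds the tolerance


def reconcile(credit, accounting, tolerance=TOLERANCE):
    """Compare both systems account by account and return every reconciling
    item. An account present in only one system is a break for its full
    balance; iterating over one system's keys alone would miss it."""
    breaks = []
    for account in sorted(set(credit) | set(accounting)):
        c = credit.get(account, Decimal("0"))
        a = accounting.get(account, Decimal("0"))
        diff = c - a
        if diff != 0:
            breaks.append(Break(account, c, a, diff, abs(diff) > tolerance))
    return breaks


def sign_off(breaks, performer, run_date=None):
    """Control evidence: who reviewed which items, when, and what was escalated."""
    run_date = run_date or date.today()
    return {"control": "Daily credit vs accounting reconciliation",
            "run_date": run_date.isoformat(), "performer": performer,
            "items_reviewed": len(breaks),
            "escalated": [b.account for b in breaks if b.investigate]}


if __name__ == "__main__":
    found = reconcile(CREDIT_SYSTEM, ACCOUNTING_SYSTEM)
    print(sign_off(found, "finance-analyst-1", date(2025, 5, 23)))
```

The `reconcile` function is the process (which extracts are compared and how); the tolerance test together with the `sign_off` record is the control, since it is what keeps the breaks within appetite and leaves the evidence an auditor would ask for.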