Business risk relates mainly to an organization’s goals and objectives. It is essentially the potential cost incurred if the business does not achieve its strategic plans. The assessment and management of business risk has evolved into formalized enterprise risk management (ERM) in many organizations.
By contrast, audit risk relates mainly to the internal and external audit functions' efforts to achieve their own objectives; that is, to provide effective, timely, and efficient assurance and consulting support to management and the board. Traditionally, audit risk has been seen strictly as the risk of reaching incorrect audit conclusions. Contemporary views, however, include big-picture audit risks; specifically, the risk that the internal audit function is not doing the right things or is not working in the best ways.
Let's look a little more closely at these two concerns…
Business Risk (Enterprise Risk)
Enterprise Risk Management (ERM) is defined as:
*A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
*ERM is a structured and coordinated entity-wide governance approach to identify, quantify, respond to, and monitor the consequences of potential events. When implemented by management, ERM is generally evaluated by internal auditors for effectiveness and efficiency.
*Business risk is fundamentally the risk of an organization not achieving its objectives. A formal ERM program both enables the management of business risk and provides assurance to management and the board that risk is given due consideration in day-to-day business decisions.
Within this context, the internal audit function provides strategic, operational, and tactical value to an organization’s operations. For example, internal auditing is:
*A resource to the board and management for making sure the entire organization has the resources, systems, and processes needed to operate efficiently and effectively.
*An assurance tool that lets management and the board know that everything that should be done is being done. By ensuring that qualified professional reviews and audits are performed, the board and management advance their goal of overseeing the organization’s operations and ensuring its continuous improvement and success.
*An independent validation resource that the organization’s efforts are proactive and effective against current and emerging threats.
Core internal audit roles regarding ERM are:
*Providing assurance on the quality of risk management processes
*Providing assurance that risks are being considered in day-to-day decision-making
*Ensuring, through audits, that all risks of significance are included
*Evaluating the reporting of key risks
*Reviewing the management of key risks
Internal auditors may also perform the following roles, with appropriate safeguards in place to protect their independence and objectivity:
*Facilitating identification and evaluation of risks
*Coaching management in responding to risks
*Coordinating ERM activities
*Consolidating the reporting on risks
*Maintaining and developing the ERM framework
*Championing establishment of ERM
*Developing risk management strategy for board approval
Responsibilities that internal auditing should not undertake, because they are management's and would compromise independence:
*Setting the risk appetite
*Imposing risk management processes
*Making decisions on risk responses
*Implementing risk responses on behalf of management
*Accountability for risk management
Audit Risk
Now that we've looked at the role of the auditor in assessing business risk, let's talk about audit risk. Audit risk has traditionally been defined as the risk that an auditor will make wrong or misleading assessments. By following a systematic approach and practicing in accordance with the International Standards for the Professional Practice of Internal Auditing, auditors can reduce this risk.
*Internal Auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
*Independence is established by the organizational and reporting structure. Objectivity is achieved by an appropriate mind-set. The internal audit activity evaluates risk exposures relating to the organization's governance, operations and information systems, in relation to:
-Effectiveness and efficiency of operations.
-Reliability and integrity of financial and operational information.
-Safeguarding of assets.
-Compliance with laws, regulations, and contracts.
*Based on the results of the audit assessment, the internal auditors evaluate the adequacy and effectiveness of how business risks are identified and managed in the above areas. They also assess other aspects, such as ethics and values within the organization, performance management, and the communication of risk and control information within the organization, in order to facilitate a good governance process.
Finally, in today’s professional practice, audit risk also includes the risk of failure of internal audit (and IT audit) at a broader level than just the audit conclusions. For example, audit risk now includes the risk that internal audit is working on the wrong projects and/or completing its work in an inappropriate manner.
The Relationship between Business Risk and Audit Risk
The scope of an internal auditing plan should be driven by relative business risk. In other words, audit resources should generally be applied to the areas of greatest business risk.
While internal auditing can perform its own assessment of business risk, the internal auditing function should leverage management’s risk assessment process when management has a formal ERM program in place. That reliance presupposes that internal audit has first assessed the ERM process itself and found it reliable (one of its core roles listed above); a flawed risk assessment, relied on uncritically, would steer audit resources away from the real areas of exposure. In effect, internal auditing becomes more efficient by relying on a sound ERM process, and at the same time reduces its own audit risk of working on the wrong things.