Internal Audit's Role in Managing Risk
Managing risk across the University is a responsibility for all of the University's managers and staff. Internal Audit already has an accepted role to review the adequacy and effectiveness of arrangements and controls put in place by managers - the management of risk is no different in this respect.
Developments in internal audit practice have meant that we are increasingly aligning ourselves with the major concerns of the University's senior managers by focusing on those areas that are critical to our success. In practice, this means that our work is heavily influenced by the key objectives that the University has set itself, as articulated through the University strategic framework. As advisers in risks and controls, we aim to help University managers in identifying and assessing risks and helping them to develop appropriate ways of controlling or mitigating these risks.
It is important to distinguish between assisting managers in developing ways to manage risks and actually being responsible for the development of such approaches. In effect, weact as facilitators and consultants within the overall risk management process by:
- Offering advice about the adequacy and effectiveness of the systems and arrangements developed; and,
- Guiding managers through the use of particular tools and techniques to help them manage risks (specific methods include techniques such as Control Risk Assessment).
How do we audit the management of risk?
When reviewing this area of management we consider:
- The University's objectives, plans and strategies; and
- How University managers identify, analyse and manage risks that may threaten the successful achievement of our organisation's objectives.
As risk affects all areas of the University's work, its management is an integral part of our organisation's activities and this means that we have to adopt a cross-cutting, organisational approach against which we can assess how risks are being managed. The scope of all audits is guided by the institutional risk register and local risk registers held by budget centres.
Where we find that controls are not helping the organisation to effectively manage those risks that the University faces, we make recommendations to improve the management of those.