Managing risks in organisations

The public should know that, it is fully the responsibility of management to put in place controls in their organisations, so as to manage risks.

The public should know that, it is fully the responsibility of management to put in place controls in their organisations, so as to manage risks.

Risks are those events interfering with the attainment of the organisation’s objectives.

Auditors whether external or internal are there, only to oversee the appropriateness and compliance of the controls.

But they do not involve themselves in the implementation or preparations of controls for fear of self review threat.

This means you can not challenge the controls they have contributed to.

So you need to safeguard your objectivity.

Fraud has been detected in some banks including the National Bank of Rwanda, Bank of Kigali, Rwanda Commercial Bank (BCR), and some other institutions.

What management needs to look into critically are the controls in place. Yes, controls may be there, but weak.

If such controls are neither adequate nor appropriate, there is a fear that money launderers may dance to their tune. Remember banks are more prone to money launderers than any other entity.

Stakeholders are increasingly demanding assurance that organisations are managing risks and employing effective control systems.

Internal auditing function therefore, is part of the controls.
For control these questions are crucial and need particular attention.

They include:  Is the work of internal audit section taken seriously throughout the organisation? Do you have professional and competent staff in the internal audit department?

Internal audit function is usually benchmarked to support audit committees in discharging their responsibilities.

Internal auditors are expected to work with integrity, objectivity, confidentiality, and should be competent.

Measuring risks
Management is wholly responsible for maintaining an adequate and appropriate (quality and quantity), system of internal controls.

It is thus not the responsibility of auditors. Internal audit appraises and evaluates the value for money control systems.

They therefore make recommendations on their review, to management in improving controls.

So, you can see the reasons why you need to have professional and competent staff in the internal audit.

If you have mediocre staff, then you may never improve. 

Proper identification and measurement of an organisation’s risk is a prerequisite for good corporate governance and an effective internal audit function.

Internal audit should constitute of highly qualified internal auditors, if you can not get professionals in house, better outsource; considering the issue of cost effectiveness.

Internal audit has a particular interest in investigating and evaluating the company’s risk management structure.

So, internal auditors do help in giving recommendations on the adequacy, appropriateness and improvement of controls.

Actually internal audit’s role in the context of corporate governance, to manage risks and overall organisation’s control, will include assisting management by suggesting ways in which these objectives can be achieved, and by monitoring progress in the implementation.

Planning is the most important in audit. The planning phase begins with the initial meeting in which internal audit staff meets to discuss issues say about the audit process, the tentative scope of the audit, operations, and any questions or suggestions you may have for the audit, most importantly the most risky areas.

The most important thing is to understand the entity and its environment. During the remainder of the planning phase, the auditor will use various resources to learn more about your operations, including interviewing staff and reviewing strategic procedures.

At the conclusion of the planning phase, the auditor will perform an audit risk assessment based upon the information gathered.

This risk assessment will help the auditor to write an “audit programme” that is specifically tailored to your unit’s unique operations and risks.

An audit programme is simply a detailed list of test steps that the auditor will perform during the fieldwork phase in order to evaluate your unit’s processes and internal controls.

Fieldwork stage
Auditors are not watchdogs; hence employees should have no worry when they see a team of auditors in the organisation. During the audit fieldwork phase the auditor carries out the test steps outlined in the audit programme.

The auditor will select and examine samples of transactions, observe processes, and conduct additional interviews, as needed.

To avoid any surprises at the end of the audit, the auditor will let you know throughout the audit as he or she identifies concerns or areas for improvement.

Reporting involves summarising all the auditor’s observations, and meeting with you to discuss at one time all the observations you have been notified about throughout the audit.

At the” observations meeting”, you will come to a common understanding of the concerns noted and the auditor will provide his or her suggestions on how to make improvements.

After the observations meeting, the auditor will draft an audit report, concisely describing each condition and the tentative plan of action for rectifying the conditions.

The auditor will then schedule another meeting called an “an exit conference” with you to review the draft audit report in detail, ensuring the conditions are presented factually, and the action plans accurately reflect your intentions. Together you and auditor will establish feasible target dates by which each action plan will be implemented.

After finalising the draft audit report, the auditor will provide it to you once again for review before the report is issued. Once you are in agreement about the presentation of the report, the auditor will issue the final audit report to you the shareholders.

Internal audit follow-up reviews consist of requesting from applicable management a report on the status of action plans.

So, note that management is responsible for fragile controls and auditors are responsible for monitoring and reviewing the efficiency, effectiveness, of the controls.

If you have a good team of internal auditors, then they will help oversee the loopholes within the system and make recommendations.

It is unfortunate for those organisations without competent and professional internal audit staff.

Instead of holding the team that is incompetent in all aspect, better out source the internal audit function.

Otherwise, you will not be cost effective, thus affect the objectives of your entity.