As the pressures on organisations grow, how well they handle the operational and financial risks they face will determine their success. Enter the internal auditor.
There's nothing like an economic crisis to push risk management up the business agenda. This time around, because of the widespread view that the crisis was caused by poor governance at financial institutions, there is a sense that organisations have to take a different approach to controlling risk.
Instead of a kneejerk reaction and a focus simply on areas of highest financial risk, as seen post-Enron, directors are treating organisational risk management as a business process in its own right.
For the first time many are employing internal auditors, skilled professionals who can evaluate the controls in place to manage an organisation's risk across all areas of the business, not just finance. Internal auditors are often confused with external auditors, yet the roles are very different. While the external auditor's remit is limited to the financial aspects of the business, internal auditors have knowledge of all aspects and evaluate all the relevant controls over time.
Phil Gray, communication and advocacy director at the Institute of Internal Auditors (IIA), says: "While most business risks are financial, there are also risks in IT, operations, customer management, and reputation. The key to being effective as an internal auditor is having an understanding of your firm. Some internal auditors come from an accountancy background, but most come from line management or operational roles."
Internal audit might involve anything from assessing the reputational risk to a company of using cheap foreign labour to the strategic risks of stretching resources through overproduction.
Phillip Ratcliffe, president of the IIA and head of internal audit at paper and packaging multinational DS Smith, says: "There is a lot going on in many organisations, including investment in new equipment, reorganisation and restructuring. New management teams, and business leaders need to have confidence in each of these situations and be sure they are under control and operating as well as they can."
Central to the efficiency of internal audit is the independence of the function. Although they are employees, internal auditors must be independent from line management. This enables them to be objective in their judgments on the effectiveness of risk management controls. They also have to be able to confirm whether the controls in place are working well or identify where there are weaknesses that are exposing the company to risk.
This becomes even more important when covert risks—those that are known about but ignored—are brought to the attention of management. A good example, says Virginia Merritt, managing partner at organisational change consultancy Stanton Marris, is the risk that occurs when there is a breakdown in relationships between members of the senior team.
As Merritt says: "This may not be recognised as an organisational risk, but left to fester it can be as potentially damaging as any operational or technical risk. In difficult times, companies rely on a cohesive performance from their senior management team and any risk to this has to be dealt with."
Where internal auditing differs from more specific forms of risk control is in its breadth of remit. So, while a quality manager in a manufacturing firm will ensure the quality of finished products, and a health and safety manager on a construction site would keep an eye on health and safety, neither will look at broader issues affecting the firm.
Indeed, the scope of internal audit is such that some see it as one of the four essential components of good corporate governance, the others being executive management, non-executive management and external audit. As part of its stewardship role, the board is ultimately responsible for managing all the risks facing an organisation. And non-executive directors provide checks and balances to the executive. They rely on external audit reports on the financial position of the business. But assurances on how well any risk management controls across the wider business are working will ideally come from the internal auditor.
But the lines of internal audit reporting are the subject of an ongoing debate. In some organisations, the internal auditor reports to senior management via an audit committee. In others, they report directly to the executive team.
"There are still questions about where the internal audit function sits within an organisation," says Dr Roger Barker, head of corporate governance at the Institute of Directors (IoD). "If the internal auditor is reporting solely to the CEO, there could be potential for an atmosphere of mistrust. A solution would be to have a dual approach, reporting to both the CEO and the audit committee," he says.
Internal audit may be perceived as the preserve of the large organisation, but measuring exposure to risks and implementing controls to manage those risks is increasingly important for smaller organisations, says Merritt.
She says: "One company we worked with, which has around 100 employees, found itself in a key position to take on some government work. They had been under pressure to control costs, which they suddenly realised had created a huge exposure to risk around key people. Businesses are becoming increasingly aware of the need to manage risk because they can't afford to fail."
Internal audit helps to avoid unpleasant surprises that can be disastrous for small businesses. But when is a firm big enough to justify a dedicated in-house function?
"What's important is that all businesses, regardless of their size, understand the impact of risks on their business and have effective systems and processes in place to keep the business protected," says Gray.
Below a certain size of company, it's obvious that the costs of a full-time internal auditor may be hard to justify. Some businesses opt for outsourcing, and many accounting firms offer business risk assessment services. But the IoD's Barker maintains that the detailed company knowledge held by an employed internal auditor, coupled with their vested interest in the success of the business, makes keeping the role in-house a better option.
The presence of an internal auditor can in itself be a catalyst for best practice, something Ratcliffe describes as the "mother-in-law syndrome".
"You know there are things that need doing, and you do them because you know the mother-in-law is coming. The principle of internal audit is the same. If you get a good report from the internal auditor, it is still of huge value because it means that you are not missing anything."
