The document discusses conducting risk assessment for an internal audit department. It begins by outlining the key objectives and activities of the internal audit function. It then provides a list of 27 questions and answers to map out the internal audit processes, inherent risks, and key controls. The questions cover topics like audit planning, coordination with other departments, reporting structure, budgeting, performance metrics, theoretical risks, and controls. The overall purpose is to establish a proper risk management process for the internal audit department.

1. 1
“Risk Assessment in the ‘Internal Audit’ Department – A practical approach!
Article by M RAJESHWARON
General Manager (Management Audit) - EID Parry
Introduction
Have we, as Internal Auditors, at any point of time stopped for a while and looked at our
‘own’ risk management strategies?
I thought, through this article, I would share some of my thoughts on this subject.
As Internal Auditors, we are expected to play a vital role in the organization in the area of
Risk Management. The focus on this role will depend on the “risk management status” in
the organization. For example, if there exists a structured system of Risk Management in
the organization, then the Internal Auditor takes the role of a continuous reviewer,
providing the management an on-going advice to improve the existing risk management
system. On the other hand, if the organization is in its infant stage of implementing a risk
management system, then he works with the management in providing value addition for a
robust risk management system in the organization. He then becomes a ‘facilitator’ than a
fault finder coming at the end and communicating on the inadequacies. Of course, this role
will be played keeping in mind the ‘independence focus of audit’.
While he projects himself as a ‘facilitator’ or an effective ‘Risk Assessor’, in the
organization, it is very essential that he understands the ‘risks’ in his own Internal Audit
Function and manage them more effectively.
This article dewels on the ground work required for establishing a proper risk management
process in the internal audit department.
The format I have adopted for this article is :
(A)mapping the Internal Audit processes and the inherent risks in them (A Question –
Answer section)
(B) depicting the risk matrix for an Internal Audit department (This matrix is
independent of the details discussed in (a) above)
While writing Section (A), I have kept in mind our Internal Audit Organization (EID
Parry) to facilitate easy flow of thoughts. Since the answers to these questions would
become the basis for developing an actual ‘risk matrix’ for a particular audit department,
it is expected that the Internal Auditors ensure compiling this data relevant to their own
working environment.
Section (A)

2. 2
“Questions & Answers” for clearly understanding the ‘risk scenario’ prevailing in an
Internal Audit Function
1. What are the key objectives of your Internal Audit Department?
(a) Long-term objectives ?
To Provide “World Class Internal Audit Services”
(b) Short-term objectives?
“To play an effective role in the organization as internal consultants, guided by the
philosophy of adding value to improve the operations of all the Business units” and
provide assurance to the management on Risks, Controls & Governance.
(c )Every day objectives?
Properly intertwine work schedule and the above objectives of (a) adding
value to improve the operations of the organization and (b) evaluate on a
continuous basis the internal controls operating in various business
operations of the organisation based on proper risk analysis and also
review the effectiveness of the governing processes.
Assist the line management in translating the agreed recommendations into
results by extending support through collaborative efforts.
Endeavour to continuously assess and improve the quality of people,
process and deliverables to achieve these objectives.”
2. What are the activities that are getting covered under your Internal Audit?
Review Activities
• Assurance
* General Auditing (Audit of non-Technical Operations)
- Issue based assignments /Location specific operational audit assignments
- Compliance Audits (Internal / Statutory)
- Project / CAPEX Audits
- Review of Financial Reporting system
- Specific Functional Area Audits (Insurance, Taxation, Secretarial, Funds
Management etc.)
* Information Systems Auditing & Control evaluation
- ERP related area reviews
- Legacy Systems Reviews
- Information System Division’s Activities reviews

3. 3
• Consulting
* Technical Consulting (Audit of Technical Operations)
- Energy & Fuel Audit (Steam / Power / Renewable Energy / Fossile fuel
‘POL’ (Petrol, Oil & Lubricants) / Motors / Pumps / Compressed air /
Insulation / Water etc)
- ‘SHE’ Audit
- Physical Assets Management / Maintenance Audit (Civil, Mechanical,
Electrical, Instrumentation)
- Production Process Audit (Input / Output, Mass Balance etc.)
* Business Consulting
- Improvements in Business profitability
- Marketing Activity Improvements
- R & D Activity Reviews
- Human Resources effectiveness of processes
Facilitating Activities
• Internal Controls / Corporate Governance Promotion
* Systems / Self Audit Process
- Delegation of Authority Manuals compilation / Facilitation
- Assistance & guidance to Business Units in Divisional system manual
preparation & Self Audit process
* Corporate Governance Support
- Facilitation for putting effective Internal Control system across business
locations
- Need based investigation assignment execution
- Conducting awareness program on Values & Beliefs / Code of Conduct,
Ethics Policies, Fraud policies etc.
- Promoting Good governing process at all levels
* Acting as Central repository of Business Knowledge as acquired through
various Audit Assignments
3. Have Internal Audit procedures been developed, documented, authorized,
implemented, and adequately communicated to all departments?

4. 4
Yes. Ours is an ISO 9001: 2000 Certified Audit Function. We have an approved Apex
Quality / Procedures Manual. Manual shared with all Business Divisions and also
placed on the Intranet Home Page of the Internal Audit Division.
4. What is the process followed for approval of the internal audit plan?
A detailed risk based audit planning exercise is done in consultation with the audit
customers at the year beginning and the key focus areas are determined. The Audit
Plan is reviewed by the CAE (Chief Audit Executive) along with the Audit Customers,
changes and comments are incorporated as per customers’ requirements. The CAE
then finalises an Audit Focus document for the ensuing year and puts up to the Audit
Committee for its formal approval. (For conducting this exercise standard Risk based
Audit Planning software is deployed)
5. How is the system of co-ordination achieved with the other departments ie. Your
audit customers?
Structured involvement of Audit Customers at the,
* Audit Planning stage
* Pre-Audit stage
* Final Audit discussion stage
* Follow up stage
* Audit Committee Discussion stage
6. To what level does the internal audit observation get elevated?
All audit observations will be discussed with Senior Management of the Business and
the Significant audit observations / unresolved issues and areas where the Internal
Auditor feels that the residual risk is high in his opinion will get escalated to the Audit
Committee. Broad materiality parameters used for this purpose.
7. What is the process of follow-up for the observations in internal audit?
All agreed audit recommendations will be converted into ‘Tasks’ which will be
placed on the automated audit process management software system called
“WEBMARS”. WEBMARS will trigger mail messages at various stages as follow-up
reminders for completion of all tasks. Close monitoring of this system will ensure
completion of all tasks in the normal course. The system also generates Task Status
reports for appropriate escalation. A detailed follow-up audit also takes place during
the next cycle of audit to ascertain the status of all pending issues. Periodical Action
Taken Report (ATR) is also solicited from the auditee departments.
8. How does the department ensure completeness of all areas planned?
* The comprehensive audit plan with areas such as Technical, Systems and General
Auditing and the structured Risk area analysis is discussed & agreed by auditees at the
beginning of the year.

5. 5
* Mid Audit Reviews and Audit Process management mechanism help in identifying
gaps in execution.
* Additional resources required are deployed through internal / external skill sourcing
wherever required.
* Periodical internal review meetings ensure a ‘progress chasing’ system.
9. How would you rate the independence of the department? Whom do you report
to?
* Board grants and Management acknowledges to the Internal Audit Function full
and complete access to all records, personnel, physical properties or information of
the organisation deemed necessary in accomplishing its audit activities. This is part
of the Audit Charter approved by the Board.
* Audit staff have no direct responsibility for or any authority over the activities that
they review.
* The CAE reports to the Audit Committee Chairman - functionally and
administratively to the Managing Director of the Company.
* Audit Team is encouraged to report all those issues which in the Internal Audit’s
opinion deserves top Management attention.
The above conditions ensure full independence of the Audit Team.
10. What are the significant reportings that have come up?
* These vary from suggestions for operational improvements to process improvements
to high cost saving potential to escalating a High Risk Area. It also includes reporting
on efficiency improvement in certain functions as well as effective facilitation / co-
ordination among Business Units to achieve synergies.
11. Is there a budget prepared for your department?
Yes, The Financial Budget is made as soon as the Audit Plan for the year is freezed
by the Heads of all the three Audit Functions namely General Audit, Systems Audit
& Technical Audit. This is then cleared by the CAE and put up to Management /
Audit Committee for approval.
12. How is your budget reviewed and monitored? What is the frequency of such
review?
The financial Budget is compared with actuals on a monthly basis and reviewed by the
CAE. This is also reported in the Audit MIS folder.

6. 6
13. What kind of Reports / MIS is generated by the Internal Audit department? What
is the frequency of generation and review of these reports?
MIS reports are prepared on a monthly basis for the three streams of Management
Audit ie. General Audit, Systems Audit and Technical Audit. The contents of these
reports include status of all audit assignments, planned assignments vs actual
assignments taken-up, details of training programmes undertaken and action plan for
implementation of learnings, financial expenditure incurred against budget, Status of
cost savings recommended vs implemented and any other important milestones
crossed by these three streams of Audit in developing / strengthening the audit
processes
14. What key statistics / measures do you use to gauge the performance of your area?
(any comparison with international norms/benchmarks)
* The division has adopted the Professional Practices Frame Work (PPF) issued by
the Institute of Internal Auditors Inc. the only global body promoting the
profession of Internal Auditing.
* The Division is an ISO 9001:2000 certified organization and periodical
Surveillance audits are conducted to ensure compliance with all the quality process
requirements.
* “WEBMARS” (an Audit Process Management Software) depicts the on-going
progress based on which performance against targets are monitored.
* Measurement of Performance (MOP) model adopted for the Department also helps
in evaluating the Division’s performance on a year to year basis. The Internal Audit
Balanced Score card system helps in collecting inputs for this measurement.
* At the end of the year a ‘customer satisfaction’ survey matrix is also prepared (as
part of the ISO Quality System) for taking corrective actions. This also becomes a
basis for evaluation.
(Periodically the above measures are compared with global best practices)
15. What are the significant theoretical risks associated with your area of operation?
* Risk of inadequate audit coverage
* Risk of not identifying the right areas for audit
* Risks of audit completion delays
* Risks of deploying incompetent audit teams conducting audits
* Risks of gaps in the knowledge / skills possessed by Team Members
* Risks of not being able to balance between conflicting customer requirements
* Risks of not using appropriate IT Audit Tools
* Risks of not having a structured Audit Systems / Processes
* Risks of not accepting a challenging assignment when offered
* Risks of not meeting Standards, SEBI guidelines, Audit Committee requirements

7. 7
* Risk of not studying / adopting to the Corporate culture / Organisation Dynamics
* Risks of not knowing the ‘best practices’ in Internal Audit
* Risks of not getting adequate ‘resources’ for audit
* Risk of not ‘innovating’!
16. How would you classify these risks into the following categories?
People?
Eg:
* Risks of deploying incompetent audit teams conducting audits
* Risks of gaps in the knowledge / skill possessed by Team Members
Processes?
Eg:
* Risks of audit completion delays
* Risks of balancing between conflicting customer requirements
* Risks of not using appropriate IT Audit Tools to capture relevant data for forming
an audit opinion
Systems?
Eg:
* Risks of not understanding Business Systems / Controls
* Not having a structured Audit Systems / Processes
Competition?
Eg:
* Risks of not accepting a ‘challenging assignment’ when requested.
* Risks of not keeping abreast of development in Internal Audit Profession.
Regulation?
Eg:
* Risks of not evaluating compliance with Standards, SEBI guidelines, Audit Committee
requirements
Corporate Culture?
Eg:
* Risk of not studying, understanding & adopting to the Corporate culture, Code of
conduct, Ethics Policy etc.
17. What would be the impact of these risks and the likelihood of the risk occurrence?
Eg:

8. 8
Impact : Could be severe in the case of Audit knowledge / skill level related risks as this
will directly affect the Audit deliverables.
Likelihood : risk happening will be certainif no proper care is taken at the recruitment, on
the job moitoring and year end performance stages.
18. What do you consider to be the key controls over these risks? [Issues discussed in
(17) above]
People?
* Adopting the Audit Skill Matrix at entry level, middle level & at Senior
levels
* Structured Training – Cognitive / Behavioural skills
* Continuing Professional Education for Team Members
* Team Members exposure to leading Professional organisations for
knowledge updation / Best Practices sharing
Processes?
* Dynamic Audit Processes with adequate process controls built in.
* ISO 9001 :2000 requirement compliance & periodical external audits
* Professional Practices Adoption / Monitoring
* Proper assessment of ‘Customer requirements’ and need based focus on
varied expectations.
* Customer Feedback system / corrective action monitoring
Systems?
* Proper updation of ‘Business Knowledge’ by all Team Members
* Comprehensiveness of Audit Plans & Timely Execution
* Guest Audit Pool expertise for specialized areas (in-company experts
team)
Competition?
* Readiness to face new audit requirements / continuous skill updation.
* On-going enhancement of Audit Activities in different areas
Regulation?
* Appropriate training to Audit staff, organizing internal seminars on
topical subjects.
* Close co-ordination with Corporate Secretarial, Legal & Taxation
Services

9. 9
Corporate Culture?
* Internal Team discussions on Corporate culture, understanding the
Organization’s Values & Beliefs.
19. How would you rate the effectiveness of the key controls in your organisation?
1. Excellent 2. Very Good 3. Good 4. Fair 5. Poor
2. Very Good
20. How do you identify, evaluate, and monitor / control these risks?
Meetings?
* Monthly MIS Review Meetings
* Quarterly Management Review Meetings
* Audit Committee Meetings
* Audit Customer Feedback during periodical Meetings / Presentations
Quantitative/Qualitative Analysis?
* Customer Feed Back Index (Quantified)
* Quantification of Audit Benefits
* Skill Matrix for Team Members
* Audit Performance Measurement Format
* Audit Plan vs Actual Execution statistics
Internal Reports?
* Monthly MIS Reports
* Annual consolidation reports
* Training Programme / Action Taken Reports schedules
* Planning Documents
* WEBMARS – Status Reports on various Audits
* Team Member Performance Appraisal Reports
External Information?
* IIA Inc. (Institute of Internal Auditors) guidelines
* Best Practices from Research work done by Professional Organisations
* Experience Sharing Workshops
* Study Reports on the Profession
* World ‘CAE’ Forum – (‘CAE’ is a member of this forum)
* ISO Quality Auditor - Reports
21. What recent or planned changes are there in your area of responsibility?

10. 10
* Audit Customer base enlarged.
* Additional responsibility of providing support to Group Companies.
* ‘WEBMARS’ – the internally developed software application is going to be
marketed by the Division to outside Professionals / Companies
* Technical Audit stream got the approval for conducting mandatory Energy Audits
for HT Industries - A revenue model emerging.
22. What issues result from:
Complexity or size of the operation?
* Requirement for more number auditors with special area skills
* Time management in preparing for and attending Audit Committee
Meetings on a quarterly basis
* On-going updation of status on Audit issues
* Comprehensive coverage of all locations
Communication of information between business functions /
operational units?
* Parallel Communication with different layers of management across
geographically dispersed units in terms of key audit issues on a timely basis
has impact on timely reporting, accuracy, correct status etc.
23. Is the current “Delegation of powers” adequate or commensurate with the
Division’s objectives?
* Yes – Independence & Objectivity of the function facilitated through adequate and
defined Responsibilities / Authority - Audit Charter & Structured Reporting lines
24. Are you comfortable with the current level of computerization and the adequacy
of hardware and software in the performance of your function?
Yes – All the Team Members have computers - “CAATS” softwares effectively used
by Team Members.
25. Are you using any application tool in the performance of the function?
Yes – Internally developed Audit Process Management Tool (WEBMARS), Risk
Ranking Tools, Control Evaluation Tools and Transaction Analysis Tools are
deployed.
26. Is there an Ethics or Business Conduct policy? What is your understanding of the
Company's Ethics Policy and Code of Conduct?

11. 11
* Individual & Business Ethics well understood by all Team Members. Regular internal
discussions take place on this subject. IIA’s / ICAI’s Code of conduct & Company’s
Values & Beliefs statements, Policies etc. are read and understood by all.
27. Do you know how to voice ethical concerns? Do you feel comfortable voicing
ethical concerns?
* Yes – The ‘Whistle Blower’ Policy (CARO) when fully implemented will provide the
methodology, protection and a structured process for all whistle blowers. Audit
supports this initiative in taking up, investigating complaints in a logical manner
through appropriate audit methodology.
28. Has any concern on ethical issues been raised over the past two years and how has
the same been addressed?
* No such instances
29. What, in your view, are the strengths and weaknesses of the Ethics Policy and
Code of Conduct?
Strengths
* Positive outlook
* Professionalism
* Transparency
Weaknesses
* May be looked at as a threat by the reporting employee
* May have impact on the ‘Trust’ aspect
* All ‘People’ may not understand / perceive the implications of this policy effectively.
30. How do you monitor implementation of changes, if any, to Management policies
and procedures?
Changes in the management policies and procedures are communicated to Audit
Division and a compliance review is under taken for evaluating the effectiveness of
implementation of all changes
31. Do you have all the resources you need to effectively perform your job – in terms
of manpower, infrastructure and support facilities?
Yes, We have.
32. Do you outsource a part of your activity? What is the process followed in the
selection and approval of such source?

12. 12
Yes, part of our activity is co-sourced. In order to identify the right source, first the
requirements are analyzed for various types of audits planned for the year.
Then from the data bank available with the Division, the outside service providers are
evaluated and selected to match with the above requirements. (The outside service
providers data kept updated in the Division on a continuous basis during the year,
before engaging them for assignment). There is a structured evaluation process to
decide the appropriateness of the co-sourced agency.
There is also a continuous monitoring mechanism and an year end evaluation system
for such outsourced services.
(The above system is a subject of ISO Quality Audits under supplier evaluation)
33. How do you find the morale in your area? What do you attribute this to?
* Independence & objectivity for Auditors have to come from within first
* Honesty and characters are very important
* Both at entry level as well as during the tenure - effective assessment is done and
feedback given to all Team Members
* An on-going performance appraisal also facilitates this.
* Due to the challenging work environment & empowered situation, the ‘morale’ is high
in the Division
34. What training, formal or informal, is offered to employees who report to you? Do
you participate?
* Structured Training Plan (External as well as Internal) exists. Formal Feedback sheets
prepared by Team Members and this helps in monitoring. Skills are divided into two
categories for training purposes
i. Cognitive skills and
ii. Behavioral skills.
Wither support from Corporate HR the programs are conducted.
35. What metrics do you use to evaluate your staff who report to you?
(1) Key Result Areas and Personal Objectives identification for all the Team Members
at the year beginning. Continuous assessment of this with the help of Corporate
Personnel and year end rating.
(2) Number of Training Programs attended in the areas identified for further
development.
(3) On-going Feedback by CAE / Actions Plan by Team Members

13. 13
(4) Training Activity based on the earlier year’s appraisal document for all team
members
(5) Continuous bench marking with Brikket etel. 1999A study on ‘Skills required for
Internal Auditors (entry level, middle level & senior level) a document released by
IIA, USA.
(6) Team members are encouraged on the ‘self learning’ process by motivating to
pursue professional courses in their respective work areas.
(7) Team members participate in Professional Workshops / Seminars / Conferences as
participants as well as faculty. Technical skill development programs are identified
by CAE whereas the Behavioral related skill develop is done by the Corporate
Personnel.
(8) Periodical administration of personal quality / skill testing methodology with the
help of corporate personnel and evaluation of the same.
36. Who evaluates your performance and what are the key components?
* Self Appraisals completed by the individual & submitted to the Initiating
Officer (immediate boss) and then it goes to the Reviewing officer.(Boss’s
Boss)
* Functional Reporting officer’s form will directly go to the Reviewing Officer
(Officer who had interacted more during the year with the Executive)
* Reviewing Officer will finally approve the ratings and forward to Corporate
Personnel.
* PARC (Performance Appraisal Review Committee) will meet during June
every year and finally approve the ratings for the Executive.
* Periodical – 3600
feed back and other HR evaluation methodologies are
undertaken to measure soft skills.
On Data Collection:
The Questions with sample answers given above are only illustrative. Each Internal
Audit Department could attempt to ask similar questions and provide answers pertinent
to their work environment. This will become the basis for developing a risk
assessment model for the Division.
The purpose of a very detailed information as above is to identify all the risk elements
and list them down activitywise. After analyzing the answers to the questions as above
the key risk areas should be identified and listed. Then a risk matrix as shown below
could be prepared to understand the high, medium, & low risk areas.

14. 14
Section (B)
A Sample Risk Matrix (Independent of the environment described in the foregoing
Question & Answer session)
The above boxes can then be classified into 1,2,3 categories denoting High,
Medium & Low risk areas.
Way Forward :
Once risks are classified as above, the control mechanism in operation in the Division
to address them need to be plotted against each such risk area. This would then lead to
a list of risk mitigation actions.
Catastrophic
*Gaps in Audit
Technology
Major
* Risks connected
with not
understanding the
customers'
expectations
*High dependency
on external
resources
Moderate
* Inadequate
Resource
Allocation
* Skill sets of Audit Team
Members
Minor
Insignificant
Rare Unlikely Moderate Likely Almost Certain
SIGNIFICANCE
"Risk Exposure Matrix"
3 2 1
* Balancing between
Assurance Audits & value
added audits

15. 15
The actions would focus on bridging the gaps in the above selected areas.
This exercise needs to be repeated every year so that the trend could be captured and
continuous corrective actions / improvements take place in the Internal Audit
Department. Like any other system this also needs to be audited by a ‘third party’ at
periodical intervals.
This structured methodology in the ‘Internal Audit Department’ will thus effectively
demonstrate that the Internal Audit Team practices what it preaches to all its Audit
Customers.
------