The Global Financial Crisis has all too clearly shown the results of relaxed approaches to risk management. BDO’s Leoni Markel provides an in-depth explaination of Risk Based Internal Auditing.


The focus of internal audit has evolved over the past decade. There has been a migration from systems based auditing to process based auditing and now the current emphasis is on Risk Based Internal Auditing.
The key starting point in a Risk Based Audit is to examine the organizations business model, risk strategy, and risk appetite.

Risk appetite
Risk appetite is the amount of risk exposure, or potential adverse impact from an event, that the organization is willing to accept or retain. Management judge their risk appetite against the potential for profit, seeking returns     commensurate with the risk.
Once this has been done the next stage is to ensure that appropriate   objectives have been set by the organization and then to determine whether or not the business has adequate processes, systems and procedures in place for identifying, measuring, and managing the risks that impact  the  achievement of these objectives.

Role of internal audit
The role of internal audit is to assess the extent to which a robust risk management approach is adopted and applied, as planned, by management across the organization to reduce risk to a level acceptable to the Board. The current definition of internal audit is that it is:
“An independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization      accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and     governance processes”
While internal audit’s main contribution is to provide assurance on management’s treatment of risk (through governance and control processes) it may also advise management on other aspects of their response to risk such as decisions to avoid, transfer, retain or control risks. Internal audit can also assess the efficiency and effectiveness of controls, further adding value to management.

Risk Based Internal Audits in Banks
Banks are exposed to various kinds of risk - both financial and non-financial. The profitability of every bank depends on how effectively a competitive risk adjusted return on capital is generated. Effective Risk Management and internal control systems are crucial to the conduct of the banking business, not   only to maximize bank profitability, but also to be in compliance with prudential guidelines.
Bank Regulators and the bank management need assurance of risk  management compliance. Modern internal audit must add demonstrable value in the current competitive banking environment and the increasing expectations of regulators, governments and professional bodies reflect the growing importance placed on the function.

Compliance with Basel II
The Basel Committee on Banking Supervision’s Internal Audit Principles, and the standards from
the Institute of Internal Auditors show two of the most    significant developments to affect bank internal audit in recent years. Add to this the implications of Basel II Capital Accord and the requirements for the formal management of operational and other types of risk, the various challenges facing the banking sector become obvious.
Basel II is the second of the Basel Accords, which are recommendations on banking laws and regulations issued by the Basel Committee on Banking Supervision. The purpose of Basel II, which was initially published in June 2004, is to create an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks faced.
Advocates of Basel II believe that such an international standard can help protect the international financial system from the types of problems that might arise should a major bank or a series of banks collapse. In practice, Basel II attempts to accomplish this by setting up rigorous risk and capital management requirements designed to ensure that a bank holds capital      reserves appropriate to the risk the bank exposes itself to through its lending and investment practices. Generally speaking, these rules mean that the greater risk to which the bank is exposed, the greater the amount of capital the bank needs to hold to safeguard its solvency and overall economic stability.

The future outlook
The Global Financial Crisis contains many lessons for both regulators and the financial industry. The recommendations of the G20 and the Turner Report help to underscore the need for sound risk management, effective internal controls and strong corporate governance at financial institutions. Effective Risk Based Internal Auditing can add considerable value if performed correctly and more compliance and regulation is inevitable.
Knowing your risks has always been an important management requirement, but with the complexities of the financial instruments traded risks had become obscure.  The future will see bank management required to understand and disclose risks to the market, and internal audit providing assurance that risks are understood and managed within management’s parameters.