May-2015
AUDITING
products. Similarly, an incentive scheme that does not provide an incentive unless a stretched target is achieved and provides a significant bonus for achieving results (say, production and sales) higher than the target creates stress on internal controls. Therefore, internal audit focuses on sales returns and complaints about product quality (as quality may be compromised to achieve and surpass the target), particularly in years of subdued demand for the product.
The debate on whether the internal audit should work with or around ERM is yet to be settled. The main reason that has triggered this debate is that many firms are yet to establish a full-blown ERM system. In an ERM system that has attained a high maturity level, every decision-maker understands the risk-appetite established by the Board, and risk management is embedded in decision-making. At a low maturity level, risks are managed in silos and an enterprise-wide approach is absent. This has serious implications. Managers lack understanding of the risk appetite and the firm fails to develop a risk-culture⁹. When risks are managed in silos, the combined impact of different risks in different segments is not assessed, and as a result the firm is exposed to high risks that deserve significant management attention. The concept of optimising the ‘portfolio of risks’¹⁰ cannot be implemented, resulting in difficulties in formulating risk strategy.
In view of the different maturity levels of ERM systems that the internal auditor encounters, a pragmatic approach, although not the ideal solution, is to participate in establishing the ERM system in a firm where the ERM system is at a low maturity level and to plan the audit around the ERM system where the ERM system has attained a high maturity level.
Internal Audit With ERM<br />
The internal auditor, because of the nature of his work, develops a clear understanding of the risks that the firm is exposed to. Therefore, he is in the best position to support developing the ERM system. In the initial years of developing the ERM system, the internal auditor may get directly involved in identifying risks, assessing their impact, developing risk responses (treatment) and designing controls, all in collaboration with managers. Although this process has the danger of obscuring audit objectivity in the audit of controls and other components of the ERM system, the benefits are more than the costs. Involvement of the internal auditor helps accelerate the process of developing the ERM system and achieving a high level of maturity. The internal auditor can champion the ERM and help in developing the risk culture much better and faster than any other actor because of his understanding of business and risks, relationship with managers at all levels and superior communication skills. Of course, this is true only when the internal auditor can build his image as a ‘friend, philosopher and guide’ and not as one who carries the policing function, and when the internal audit occupies a place of respect in the organisation.
9 Risk culture refers to a shared understanding of risks.
10 Optimising the ‘portfolio of risks’ refers to the optimization of overall risks to which the firm is exposed, taking into account risks retained by different segments and strengths of various controls.
Internal Audit Around ERM<br />
In an ERM environment, the internal auditor aims to provide an assurance that the ERM system is adequate and operating effectively. Therefore, he should test the whole process by using the random sampling technique. He should audit selected decisions to test whether risk management is embedded in decision models and whether decision-makers have understood the risk-appetite correctly. He evaluates the risk-identification and impact assessment process by using the interview technique, that is, by interviewing managers to collect evidence (information). He also evaluates whether risk responses, including mitigation plans, are in sync with the risk strategy and whether they have been implemented effectively.
Social audit<br />
Social Impact of Business<br />
Social audit refers to the audit of the social impact of the strategy and operations of the firm. A firm’s business has positive social impacts, for example, employment generation and augmentation of economic activities around the firm’s facilities, resulting in community development through an increase in purchasing power and development of social infrastructure. A firm’s products and services may also have a positive social impact. For example, when a company makes hygiene products available at an affordable price to those who are at the ‘bottom of the pyramid’, it helps build a hygiene culture and develop healthy communities. Other business strategies might also have a positive impact. For example, Hindustan Unilever Limited’s ‘shaktiamma’ project, which aims at achieving low-cost penetration
66 the MANAGEMENT ACCOUNTANT MAY 2015
www.icmai.in