Role of Internal Auditing in Enterprise Risk Management - Corporations in Qatar - Research Proposal Example

• • • Abstract

This main reason for this research proposal is to examine how the internal auditing interacts with the enterprise risk management. The roles of internal auditing will be discussed in detail in the study and the impacts of the internal auditor’s actions on the enterprise risk management. The study will also look at the extent at which the internal auditor is supposed to make decision and advisory services in relation to the ERM. The survey will look at the methodologies used to research on the internal auditing roles in relation to enterprise risk management.

• • • Introduction

The enterprise risk management is the process by which the organizations management use in strategy formulation in an enterprise with the aim of identify potential undesirable events and coming with ways as to which the events may be managed (Institute of Internal Auditors (IIA), 2006). It is therefore the work of the internal auditor to provide the assurance of the ERM. The internal auditors are supposed to evaluate the appropriateness of the ERM, report matters that arise from it and recommend on how the ERM can be improved so that it can be effective in risk management process. The ERM was developed by the Committee of Sponsoring Organizations of the Tread way Commission (COSO) in the year 2004.

Qatar is one of the frontier regions in the development of corporations. The region has ample environment for such practices owing to the laws and regulations that makes the playing ground level for both national and multinational corporations. The increase in corporation means that the industry must institute measures that places checks on the good governance of organizations. Therefore, organizations have realized that the strength of governance depends on the effectiveness of the strategies employed in the management of risks because risks are part of the growth, as organizations grow so are the risks. Most of these organizations experience the growing pressure of identifying all the risks associated with their business portfolios. Some of the risks relates with aspects like operations, financials, environmental, ethics, and social factors. Although organizations have unique risks, which correlates with their business and areas of operation, some factors cuts across business hence the need to apply certain approaches that are universally accepted in risk management like enterprise risk management framework. The identification is essential in the process of explaining how such risks can be managed and subsequently managed using the system. Recent development in risk management has seen the expansion of the Enterprise risk management system because most organizations have come to the realization that such a framework has advantages when compared to the conventional methods of risk management, which in most cases are less coordinated and may hamper the overall process of managing risks.

Organizations are living systems and that they involve activities, which keep changing over time. These changes may occur due to market forces, financial requirement, customer demands, and other inherent managerial factors. Risk management is essential in such a setting because it gives the individuals with the right training the potential of identifying, carrying out assessment, managing, and controlling current and foreseen risks, situations, or events that may hinder the venture from attaining its mission. The risks can present itself in one form or multiple facets. For instance, the market risks may present risks that limit the opportunities available to the organizations.

Internal auditing process involves assessment of the financial materials and the validation of such materials as bearing correct and authentic information so that shareholders and other parties can assess the strength of the organization based on their financial reporting. Therefore, the internal auditing plays a critical role in consulting and assurance, which contributes to the aspect of risk management. According to the Institute of Internal Auditors of the UK, these professionals play a key role in the provision of guidance, role that safeguards the members as well as permissible roles that protect their objectivity and independence. These elements of auditors’ working terms are essential tenets that define their ability to issue and endorse correct financial information without the interference from the top management of the organization. Therefore, the incorporation of Enterprise risk management framework seeks to give a platform to the internal auditors to exercise independence and objectivity in their daily chores thereby playing a part in the risk management.

Literature review

Several years have passed since the revision on the definition of internal auditing by the Institute of Internal Auditors in 1999 (Institute of Internal Auditors [IIA], 1999). The revision took into account the need to incorporate the aspects of consultancy and assurance in the control, governance, and risk management areas. The development was followed by the inception of enterprise risk management framework, which was released by the COSO (2004). These developments shaped the path toward the risk management using the enterprise approach. The roles such as consultancy and assurance, which are provided by the internal auditors’ plays a critical role in shaping these developments at the organizational level in the process of managing risks as early described by Sarens and De Beelde (2006). Although the engagement of internal auditors in the ERM is seen as an asset because it adds value to the entire process, there are high possibilities that it could also lead to instances where objectivity and independence becomes compromised (). Therefore, these findings informed the institute of internal auditors to issue another paper that describes fundermental roles of these professionals with respect to ERM. The paper was delineated in three categories as the core roles, legitimate roles for safeguarding, and roles that they should avoid as shown below (Table 1)

Table 1: Role played by the internal auditor with respect to enterprise risk management framework

Cores in ERM

• Assuring that risks management processes were followed appropriately

• Assuring that risks were evaluated correctly

• Evaluation of the processes of risk management

• Reviewing the key risks managed

• Evaluation of the risks reports

Legitimate safeguarding roles

• Facilitates the identity risks

• Providing guidance to the management on ways of response

• Coordination of activities relating to ERM

• Consolidation of the risk reports

• Development and maintenance of the ERM framework

• Proposing the establishment of the framework (ERM)

• Seeking the approval of the board after developing strategies of risk management

Roles to be avoided by the internal auditors

• Settlement of the risks appetites

• Imposing the process of managing risks

• Acting on behalf of the management to implement responses to risks

• Making decisions relating to responses towards risks

• Accountable for the management of risks

• Assuring managers on the risks

Institute of Internal Auditors (2004)

The statement by IIA supports the fact that internal auditing plays a critical role in the implementation of ERM (IIA, 2004b). the statement acknowledge that these professionals have a duty of assisting the audit committee and the management in undertaking duties toward the management of risks as well as the oversight roles, which may involves duties that examines, recommends improvements, reports, and evaluates the effectiveness and the adequacy of the risks processes instituted by the management. Previous studies that utilized empirical data demonstrate that internal auditors have high tendency to resisting pressure from the management especially when there is a functional audit committee, which validates their objectivity and the independence (Gul and Subramaniam, 1994). Besides, Adamec et al. (2005) demonstrated that a direct involvement of the audit committee in handling the reports improves the aspect of internal auditing, thereby eradicating the possibility of experiencing threats associated with social pressures especially when the professional is liable to offer management report as demonstrated by Cohen et al. (2004). Other study by Bailey (2007) asserts that certain privileges indicate whether an audit committee can report negative behaviors exhibited by the management. For instance, if the committee has the power of approving support work presented by the auditors, if it can approve the budgets, meets frequently, compensates, fires, or hiring a member without consulting then its ability to exercise independence is high.

The increase of internal auditor involvement in the ERM and the possibility, which raises concerns on their roles, accountability, assurance, management issues, such steps could have negative effects on the objectivity and the independence of the auditors, is the basis of the current study. Therefore, it is important to evaluate and review the roles played by auditors in managing key risks, reporting such risks, and assess whether they possess any role in the management assurance on risks. Besides, the study will establish the action of auditors on ERM and the entire organizations. Finally, it is important to assess whether auditors have a role in taking accountability on the risk management process

• • • Hypothesis and Objectives

Do internal auditors have any role in enterprise risk management? The main objectives of this research is to find out the roles that the internal auditors are supposed to perform so as to ensure that the ERM is effective to a risk profile that is acceptable to an organization. The research seeks to establish whether the internal auditor has any responsibility in providing assurance and consulting related services in regard to the enterprise risk management (Gramling and Myers, 2006).

The survey will establish whether the internal auditor has any role in regards to facilitating identification and evaluation of risks in an organization, whether the auditor is involved in setting up the risk appetite of the organization and whether he is supposed to take any decision on the risk management.

In the survey, the role of auditor when evaluating and reviewing the reporting and management key risks will be established and further check whether the auditor has any role in the management assurance on risk within the organization. Further in the study, the impacts of auditor’s action on the ERM and the entire organization will be established, as well as whether the auditor is supposed to implement any risk mitigation activity on behalf of the management (Pickett, 2013). Finally, it will seek to find out whether the auditor is supposed to take any accountability on the risk management process and the extent to which he is supposed to interact with the ERM in an organization.

• • • Methodology

Introduction

The survey uses several methods to gather the relevant data. Questionnaires are to be given to twenty certified internal auditors; this will help survey on how they expect the internal auditors to handle the ERM. This was also to know the relationship between the auditor and the audit committees from the management perspective. The study will be comprised of organizations in Qatar. The study will also use experiments and designs so as to gather relevant descriptive data on the effectiveness and the use of the ERM.

Location of the Study

The research limits its location to include all corporate organizations with certified internal auditors. The size of the corporations will not be taken into consideration as long as the internal auditors from the corporation implement the use of ERM in the management of risks. These selections provide reliable data relevant to the study objectives.

• • Research design

The study will use a quantitative approach, which uses a survey technique to collect data. The data will be collected using a structured questionnaire to make it easy for the target respondents to provide relevant information that can be amenable to the research objectives. A monkey survey online platform (www.monkeysurvey.com) will be used for the collection of data. The questionnaires will be sent to target auditors with the certification who resides in the corporate organizations and requested for their response. Prior to that, a formal request will be made requesting them to accept taking part in the research and that the information provided will only be utilized for scientific and academic purposes. Those who accepts taking part in the study will be acknowledged and send the questionnaire with the research questions.

Target sample size

Although the study aims to involve the twenty certified internal auditors, it is important to acknowledge that not all the target ones may choose to take part in the study. Therefore, the initial piloting study, which aims to establish the willingness of the internal auditors to take part, will involve more than 40 internal auditors so that the number can be cut to 20 later on upon assessing the progress of the respondents. The target respondents will be the certified internal auditors with at least one year experience in the industry, this population has the experience and can provide reliable data that can be utilized for making inferences.

Research instrument

A structured self administered questionnaire was utilized for the collection of data. The questionnaire contained five parts, which include the background information of the respondents that assess their education, qualification, sex, and years of practice. The three objectives each had a part to assess the respondents’ perspective, while the last part gave the respondents a chance of giving their views. The questions were structured using a strategy that requires response using a five point likert scale that ranged from strongly disagree (5) to strongly agree (1) in that order. The scores were used for assessing the response.

Data Collection

The study involved the collection of primary data by targeting certified internal auditors from corporate organizations listed in the Qatar or those operating within the boundaries. These involved sending an online survey using the online platform (www.monkeysurvey.com). The survey was a self administered and only targets the certified internal auditors who uses the ERM system in the management of risks.

Data analysis and presentation

The data collected were thoroughly checked to ensure appropriate editing is done for accuracy and completeness. The edited data will be ready for software analysis. The analysis used statistical package for social Scientist (SPSS) version 20.0 for Windows. This assisted with the analysis to obtain inferential and descriptive statistics, which includes the standard deviations, medians, and the mean. Correlation between various independent variables and dependent variable were done based on the Pearson square at alpha 0.05 to assess any statistical significance.

Discussions and conclusions

Our finding reveals that the internal auditors are involved in the implementation of ERM. However, the level of involvement determines their willingness to reporting the risk procedure breakdown to their auditing committee as opposed to scenarios when they are less involved. The assessment of the role of internal auditors in the ERM indicate that the means score of those implementing the framework (high involvement group) in their daily work is higher (3.8) than the contrary (low involvement group) (1.1). However, the study unravels that weak association with the audit committee may lower their involvement with the ERM platform as opposed to situations of strong association. These findings indicate strong evidence that internal auditors have a role in enterprise risk management and that their levels of involvement determines the success of the platform. Four core roles had the highest involvement from majority of the internal auditors. These include assurance that risks were evaluated correctly (3.4) or that appropriate methods were followed (3.2). Besides, they evaluate processes involved in undertaking risk management (3.6) and the evaluation of risk reports (3.35). The involvement of internal auditors in these roles illustrates that internal auditors have a role in enterprise risk management to establish acceptable risks profiles for the organization. Besides, it indicates that they play an assurance and consulting services concerning the enterprise risk management, which subscribes with the previous study Gramling and Myers, (2006). The survey establishes that the internal auditor has role in regards to facilitating identification and evaluation of risks in an organization because they are involved in setting up the risk appetite of the organization.