Acta Universitatis Danubius. Œconomica, Vol 13, No 5 (2017)

The Role of Internal Audit in Risk Management– Evidence from Private Sector of Kosovo

Hysen Ismajli¹, Mimoza Guda Ferati², Agon Ferati³

Abstract: The aim of this study is to examine the role of internal audit function in risk management and challenges that influence its function in private companies in Kosovo. The method chosen for the research is based on structured questionnaire survey sent to all head of internal audit of top 21 largest private companies in Kosovo and conducted several interviews with them. Based on responses received, the role of internal auditor in the risk management is perceived to be very important, but first there are many activities within the company which must be improved to have fully functional audit department. Further, results show that internal auditors understand the concept of risk management but restricted access from business owners to core and confidential information, inexperienced internal audit staff, insufficient funds allocated to develop internal audit department, and lack of management interest are barriers that leads to improper performance of internal audit in risk management and non-functional internal audit. As the role of internal audit in the private sector in Kosovo has been very rarely empirically examined, this study attempts to contribute to future studies that relate to a very important issue such as risk management.

Keywords: Internal auditing; private companies; risk management

JEL Classification: M40; M42

1. Introduction

A properly organized internal audit function can play a very important role in the company, by assessing the system of internal controls, effectiveness of key controls, governance and risk management processes. In today’s world as processes and operations have become more complex and new risks emerged, companies are now paying more attention to risk management. Developing an effective risk management program is timely and costly for the private sector considering that Kosovo is a developing country.

The internal audit function requires the organizational independence, unlimited access to information, sufficient funds, skilled personnel, management support and implementation of professional auditing standards. Therefore, the aim of this study is to examine empirically the role and challenges of the internal audit function in risk management in private sector in Kosovo and the factors that affect its function. The paper is composed of four parts:

The first part, summarises the theory behind the overall development of internal audit in the private sector.

The second part, describes the process of data collection and research methods used in the investigation.

The third part, offers empirical analysis and discussion of the results of the questionnaire, and

The fourth part, provides recommendations and conclusions.

2. Theory Behind the Internal Audit in Private Sector

Since the 2008 world financial crisis, regulatory and economic pressures are forcing organizations to do a more thorough job when conducting enterprise wide risk assessments, and increase effectiveness of risk mitigation efforts, and focus on a more comprehensive approach to risk management (The IIARF White Paper, 2011).

In today’s fast pacing world, processes and operations are more complex and challenging as new risks are evolving. Companies are trying to give more consideration to risk management, but implementation of an effective risk management approach takes time and is costly. In companies without an effective risk management function, internal audit department has been required to undertake their own risk assessments, and in many cases they have done their own assessments as a check on risk management or to ensure their independence. Moreover, according to the IIA Professional Practices Standards (Broadleaf, 2014), audit unit should also audit the risk management framework, to provide assurance to owners regarding the suitability and effectiveness. Furthermore, the IIA's International Standards define a risk as 'the possibility of an event occurring that will have an impact on the achievement of objectives'.

The role of internal audit involves three main elements: assessing and improving risk management, assessing the system of internal controls and governance processes in the company. These elements include policies and procedures to ensure proper risk assessment and compliance with applicable laws and regulations.

The main role of internal audit in risk management is assessing and monitoring risks that company faces, and providing recommendations for appropriate risk mitigation controls.

3. Data Collection and Research Methods Used

The below survey data provides a real picture of internal auditing role in risk management. Real value comes from data analysis and perspectives on how this should affect the internal audit function.

3.1. Research Objectives

The key objective of the research was to gather information on current practices in risk management in private sector in Kosovo, to provide a basis for Kosovo entities and to identify opportunities for improvement. This research is also intended to help the companies to address some of the main problems on implementing a risk management process.

3.2. Survey Participants

A major portion of the data for this research report came from a printed survey sent to 23 companies. This survey was completed by 21 participants from various companies who were either heads of audit department or senior executives in the internal audit function.

3.3. Methodology

The survey was sent to largest companies in the private sector in Kosovo. After receiving the survey responses, we analyzed the results and held face to face interviews with selected heads of internal audit to obtain a practical perspective on various topics covered in the survey.

The analysis and results are presented under the following sections in the third section.

4. Empirical Analysis and Discussion of the Results of the Questionnaire

The below survey data provides a real picture of internal auditing role in risk management. Real value comes from data analysis and perspectives on how this should affect the activities of internal audit department within a company.

Figure 1. Number of Internal Auditors in company

Source: Contribution made by the author

In each company, internal audit work was carried out by 1-2 auditors. The lack of personnel in the field of internal audit is due to lack of knowledge about the importance of the internal audit as well as the fact that most businesses in our country are family businesses where management is not separate from ownership.

Figure 2. Activities of Internal Audit Plan

Source: Contribution made by the author

To understand “What are internal auditors asked to do?”, first it is important to understand the direction that is being provided by the owners of the company or management. From the perspective of the internal audit department, from all respondents of total companies surveyed, 70% declared that Financial Reporting to KCFR is the main activity, following with audit of projects as a second activity with 19%. As third important activity was declared risk assessment with 9% and the last activity, almost not important was audit of IMS with only 2%. From responses received, we can conclude that risk assessment is less important as per management thoughts.

PART A. Control models

Respondents were asked, “How much do you agree or disagree regarding control models into the company’s risk management processes?” The answers were quite surprising:

Table 1. Control models (5-Strongly agree ;4-Agree; 3-Netrual ; 2- Disagree ; 1- Strongly disagree )

Source: Contribution made by the author

PART B. Practices for risk assessment and risk based audit

Figure 3. Risk assessment process in the company

Source: Contribution made by the author

Over 73% of the analysed companies responded that their companies do not perform activities specific to the risk management process, 18.5% responded that their companies already have started; and the remaining 8% responded that they are in the process of implementing such practices. Considering the above responses, we can conclude that companies in Kosovo have not yet understood the importance of risk management. Further, we were interested to know by whom was the risk assessment performed in the companies surveyed and the answers to this question were as follow:

Table 2.Risk assessment is the company

Source: Contribution made by the author

As we can see from the responses received, in more than 70% of the companies surveyed, the risk assessment is carried by external consultants in collaboration with internal auditors and management while in only 23% of the companies surveyed this process is carried out by internal auditors. In conclusion, this makes us believe that not enough trust and competence is given to internal auditors in risk assessment.

Figure 4. Areas of implementation of risk assessment activities

Source: Contribution made by the author

Regarding the scope of the risk assessment, over 80% of activities taken by internal audit in all companies surveyed are related to other than finance, production and IT.

Table 3. Preparation of internal audit plan

Source: Contribution made by the author

Based on the results obtained, in 78% of the companies surveyed management has a huge impact in preparing the audit plan based on their recommendations and views of what is important and what internal auditors should cover, while only 22% of the audit plan is based on risk-based approach.

Table 4. Risk factors to consider during audit planning based on risk

Source: Contribution made by the author

Even though a small part of the companies embark on a risk-based internal audit plan, even those companies do not consider the most important risk factors at the appropriate level.

5. Conclusion

We have observed the role of internal auditing in risk management in the Kosovo's private companies and have noticed that private sector activities are becoming more complex due to the emerging risks they are faced with in daily basis. Companies that provide risk management have increased their attention, but implementing effective risk management requires knowledge, effort, and time.

Risk is inherent doing business, and businesses grow and thrive by fully understanding their risks and assuming acceptable levels of those risks. But it is the effective identification, assessment, management, monitoring, and reporting of such risks that allow businesses to know that their response should be to a given risk. Organizations are incorporating lessons learned in recent years into formal risk governance processes. By sizing and resourcing the internal audit function to fit its needs, and focusing its resources as part of an overall approach to enhanced risk governance, a company can maximize its ability to leverage risks that will create value and effectively manage risks that can decrease value (Clifton, 2013).

As almost all large private companies in Kosovo are family businesses and their impact on the activities and decision making of the company is very large, it is difficult for an internal audit department to operate in the right manner giving it great importance to risk management.

Having analyzed all responses received from the head of internal audit of largest Kosovo private companies, makes us understand that trust in internal audit is not yet in the right level.

To implement an effective risk management, owners of all private companies should fulfill the below recommendations:

• Increase leader’s awareness about the role of the internal auditor and the importance of its recommendations;

• Review the internal controls and procedures, as this process is unavoidable in all companies to ensure that risk management is effective; and

• Prepare and implement policies and procedures for all company processes.

6. Bibliography

Cosserat, G. (2008). Modern Auditing.Chichester.UK: John Wiley & Son, Inc. 2^nd Edition.

Mebratu, Agumas Alamirew (2015). Internal audit function and its challenges in public sector governance: Empirical evidence from Amhara National Regional State. Ethiopia, AshEse Journal of Economics ,Vol. 1(1), pp. 001-012.

Allegrini, M. & D'Onza, G. (2003). Internal Auditing and Risk Assessment in Large Italian Companies: an Empirical Survey. International Journal of Auditing, Vol. 7 No. 3, pp. 191-208.

Dessalegn, Getie Mihret & Khan, Ashfaq Ahmad (2013). The role of internal auditing in risk management. Seventh Asia Pacific Interdisciplinary Research in Accounting Conference, Kobe 26-28 July, 2013.

Gherai, Dana Simona & Balaciu, Diana Elisabeta (2013). Role of internal auditing in risk management in the public sector and local entities – case study bihor county. The annals of the University of Oradea, Economic Sciences,TOM XXII. 1st issue.

*** Relationship between internal audit and risk management. Online available: http://broadleaf.com.au/resource-material/relationship-between-internal-audit-and-risk-management. Accessed 20 April 2017

*** Risk Management. Online available: https://www.iia.org.uk/resources/risk-management/. Accessed 02 May 2017.

*** The IIARF White Paper/March 2011. Online available: http://www.oracle.com/us/solutions/corporate-governance/ia-role-in-rm-345774.pdf. Accessed 28 May 2017.

The Role of Internal Audit in Risk Governance. Online available: http://www.claconnect.com/-/media/files/white-papers/theroleofinternalauditinriskgovernancecliftonlarsonallen.pdf, Accessed 17 April 2017.

Refbacks

• There are currently no refbacks.