(c) South Africa Institute of Chartered Accountants. Contact SAICA for permission to reproduce this article.

Using Internal Audit to Manage Risk

By Arlington Nchoe

Global economic fragility and concurrent changes in the market economy in recent years have necessitated an equally revolutionary change in the manner in which the internal audit is approached as a key corporate discipline. Significant changes to how the risk profiles of organisations are viewed bring with them certain demands that traditional auditing approaches and systems are not equipped to address.

The strategic positioning of the internal audit function in most organisations indicates the high degree of importance ascribed to this function. While the strategic positioning and reporting structure requirements for the internal audit function are being addressed, the question remains: does the internal audit authentically address the risk exposures of the organisation, or does it merely ‘mark the homework’ and complete a ‘fail or pass’ report?

Revolutionising the Internal Audit

A revolution is defined as a fundamental change in power or organisational structures that takes place in a relatively short period of time, often without notice. Internal audit functions and internal audit practitioners need to respond swiftly to the current changes. There is a pressing need for organisations to introduce robust preventative mechanisms to guard against potential corporate collapses.

The modern internal audit function has to respond by refocusing its people, systems and processes. The revolutionary internal auditor adapts to the changes by adopting a risk-centric mindset. The burning question that should always be at the back of our minds as internal auditors is: ‘What could go wrong?’

The Known Knowns, the Known Unknowns and the Unknown Unknowns

There is a necessary relationship between controls and risk, and I have no intention of presenting these two aspects as the converse of each other. The need for controls is driven by the risk exposure of an organisation.

In a press briefing in February 2002, Donald Rumsfeld, the former US Secretary of Defence, made this statement:

“There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don’t know. But there are also unknown unknowns – there are things we do not know we don’t know.”

Earlier in this article I mentioned the ‘homework marking’ approach to internal auditing, which is not well equipped to address the ‘unknown unknowns’. An example of this less than satisfactory approach is when an audit test is performed on the procurement process, during which certain attributes are tested. Subsequent to the test, a finding is raised regarding non-adherence to the delegation of authority requirements, e.g. an unauthorised official approved a procurement transaction.

A controls-focused or ‘homework marking’ approach will note this as a non-adherence and recommend that controls relating to delegation of authority need to be adhered to.

However, a risk-centric and more revolutionary internal audit approach will take this finding a few levels deeper to ask further questions – the answers to which will equip the internal auditor with the full facts of the observation and enable a practical and value-adding recommendation, based on:

  • What led to this non-adherence? (Root cause)
  • What could go wrong? (Impact)

The ‘known knowns’ and the ‘known unknowns’ pose little audit risk in the sense that the auditor is aware of their existence, or that symptoms exist.

It is the ‘unknown unknowns’ that should keep the internal auditor awake at night. These are risks we do not know and are unable to observe from visual evidence, or to detect through verbal evidence gained from our enquiries.

The product of revolutionary, risk-centric approaches will be internal audit reports that add value, offer practical recommendations for improvement and ensure that potential or actual breakdowns of controls do not recur due to the same causes.


There is an increasing need for the internal audit function to stretch beyond its traditional focus areas, given the new demands placed on organisations and the swiftly changing environments in which they operate. Leaders in the internal auditing profession need to show the way for internal audit practitioners to deliver an updated and value-added service. As practitioners, we must become proactive in further developing the internal audit profession and its growing relevance to a world becoming more exposed to unknown or systematic risks.

Arlington Nchoe CA(SA) is Senior Manager, SekelaXabiso.

This article was originally published in the November 2012 issue of ASA.