Nowadays, it is becoming increasingly difficult to ignore the concept of Internal Audit (IA) in the business world. Among the well-known definitions of IA is that of the Institute of Internal Auditors (IIA) (2009), which defined it as: "An independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." This definition embodies a complete view of IA with regard to "risk management, control and governance" (Leung et al., 2011). The Internal Audit Function (IAF) should thus not only examine the effectiveness but also aid in the improvement of the risk management process (Pickett, 2010).
1.1.2 A brief history of internal auditing in Mauritius
In Mauritius, recent developments in the field of IA have led to a renewed interest in this particular concept. In past decades, IA was seen "as a mechanism to double-check the thousands of financial transactions that were posted to the accounts each week" (Owusu, 2012). In contrast, today's IA facilitates the development of suitable controls as part of a wider risk strategy, and provides assurances on the reliability of these controls. In the present and future Mauritian business environment, the IAF can no longer retain the "traditional transaction-based role" (Pickett, 2003). However, this shows a need to react more quickly in today's global marketplace, where companies are trying to achieve their strategic goals. It is thus critical in identifying opportunities, risks and exposures that can determine success or failure.
Besides, PricewaterhouseCoopers (PwC) (2005) in Mauritius provides a range of IA services, from outsourcing and co-sourcing to Sarbanes-Oxley services and Quality Assurance Reviews, that go above traditional financial reporting to help IA realise its full strategic potential. It is worth noting that the role of IA is evolving because of economic conditions and new and emerging risks. These scenarios are creating a dynamic environment and a new opportunity for IA to demonstrate its worth in managing risk. In this fluid environment, many companies are struggling to handle or even to identify the complex risks they face.
1.2 Background of Research
In view of the compelling nature of the 2011 financial crisis, which has had a negative effect in Mauritius and many other countries across the globe, firms are being persuaded to do more in-depth work with a more holistic approach to risk management. As organisations struggle for success after the crisis, many are asking: "What is, and what should be, the role of internal auditing in risk management?"
Correspondingly, in the aftermath of corporate scandals and the global financial crisis, corporate governance has received huge attention from regulators and the public. The past decade has seen the rapid development of IA in risk management. Regulatory responses have focused on increasing disclosure requirements relating to corporate governance and this has, in turn, driven increased awareness and demand for internal assurance on corporate governance processes, especially internal control and risk management. Having a unique position within the organisation, the internal audit function (IAF) is well placed to provide this assurance and is an essential component of the corporate governance mosaic.
Accordingly, the role of IA has evolved considerably. Firstly, in the past IA focused on internal control, while today it emphasises business risk. Secondly, there is a change from an independent appraisal function towards integrated risk management. IA is also becoming a real management advisor while engaging in an objective and consulting activity.
1.3 Internal Audit and Risk Management
There is considerable interest in the research of IA and risk management. Risk management is, however, believed to be a key responsibility of management. It refers to the way in which an organisation analyses, exploits, finances, and monitors risks from all sources so as to add to the firm's short- and long-term value to its stakeholders.
Nevertheless, organisations are being pressurised to identify all the business risks they face, such as social, ethical and environmental as well as financial and operational risks. They need to explain how they reduce these risks to the minimum level. Meanwhile, firms have acknowledged that the growing involvement of IA in risk management is important. This is because IA has to verify the adequacy of the risk management process, that is, whether management has planned and designed it appropriately by ensuring that it provides reasonable assurance that the organisation's objectives will be achieved.
Despite IA's natural interest in risk management, there is debate as to their combination. Undoubtedly, internal auditors' varied roles and emphasis on risk management are dependent on the maturity of the risk management process in the firm. Accordingly, there is an urgent need for safeguards to be put in place to ensure that the entire company, especially internal auditors, fully understands management's responsibility towards risk management.
However, this has led to a new concept dealing with the improvement of the traditional concept, known as Enterprise Risk Management (ERM). Accordingly, the IA profession has become a key driver of ERM, which is defined by the Committee of Sponsoring Organisations (COSO) (2004) as: "a process, effected by an entity's board of directors, management, and other personnel; applied in a strategy setting and across the enterprise; designed to identify potential events that may affect the entity; and manage risk to be within its risk appetite to provide reasonable assurance regarding the achievement of entity objectives." This definition includes all aspects related to effective risk management.
1.4 Problem Statement
Indeed, many organisations exist to achieve their own specific goals and objectives. Unfortunately, goals are not always achieved as expected, because they have to be achieved in an environment of risk. Certainly, no entity operates in a risk-free environment, and risk management will not create such an environment. In this perspective, risk management is an area of paramount importance to a firm. Because every company is exposed to risks, effective risk management is necessary for the progression of a business entity. Risk management will, however, help management to operate more effectively in an environment filled with risk. A new approach to risk is now called ERM. However, part of dealing with risks involves the IAF, which exists to examine and report on risk exposures and the organisation's risk management efforts. Hence, a question that arises is whether IA is an important player in risk management.
Nevertheless, there is also a real danger of IA losing its independent status within organisations if it merges too much into risk management functions. There is also a great need to investigate how this involvement of IA in risk management can raise any threats to IA objectivity and independence.
1.5 Research Objectives
As a result, the main research objectives of this study are as follows:
To examine how the role of IA has changed in recent years, stressing its importance in organisations.
To critically analyse how IA regards itself as an important player in risk management within Mauritian companies, emphasising its significance.
To investigate how this involvement of internal auditors in risk management can raise any threats to internal auditors' objectivity and independence.
To determine the extent to which ERM is implemented and used in the entities of Mauritius, as well as to analyse the different roles that IA can or cannot undertake in relation to risk management.
This project is structured as follows: the next section reviews the literature, which further develops our research methodology. This is followed by the section that analyses the research findings, and finally comes the conclusion and recommendations section.