| dc.description.abstract | The recent adoption of Enterprise-wide Risk Management (ERM) by organizations has resulted into the involvement of all the organizations departments in the risk management process thus requiring a change in the operations mode for each department(the internal audit function included) to factor in the new role. Since in Kenya, the ERM concept and the changing role of the internal audit function in the whole process is still at its infancy and not fully implemented/appreciated by most organizations, this study set out principally to survey the role of internal auditors in Enterprise-wide Risk Management (ERM) for quoted industrial and allied sector companies in Kenya. As a prelude the general demographics of the internal audit departments (IADs) and risk management departments (RMDs) was surveyed. To achieve the objective set, a survey involving all the internal audit departments of the sampled companies was conducted, data analysis was done, and with a response rate of 65%, it was concluded that the outcome of the study fairly represented the Kenyan industrial and allied sector internal auditors understanding of their role in risk management.
From the findings, the study concludes firstly that; Kenya‘s industrial and allied sector companies are yet to adopt ERM and the internal auditor is doing the bulk of the ERM work instead of all the stakeholders being involved in risk management. This conclusion was informed by the study‘s finding that while majority of the internal auditors of the responding companies were well aware of their core roles in risk management as evidenced by the high ratings given to the core internal auditors roles as identified by IIA (2003), the internal auditors were expending too much time on roles which they should go slow on (legitimate roles) as identified by IIA (2003) due to the lack of RMDs in their companies. Further though no respondents ranked the inappropriate roles that should not be performed by the internal auditor as core roles, these roles have been mistakenly promoted to legitimate roles and are consuming a considerable chunk of the internal auditor‘s time.
x
The second conclusion from the study is that, though majority of the internal auditors are competent, their qualifications are business biased with very few having technical and IT qualifications casting doubts as to their effectiveness in conducting operations audits. Only 36% of the companies had information systems experts working in their internal audit departments bringing it doubt their level of effectiveness in the conduct of information systems (IS) audits to mitigate the enormous risk that come with computerized systems.
Lastly from the analysis of responses on internal audit and risk management departments size, the study concludes that, despite the large sizes of Kenya‘s industrial & allied sector companies, the average internal audit department consists of 5 people since the same internal auditor is expected to perform financial, information systems and technical audits at all the organizations locations with no resident internal auditors at the locations/branches. In addition to this, though the IADs in the sector are relatively mature only a paltry number has established a risk management department to coordinate the ERM efforts leaving the internal auditors to be responsible for the organizations risk management.
From the conclusions, the study goes on to recommend that players in Kenya‘s industrial & allied sector should speed up the implementation of ERM and ensure all stakeholders are involved in risk management to relieve the internal auditor of the legitimate and inappropriate roles they are currently playing and let them concentrate on their core roles for the success of their organizations and the human resources departments of the various companies in the sector should advice management on the need to increase the pool of internal auditors skills and recruit at least one internal auditor with industry related technical and IT qualifications to improve the effectiveness of operations and IS audits. | en |
