A survey of internal Auditors risk management practices in the banking industry in Kenya
Wanyoike, Charles Kibara
Internal audit departments (IAD) have played a major role in their organizations’ enterprise risk management (ERM) activities since the birth of internal audit. A paradigm shift is, however, being witnessed, as most institutions are now establishing risk management departments (RMD) to drive the ERM process, while internal audit departments are now being required to act as referees in the whole ERM process. This study sought to establish banking internal auditors’ perception of their distinct role in the bank-wide ERM process, and whether there is any conflict between internal audit and the risk management departments being established to take over the ERM process. Bank internal auditors’ risk assessment practices in Kenya were also probed. To achieve the objectives set, a survey involving all heads of internal audit departments in the banking industry in Kenya was conducted. Data analysis was done, and with a response rate of 52%, it was concluded that the outcome of the study fairly represented the banking industry internal auditors’ practices and perception of risk management. The findings indicated that seven banks out of twenty-one (33%) had not established a separate risk management department. It also emerged that only 14% of the internal auditors could clearly list the distinct roles of IAD and those of RMD. For institutions with both departments, a conflict was already brewing between IAD and RMD in 29% of the institutions. The conflict centered mainly on lack of clarity on the distinct roles to be played by those two departments in the whole ERM process. The ideal core roles of the internal audit department in the risk management process, as identified in the literature review, are: giving assurance on risk management processes, giving assurance that risks are evaluated correctly, evaluating the risk management processes, evaluating the reporting of key risks and, finally, reviewing the management of key risks.
The roles of the risk management department, in summary, include creating or recommending enterprise-wide risk policies and procedures, and developing and implementing a methodology for measuring risks across the institution in a consistent and uniform manner. To reduce the conflict noted in the study between the two departments, the two departments’ distinct roles should be agreed upon and documented in the form of an approved board charter. RMD should take charge of the whole ERM process, while the IAD should only act as a referee, assuring the board and the management that the ERM process is on course. The study found that most banks in Kenya were in the process of drafting the ERM process and strategies. This was consistent with developments all over the world as noted by Greuning (2003), who asserted that organizations were at different stages of implementing the ERM process. On internal auditors’ risk assessment, it emerged that the practice by internal auditors was quite varied. This was attributed to the fact that risk management is an emerging discipline whose concepts and philosophy have not been fully appreciated by all the stakeholders in the banking industry, including internal auditors. The study recommends that more workshops and seminars facilitated by the industry regulator, Central Bank of Kenya (CBK), and Kenya Bankers Association (KBA) would go a long way in ensuring that the risk management strategy is understood by all stakeholders, including internal auditors.