Methods Of Data Presentation And Analysis

Published Date: 02 Nov 2017

Introduction

This chapter discusses an overview of the research methodology adopted in conducting the research on the analysis of the role of the Internal Audit function in enhancing Enterprise-wide Risk Management. The research design, sampling procedures, data sources and data collection methods and research instruments are discussed. Lastly an outline is given of the methods of data analysis and presentation employed to meet the objectives of the research.

Research Design

This research is a survey of Enterprise-wide Risk Management, with the key emphasis on the role played by the Internal Audit function in enhancing enterprise wide risk management. A descriptive survey design was used in carrying out this research as it was deemed to be the most appropriate.

A descriptive survey design is suited to collect data for describing a population too large to observe directly and hence was selected for this research mainly because it did not require the researcher to physically get into contact with all the subjects in order to collect data. The descriptive research method also enables an assessment and measurement of attitudes within a large population and this assessment was achieved through the use of questionnaires and open and closed interviews research tools.

The research method had a mixture of both qualitative and quantitative criteria since it sought to analyse and interpret qualitative data using quantitative techniques of data processing and interpretation. This design facilitated the gathering of information to meet the research questions as it proved cost effective with only a small group of people selected to represent the population and enabled the researcher to reach respondents who were far from the researcher.

The researcher employed the non-probability techniques of convenient sampling and judgemental sampling. The researcher exercised judgement to include elements that are presumed to be typical of a given population about which information is sought. With judgmental sampling, the researcher uses his own personal judgment to identify the sample units while under convenient sampling technique; the researcher identifies the units that are most likely to give him information based on convenience.

This research involved a sample of 20 respondents and comprised of institutions from the banking sector, tertiary education, insurance industry, tourism sector, construction industry and mining sector.

Population and Sampling

Jankowicz (2000) defined a population as a full set of cases from which a sample is taken. The research population is all listed firms in Zimbabwe and all institutions with an Internal Audit function. It comprised of Internal Auditors, Risk Managers, Ernst & Young advisors and other key individuals in the management function.

The types of institutions covered in the population are as follows: an audit firm, banks, private companies and Zimbabwe Stock Exchange (ZSE) listed entities. A sample size of 20 participants was chosen.

Table 3.1 shows the sample composition.

Table 3.1 Study sample for institutions

DESCRIPTION

NUMBER OF STUDY SUBJECTS

10 Public Limited Companies

10

7 Private Limited Companies

7

1 Non- Governmental Organization

1

1 Tertiary Institution

1

1 Audit Firm

1

TOTAL

20

Table 3.1 shows how the sample has 10 public listed companies’ respondents, 7 private limited companies’ respondents, 1 Non-governmental respondent, 1 tertiary institution respondent and 1 audit firm respondent.

Data Collection Methods

The data was collected from both primary and secondary sources. Primary data was collected through questionnaires and interviews.

Questionnaires

A questionnaire presents questions in writing to the respondents and requires a written down response targeting information as per the research question. The questionnaire contained a majority of closed questions as well as some open questions and was addressed to Internal Auditors and risk management staff of institutions selected within the sample. Internal Auditors and managers were the selected respondents of choice as they are the individuals responsible for Internal Audit and risk management respectively, with Internal Auditors being in charge of identifying, evaluating, examining, reporting and recommending improvements on the adequacy and effectiveness of management's risk processes and managers are responsible for risk management. All respondents completed the questionnaire in Appendix I Subsequently the researcher conducted interviews with the respondents for further information and clarification of questionnaire responses.

Advantages

Questionnaires are easy to analyze as each respondent receives a standard set of questions which assists researcher in interpreting the responses. Questionnaires are confidential and anonymous. Questionnaires are familiar to most people and thus can be completed without apprehension

Challenges

While questionnaires can address a large number of issues and questions of concern in a relatively efficient way, the researcher might not get careful feedback as wording can bias respondent’s response.

Gestures and other visual cues are not available with written questionnaires and the lack of personal contact will have different effects depending on the type of information being requested.

Questionnaires cannot be long or complex as this puts off the respondents leading to low response rates even though they are cheaper to use.

Interviews

An interview is a one-on-one directed conversation with an individual using a series of questions designed to elicit extended responses (IAR, 2011). This method allows probing for greater depth or explanation to simple yes or no questions or fixed-response questions. The interviews were chosen as they gave depth to the data collected from questionnaires.

Advantages

This approach was chosen as it provides more interaction between the interviewer and respondent. This helped to explain specific issues and problems in considerable detail as well as exploring any complex issues arising. In addition in face-to-face interviews, interviewees were allowed and encouraged to comment freely, express their own views and make any relevant suggestions.

Challenges

Some respondents may withhold some important information for fear of breaching their confidentiality agreements. This challenge however, can be overcome by creating an environment of trust by disclosing the purpose of the study and assuring interviewee that the information obtained will be used solely for the purpose of the research

Another significant challenge is adherence to the times convenient to the interviewee. The result is interviews become time consuming to carry out.

Interviews will be conducted with interviewees who are the same respondents filling in questionnaires so as to illicit in depth responses on questions that cannot be answered in depth in a questionnaire.

Instrumentation

The research employed self-administered questionnaires as research instruments and interview schedules.

3.5.1 Questionnaire

A pilot survey was conducted using the structured questionnaire covering the objectives of the research. A Pre-testing exercise was carried out to establish the usability of the questionnaire using three participants from Ernst & Young as test users. This enabled the researcher to remove certain questions which were misleading and mistakes that had potential to cause great changes in meaning and interpretation. After reviewing the questionnaire, all areas of concern were discussed with the test users to ensure suitability and reliability of the questions. The questionnaire in this case was modified taking into account adequate wording, consistent meaning to all respondents and validity as shown in Appendix I.

The sample group was initially contacted by telephone to establish if they would be interested in responding to the questionnaire and then subsequent face-to-face interview before dispatching the questionnaires. Some of the questionnaires were then dispatched via email and their responses were also received by email, in the other cases the researcher dispatched and collected completed printed copies.

3.5.2 Interview Schedule

The interview schedule used to collect in-depth data on Internal audit’s role in enhancing Enterprise-wide risk management is shown in Appendix II. The face-to-face interviews were used to illicit detailed responses on questions posed in the questionnaire that did not allow for non-standardised answers beyond a yes/no or positive/negative response.

Methods of Data Presentation and Analysis

The questionnaires were scrutinized to ensure completion and accuracy. All the responses gathered from respondents were classified, analyzed and interpreted according to their meaning. Both the frequencies and percentages of respondents helped in identifying the key issues in enterprise wide risk management. The data was analyzed in the form of bar graphs, tables and pie charts generated in an excel spreadsheet application.

Conclusion

This chapter discussed the research methodology that was used to answer the research questions. It outlined the interview and questionnaire techniques used to collect, present, synthesize and analyze the data.

CHAPTER IV

PRESENTATION, ANALYSIS AND DISCUSSION OF RESULTS

4.1 Introduction

In this chapter the researcher focuses on data presentation and analysis. The collected data is analysed using tables, pie charts and bar graphs. The chapter presents and analyses data obtained from questionnaires and interviews which are used in the study. This is conducted in light of the research questions stated in chapter 1.

This chapter provides an evaluation of the primary and secondary data gathered with a view to analyse the role of the Internal Audit function in enhancing Enterprise-wide Risk Management. A questionnaire was designed to suit the Internal Audit department and risk management department respondents so as to clearly bring out the roles of Internal Audit in enhancing ERM and the benefits of enhanced ERM on an enterprise by getting both these parties’ views.

The questions were presented in such a manner that the intended results are obtained equally from both Internal Auditors and risk managers. Data collected through interviews were meant to provide the missing link on the data collected through questionnaires. In the analysis of results, the results of questionnaires are firstly analyzed noting the Internal Audit function’s perception of its role in enhancing ERM and then risk management’s perception of Internal Audit’s role in enhancing ERM is analysed. The effects of Internal Audit within ERM are then discussed. The prescriptions on how ERM can be made more effective through Internal Audit facilitated enhancement are then analyzed from both the Internal Auditors’ and risk managers’ points of view. Finally, the major findings of the study are summarised.

4.2 Background Information on Respondents

A questionnaire was used to collect primary data from the respondents. A sample of 20 organisations was randomly selected. At each organisation a questionnaire was given to the Risk Manager or a Risk department representative and Internal Audit manager or an Internal Audit department representative.

Table 4.1 – Response Rate

Description

Number of study subjects

Number of responses received

Percentage response (%)

Risk Managers

8

7

87.5%

Internal Auditors

12

10

83.3%

TOTAL

20

17

85%

Source: Processed data from distributed questionnaires

As depicted above in Table 4.1, from the twenty (20) questionnaires distributed, seventeen (17) were responded to, which gives a response rate of 85% from all participants. Two questionnaires were not reasonably completed which rendered them unworthy for the purpose of carrying out this research and one Risk manager did not return a questionnaire.

Table 4.1 shows a response rate of 85%. This was considered reliable according to Hart (1998) who indicates that 70% is the minimum acceptable questionnaire response rate for research findings to be considered valid and reliable. This response rate suggest that the current study therefore has a reliable and valid response rate.

4.2.1 Evaluation of the Sample

By the nature of this research, there is minimum direct implication of gender and education on the role of the Internal Audit function in enhancing Enterprise-wide Risk Management and vice versa, however the questionnaire contained a section on characteristics of the sample population in order to obtain a baseline understanding of the sample characteristics.

4.2.1.1 Gender of Respondents

The nature of the sample in terms of gender was as indicated in Table 4.2 below

Table 4.2: Gender of Respondents

Gender

Number of Respondents

Female

8

Male

9

Total

17

Source: Processed data from distributed questionnaires

Table 4.2 shows that approximately 53% of the respondents were male, while 47%, were female. Analysis of responses from the respondents did not reflect any inclination based on gender.

This appears to suggest that the roles played by the Internal Auditor in enhancing ERM is not affected by one’s gender.

4.2.1.2 Level of Education of Respondents

Figure 4.1 presents the nature of the sample in terms of level of education was as indicated in the following graph:

Figure 4.1- Highest Level of Education of Respondents

Source: Processed data from distributed questionnaires

Figure 4.1 indicated that approximately 29% of the respondents had a highest level of education of a postgraduate degree. Interesting to note was that no respondent had a level of education lower than a degree with 0% having a diploma as their highest educational qualification while the 71% majority of the sample had an under-graduate degree as their highest level of education.

These results indicate a very academically sound base for the sample respondents who possess adequate educational backgrounds and qualifications to understand the purpose of the research and accurately complete questionnaires.

4.3 Findings and Discussions

4.3.1 The Existence of Enterprise-wide Risk Management in Organisations

The first question asked was if the organisation had a documented Enterprise-wide risk management policy to determine if the organisation had a defined risk management approach documented in an Enterprise-wide Risk Management policy.

Figure 4.2: Enterprise-Wide Risk Management Policy

Source: Processed data from questionnaires

Figure 4.2 reflected that a majority of respondents’ organisations of 40% had fully implemented Enterprise-wide Risk Management policies, 35% were in the process of implementing the policy. A minority of 5% did not have a documented policy and where not considering producing one however 20% of respondents’ organisations without a documented policy had the issue under consideration. These results show that there is a definite move towards implementing ERM which illustrates what (Frigo and Anderson, 2011) describe as organizational focus on developing Enterprise-wide Risk Management strategies that enable the business to be competitive.

From interviews it was found that respondents in organisation without ERM policies or in the process of implementing ERM felt that there first needed to be a company-specific operational framework in place for which the ERM policy could ease into. A challenge highlighted was data integration as many respondents felt Integrating ERM data into a meaningful document for all parties required a specialised skill set that is often not available internally within the enterprise.

These findings appear to suggest that while there is a definite move towards ERM in organisations, there is s need for Internal audit to champion the need for ERM and assist in its implementation.

4.3.1.2 The Existence of Enterprise-wide Risk Management in Organisations

To ascertain if the risk management policy was indeed an Enterprise-wide Risk Management policy, the researcher sought to discover the main method of communicating the ERM policy throughout the organisation.

Figure 4.3 below presents the level of policy distribution within the entity:

Figure 4.3: Methods of ERM Policy Communication

Source: Processed data from questionnaires

Responses in Figure 4.3 indicated that the broadest methods of distribution where the most applied in promulgation of the ERM policy with 35.29% placing the policy on the intranet, 23.53% through meetings conferences and entity wide distribution of the document/manual. 17.65% communicated the policy through training courses and workshops while the remaining 5.88% employed means of the annual report.

In interviews when asked to explain the reasons why certain media where chosen as a means of communicating the policy, respondents most commonly responded that the aim was ease and comprehensiveness of distribution. A challenge highlighted however, pertaining to this question was that even when ERM policy was readily available few employees outside the Internal Audit function and risk department ever actually consult it as they do not fully understand that their individual input plays a part in making ERM a success.

This appears to suggest that organisations are using the best methods within their means to promulgate ERM policy. However, the Internal audit function has a part to play in educating employees outside of the Internal audit and risk specialisations as to the value of the ERM policy in their day to day business.

4.3.1.3 The Accountability of Enterprise-wide Risk Management in Organisations

The researcher sought to determine the credibility of ERM within an organisation by establishing if ERM processes were subject to audit or other quality assurance mechanisms. Figure 4.4 presents the levels of accountability discovered.

Figure 4.4: ERM Accountability

Source: Processed data from questionnaires

Figure 4.4 illustrates that ERM processes do not occur in isolation or in a bubble with no checks and balances. The Internal Audit function featured as a quality assurance mechanism with 35% of respondents indicating that ERM was solely accountable to Internal Audit, 41% to both internal and external audit. 24% indicated that they were subject to other party quality assurance mechanisms and the remaining 6% subject to External audit quality assurance only.

Respondents felt that accountability to another party was good as with all processes, validation of their endeavours by other parties made ERM more credible both within the entire organisation and externally too. This data appears to suggest that ERM processes would be considered credible as they are subject to audit or other quality assurance mechanisms.

4.3.2 To investigate the impact of Internal Audit on Enterprise-wide Risk Management.

The researcher sought to discover if Internal audit has a positive effect on ERM. Data collected to determine this is depicted in figure 4.5 below:

Figure 4.5: The impact of Internal Audit on ERM

Source: Processed data from questionnaires

Figure 4.5 illustrates that 94.12% of respondents felt Internal Audit had a positive impact on the implementation of Enterprise-wide Risk Management while 5.88% felt that the impact was negative.

The majority of interviewees felt Internal Audit had a positive effect as it made ERM more efficient by assuring it was working well as well as being consulted on any gray areas. One interviewee, however mentioned that the impact was not positive as a result of the Internal Audit role within his organisation not being clearly defined resulting in Internal Audit having a low capacity to impact ERM policy within the firm. This appears to suggest that Internal audit has a positive effect on the implementation of ERM however Internal Audit should ideally have a defined role within ERM

4.3.3 To determine the roles of the Internal Audit function in Enterprise-wide Risk Management.

Figure 4.6: Roles performed by Internal Audit

Source: Processed data from questionnaires

Figure 4.6 above illustrates that 40% of roles performed are assurance roles. 32% are Consulting roles and 28% are Prohibitive roles as stated by Institute of Internal Auditors in 2004. These results are consistent with the Gramling and Myers study in 2006 which found that Internal Auditors performed more assurance roles in ERM than any other role. In this study however it is however a cause of concern that such a notable percentage equating to almost a third of respondents are performing prohibitive roles that potentially hinder their objectivity and independence status.

Interviewees noted that assurance roles which comprise of giving assurance on risk management processes, giving assurance that risks are correctly evaluated, evaluating risk management processes, evaluating the reporting of risks and reviewing the management of key risks where not a challenge to perform in an organisation with a ‘risk culture’(the drive to act on risk ). This was also the case with consulting roles which comprise of facilitating identification and evaluation of risks, coaching management in responding to risks, coordinating ERM activities, championing establishment of ERM and maintaining and developing the ERM framework The prohibitive roles comprising of setting the risk appetite, imposing risk management processes, management assurance of risks, taking decisions on risk responses and implementing risk responses on management’s behaviour were carried out despite knowledge of IIA guidelines. One interviewee noted that this was as e result of the role of Internal Auditors not being communicated and understood throughout the organisation thereby resulting in the assumption that prohibitive duties are in the scope of the Internal Audit Function

4.3.4 To determine if Internal Auditors really perform tasks particular to ensuring proper implementation of the ERM and add value towards organizational success

The researcher sought to determine if Internal Auditors perform activities particular to ensuring proper implementation of the ERM and add value towards organizational success. The data concerning this is analysed in figure 4.7 below.

Figure 4.7: Activities performed by Internal audit in ERM

Source: Processed data from questionnaires

Figure 4.7 above indicates that 29.5% of respondents felt Evaluating Risk Management processes was a key activity, this was followed by Co-ordinating ERM activities and Giving assurance that risks are correctly evaluated at 23.53%. 17.64% felt that identification and evaluation of risks. This appears to suggest that evaluating risk management processes is a key activity for Internal Auditors

The researcher sought to determine which tasks Internal Auditors perform in ERM that add value towards organizational success. The data concerning this is analysed in figure 4.8 below.

Figure 4.8: Tasks carried out by Internal Audit in ERM

Source: Processed data from questionnaires

As depicted in figure 4.8 was to determine the extent to which Internal Audit participated in any of the roles prohibited by Institute of Internal Auditors ERM guidelines.

The questionnaires revealed that all respondents participated in some degree in roles they should not undertake. 23% participated in setting the risk appetite of the organization, 12% in imposing risk management processes, 24% offered management assurance on risks while 6% took decisions on risk responses. All respondents felt they were to some extent accountable for risk management.

Interviews highlighted that respondents participated in these prohibited roles as there was no clear boundary within ERM for their activities. The respondents were aware that the participation was prohibited but also faced with the reality that if they did not participate in these roles, progress for ERM could possibly stagnate.

This appears to suggest a problem with roles that Internal Audit seems to have no choice but to perform.

4.3.5 Effectiveness of the Internal Audit Function

The researcher sought to establish the effectiveness of the internal audit function in relation to ERM. The data concerning this is presented in figure 4.9 below.

Figure 4.9: Effectiveness of the Internal audit function

Source: Processed data from questionnaires

Figure 4.9 showed that most respondents making up 64.71% of the sample rated their organization’s Internal Audit function effective in relation to ERM. 17.64% felt that there was no room for improvement and rated it very effective. 11.76% of respondents were unsure while 5.88% felt it ineffective and no respondents felt the Internal Audit function was very ineffective.

4.3.6 Improvement of Internal Audit Function in relation to ERM

After determining the effectiveness of the Internal Audit function, the researcher sought to determine if there was a need for the Internal audit function to improve in relation to ERM. The data collected is presented below in figure 4.10.

Figure 4.10- Need for Internal Audit Improvement

Source: Processed data from questionnaires

Figure 4.10 depicts data obtained when respondents were questioned on their organization’s need for improvement of the Internal Audit function in relation to Enterprise wide risk management. The responses indicated that only 11.76% felt a need to make improvements within the next 12 months. 17.65% where less pressed for the need for change and the timeframe was within 12 to 24 months. 29.41% felt improvements would be necessary at some point but not within the next 24months. Finally the majority of 41.18% felt no pressing need for improvements at all.

4.3.6 To establish the effects and benefits of a robust ERM Framework on an entity

To determine the effects and benefits of a robust ERM Framework on an entity, the researcher sought to determine the Importance of effective ERM in the achievement of your organisation’s objectives. Figure 4.11 shows the results of data collected.

Figure 4.11: Importance of ERM

Source: Processed data from questionnaires

Figure 4.11 showed that 46% of respondents rated ERM as very important in achieving an organisation’s objectives, 39% felt it important while 15% where neutral and no respondents deeming it irrelevant.

Interviewees noted that ERM was essential and had gained prominence after the global financial crisis. It was mentioned that ERM’s unique ability to aggregately analyze risks is what placed it a notch above traditional risk management.

This appears to suggest that ERM is an essential component of organisational success.

4.3.7 Ability of Effective ERM to improve organizational performance

Figure 4.12: Ability of Effective ERM to improve organizational performance

Source: Processed data from questionnaires

A 47% majority of respondents agreed that effective ERM can improve organizational performance, 35% strongly agreed and 15% where neutral. No respondents disagreed or strongly disagreed.

This appears to suggest that effective ERM is an ideal tool to employ in improving organizational success.

4.3.8 To establish whether incorporating and embedding Enterprise-wide Risk Management into an enterprise’s plans and business strategy is the appropriate mechanism to assist management in successfully executing their management duties

Face to face interviews were conducted with respondents in order to establish whether incorporating and embedding Enterprise-wide Risk Management into an enterprise’s plans and business strategy is the appropriate mechanism to assist management in successfully executing their management duties revealed that this was indeed the case.

It was noted from comments given that:

Embedding Enterprise-wide Risk Management allows a better understanding of the risk management process.

It is more effective as the implementers of the policy are actively involved in the process and feel they make valuable contributions towards its success.

All managers play a part that is recognised in mitigating identified risks.

Enterprise-wide Risk Management emphasises an all encompassing approach that motivates staff to work together to mitigate and avoid risks with the goal of meeting objectives and thus ultimately propelling the organisation towards success.

The only challenge as highlighted by one interviewee was "Lack of clarity as to how to effectively embed ERM into business strategy in a practical manner."

Interviewees highlighted that the biggest challenge was the manner in which to integrate risk information and data throughout the entire organisation. One interviewee noted that while ERM was widely understood as important across the organisation, there remained a need to have Internal Audit Assist in creating ERM methodologies that have the flexibility to evolve and respond to the rapidly changing risks that are understood throughout the enterprise by the various component members of the enterprise.

Culture of the organisation was also mentioned as a factor to consider in embedding ERM as the organizational culture was guaranteed to have an impact on the subsequent implementation of the ERM.

4.4 Conclusion

In this chapter the researcher collated and analysed the data. The collected data was scanned and sifted to ensure that it was complete, accurate, consistent and relevant to the study. The data was then organised, categorized and summarised by use of tables, graphs and pie charts.

The major findings of the research are summarised below:

It was confirmed that the Internal Audit function plays roles that fall into 3 categories which are core, legitimate and prohibitive roles.

Internal Auditors are playing prohibitive roles and thus compromising their objectivity and independence toward the ultimate goal of ERM.

While Internal Audit function was overall rated as effective to very effective and not requiring immediate improvements in many circumstances.

ERM is not being implemented as per best practice and there is room for improvement for Internal Audit to enhance ERM within organisations as many organisations with an Internal Audit function were not fully utilising the function in relation to ERM as they were at various stages of implementation.

Internal Audit was found to be a valuable instrument in an organization’s ERM implementation function. It can play a role in enhancing Enterprise-wide Risk Management which was deduced to be largely beneficial to an organisation.

Robust ERM that is enhanced by Internal Audit leads to a better understanding of risks and controls thereby fostering an enterprise that is intelligent about risk and enhancing its ability to maximise rewards versus risks face.

ERM had a positive impact of enhancing management's ability to minimise operational surprises and unexpected losses. by identifying any potential events, risks and responses in advance so that risks are managed and can no longer potentially threaten the entity.

The next chapter will present summary of findings, conclusion and recommendations

CHAPTER V

SUMMARY OF FINDINGS, CONCLUSIONS AND RECOMMENDATIONS

5.1 Introduction

This chapter consists of three sections. These are the summary of findings, the conclusions and recommendations. The conclusions were made in light of the research objectives and the findings. Recommendations concerning the roles of the Internal Audit function in the implementation of ERM are then made.

The research sought to analyse the importance of the Internal Audit function in enhancing the implementation of Enterprise-wide Risk Management (ERM). It sought to investigate whether Internal Audit effectiveness could positively influence the implementation of Enterprise-wide Risk Management by considering what roles Internal Audit plays in enhancing it. This study aimed at presenting the situation of the Internal Auditing function in Enterprise-wide Risk Management in a Zimbabwean context.

5.2 Summary of Findings

The following research questions were answered:

What are the roles of the Internal Audit function in ERM?

What tasks do Internal Auditors perform in ERM that make valuable contributions towards organizational success?

What is the impact of Internal Audit on Enterprise-wide Risk Management?

What are the effects and benefits of a robust ERM Framework on an entity?

To what extent is incorporating and embedding Enterprise-wide Risk Management into an enterprise’s plans and business strategy an appropriate mechanism to assist management in successfully executing their management duties?

5.2.1 Roles of the Internal Audit Function in ERM

The findings of the study were that the roles played are in line with the recommendations outlined by the Institute of Internal Audit and that the Internal Audit function has a legitimate assurance role that is also the most prominent role. The findings also indicated that prohibitive roles played by Internal Audit in ERM were quite significant.

5.2.3 Tasks performed in ERM by Internal Auditors that make valuable contributions towards organizational success

Based on the findings, the tasks played by Internal Auditors make valuable contributions towards organisational success and the degree of the Internal Auditors’ roles in the ERM has the ability to improve ERM implementation.

5.2.4 The impact of Internal Audit on Enterprise-wide Risk Management

The findings highlighted how Internal Audit has a positive impact on ERM. Internal Audit which possesses the unique advantage of being involved in every area of an organization was found to be best placed to identify risks of concern to the organisation.

5.2.5 The effects and benefits of a robust ERM Framework on an entity

The findings showed that ERM allows entities to develop a comprehensive view of all types of risks in multiple business lines and departments enabling the entity to efficiently mitigate risks. Furthermore ERM had a positive impact of enhancing management's ability to minimise operational surprises and unexpected losses.

5.2.6 Incorporating and embedding Enterprise-wide Risk Management

Findings indicated that Incorporating and Embedding ERM can improve an organisation’s management’s ability to strategize effectively, think ahead, assess potential risks and evaluate opportunities and allocate capital and resources to mitigate risks or seize opportunities and thus perform their duties to their fullest potential while delivering results that maximise the value of the organisation.

5.3 Conclusion

Conclusions were drawn after consideration of the findings as follows:

Enterprises are aware that effective Internal Audit can enhance risk management and is the ideal vehicle for the creation of added value to the organisation. Through Internal Audit’s core assurance and safeguarded consulting roles, Internal Audit is well positioned to add significant value to the ERM process.

Internal Audit’s close relationship with executive and senior management and the audit committee makes it very easy for them to push ERM to the forefront and gather their support.

Tasks of particular importance played by the Internal Audit include co-ordinating ERM activities, facilitating identification and evaluation of risks, giving assurance that risks were correctly evaluated and evaluating risk management processes. These tasks focus on the risk more than ever, and this develops Enterprise-wide Risk Management implementation.

Internal Auditing has been given multiple roles in Enterprise-wide risk management process and acts as a provider of assurance as to the effectiveness of enterprise risk management process, risks and internal controlling, as well as acts as an advisor to consult the management so as to improve key business areas.

ERM is a good way to manage complex changes and if embedded in an entity’s business strategy has the ability to assist management in successfully executing their management duties and facilitating good corporate governance.

5.4 Recommendations

The research has shown that there is still room for internal audit to improve its ability to enhance ERM implementation. As such, the following recommendations are made:

The role, tasks and responsibilities of Internal Auditors should be communicated throughout the organisation

Internal Auditing, as a means of risk management, should assist enterprises in implementing the Enterprise-wide Risk Management by offering specialised knowledge for challenging areas such risk data integration across the entity .

Internal Audit should closely cooperate with the management of an enterprise, the Audit Committee and external auditors in terms of providing assurance and consulting activities to aid organisations as they attempt to implement and are in varying stages of ERM implementation.

Internal Audit could also assist in the creation of the overall risk model to employ in Enterprise-wide Risk Management for the organization as the Internal Audit function has access to vast amounts of information about all aspects of the entity and can organize it in a way that makes it comprehensible to all parties that will be involved in mitigating risk.

Organizations planning to implement ERM or in the process of implementing it, should take note to cultivate a risk culture that supports the business’ objectives which can be done through guidance from the Internal Audit function, enlisting specialist support from an ERM expert and training and workshops.

Internal Audit can engage in to speed up implementation ERM by carrying out of risk assessments that encourage top leadership to implement and suggesting an ERM organizational structure as Internal Audit can add significant value in advising on the most efficient risk management structure.

As Internal Audit is carrying out prohibitive roles, it is important for the Internal Audit function to make sure adequate safeguards are in place in the organizational structure to guarantee the Internal Auditors are not assuming prohibitive roles as if they themselves are management.

5.5 Recommendations for Future Studies

This study’s results revealed that the internal auditors performed 28 percent of the prohibitive roles. The involvement of internal auditors in these roles has potential to affect their independence and objectivity. Further study could investigate the reasons why the Internal Auditors end up performing these prohibitive roles to discover if they voluntarily take up the prohibitive roles or have no choice but to assume these roles.