SHEBA UNIVERSITY COLLEGE

DEPARTMENT OF ACCOUNTING

ASSESSMENT OF INTERNAL AUDIT AND RISK

MANAGEMENT INPUBLIC ENTERPRISES
(CASE OF SOME PUBLIC ENTERPRIZES IN ADWA
TOWN )
A RESEARCH PROJECT SUBMITTED TO THE
DEPARTMENT OF ACCOUNTING IN PARTIAL
FULLFILMENT OF THE REQUIREMENTS OF BACHELOR
OF ARTS DEGREE IN ACCOUNTING

BY:
\
FIYORI WELDAY

JUNE, 2011 E.C

ADWA, TIGRAY
 SHEBA UNIVERSITY COLLEGE

DEPARTMENT OF ACCOUNTING

ASSESSMENT OF INTERNAL AUDIT AND RISK MANAGEMENT

IN PUBLIC ENTERPRISES
(CASE OF SOME PUBLIC ENTERPRIZES IN ADWA TOWN )

A RESEARCH PROJECT SUBMITTED TO THE DEPARTMENT OF

ACCOUNTING IN PARTIAL FULLFILMENT OF THE
REQUIREMENTS OF BACHELOR OF ARTS DEGREE IN
ACCOUNTING

PREPARED BY: FIYORI WELDAY

APPROVED BY:
ADVISOR: _____________________________ SIGN ___________

EXAMINERS
1. ____________________________________ SIGN ___________
2. ____________________________________ SIGN ___________

2
Acknowledgment

Firstly, I am indebted to the Almighty God with whose grace; I could satisfactorily
complete my researchpaper.

Then,I am deeply grateful to my advisor for his professional suggestions, guidance for
the research paper, that without his assistance, successfulaccomplishment of this
research paper would have been very difficult.

Next, my specials thank goes to my relatives and real friends for their valuable
comments and significant suggestion during the research process, and for giving
me referring materials and in general for their friendly support.

3
Table of contents
Acknowledgment............................................................................................................3
Table of contents .............................................................................................................4
List of figures and tables..............................................................................................6
List of Acronyms and Abbreviations ........................................................................... 7
CHAPTER ONE: Introduction.......................................................................................8
1.1Back ground of the study ................................................................................. 8
1.2Statement of the problems ............................................................................... 9
1.3Objective of the study ....................................................................................... 10
1.4Research Design................................................................................................. 10
1.4.1 Survey design............................................................................................. 10
1.4.2Sample selection and Data Collection........................................................... 11
[Link] Sample .......................................................................................................... 11
[Link] Data Collection instruments............................................................................ 11
1.4.3Data Analysis................................................................................................ 12
1.5. Limitation and scope of the study ....................................................................12
1.6Significance of the study .................................................................................. 13
1.7Organization of the paper................................................................................13
CHAPTER TWO : Review of Related Literatur e........................................................ 14
2.1 Control governance frame work ........................................................................... 14
2.2 Internal auditing: structure and activities .............................................................. 15
2.2.1. The structure of internal audit function ……………………………………………15
2.2.2The activities of internal audit function ............................................................. 16
2.2.3 Scope of internal audit function ....................................................................... 16
2.2.4Control models................................................................................................. 17

4
2.2.5 Types of internal audit......................................................................................19
[Link] Financial audit for public financial statement.................................................. 19
[Link] Operational audit .........................................................................................19
[Link] Compliance audit ........................................................................................ 20
[Link] Fraud investigation .....................................................................................21
2.3 Risk assessment ............................................................................................. 22
2.4 Control risk self assessment........................................................................... 24
CHAPTER THREE: Data Presentation and Analysis ............................................. 26
3.1. Main business of the organization................................................................... 26
3.2 Types of auditing ........................................................................................... 26
3.3 Usage and importance of control models.......................................................... 28
3.3.1 Usages of control models............................................................................. 28
3.3.2 Importance of control models....................................................................... 29
3.4 Risk assessment ...................................................................... ..................... 28
3.4.1 Application of risk assessment methods........................................................ 29
3.4.2 Main participants in risk assessment............................................................. 30
3.4.3Existence of risk management department..................................................... 31
3.4.4 The relationship between internal audit functions and risk management …...…32
3.4.4 Objectives of risk assessment....................................................................... 33
3.5Control risk self assessment........................................................................34
CHAPTER FOUR : Summary of findings, Conclusions and Recommendations…... 36
4.2. Summary of findings ..................................................................................... 36
4.2 Conclusions ................................................................................................... 38
4.3 Recmmendations........................................................................................... 39
Reference ……………………………………………………………………….….…40

5
List of Figures
Figure 3.1 Organizational type……………………………………………………... 26
Figure 3.2 Types of audit……….………………………………………………….27
Figure 3.3 Usage of control models………….……………………………….……. 28
Figure3.4 Application of risk assessment methods………..….………………...…30
Figure 3.5 Existence of risk management……………………….…..…..….………32
Figure 3.6 Application of control risk self assessment…..……….……………….. 34

List of Tables
Table 3.1 Descriptive statistics of importance of control model…………..…….… 29
Table 3.2 Descriptive statistics of mainparticipants in risk assessmen……….……30
Table 3.3 Descriptive statistics of Objectives of risk assessment……………..……33

6
List of Acronyms and Abbreviations
AC Audit Committee
BOD Board of Directors
COSO Committee of Sponsoring Organization of the Tread way Commission
CRSA Control Risk Self Assessment
CSA Control Self Assessment
CSRP Civil Service Reform program
ECIIA European Confederation of Institution of Internal auditors
ERM-IF Enterprise-wide Risk management-Integrated Framework
IAF Internal Audit Function
IARF Internal Audit Research Foundation
IC-IF Internal Control-Integrated Framework
IIA Institute of Internal Auditor
MSA Management Self Assessment
OECD Organization for Economic Cooperation and Development
PE Public Enterprises
PPESA Privatization and Public Enterprise Supersizing Agency
SOX Sarbanes Oxley Act
SPPIA Standards for Professional Practice of Internal Auditors
SPSS Statistical Package for Social Sciences
WTO World Trade Organization

7
 CHAPTER ONE
INTRODUCTION
1.1 Back ground of the study
The issues of globalization, transparency, integrity and improvement of service delivery
increase the need for governance and accountability. Consequently,
thisphenomenonleadstheincreasinginteresttointernalauditfunctioninorganizations. These
havebothshownthatinternal auditing is promising as an important component of
management and [Link], thenature
of the services sought from the internal auditors has been transforming
over the years from an emphasis on compliance audit where independence
hasbeenthecoreparadigm,tobothcomplianceandconsultingrolewherepartneringwithmanage
mentisaccordedgreatersignificance(ŢurleaandStefănescu,2009;NagyandCenker,2002;
SarensandBeel,2006;FraserandHenry, 2007).
Risk assessment is becoming valuable for success and survival of an organization(William
and Kinney,2003).Regulatory requirements diverted internal auditresources from other
important internal audit activities such as risk-based auditsto assurance work (Sarens and
Beel, 2006). Failure to address key strategic
andoperationalrisksaswellascomplianceriskinanannualauditprogramsundermines the
effectiveness of the IAF. It diminishes its strategic value to keystakeholders and
exposes the enterprise to internal auditors must not only beable to assess risks in their
organizations, but they must also be able to completecomplex risk analyses in their own
IAF. Being able to self evaluate is importantto the success of the IAF. To accomplish
this, internal auditors need to possessincreasing levels of critical thinking, analysis,
decision making, and logic.
The scarcity of information on internal auditing and risk assessment practice
inEthiopian context will make this research important for many stakeholders. Itcan be
for an initiation for those who are interested to conduct a detailed

8
[Link]
enablethegoverningbody,specificallythemanagements,thehigherresponsiblebody,andauditc
ommitteeofselectedpublicenterprises,tobeawareoftheimportanceuseofinternalauditforeffect
ive risk assessment and internal control, and gives insight how they use theinternal audit
service most efficiency.
By utilizing an analytical framework from the extant literature and empiricalevidence
from other countries context, the research elaborated in more
detailinternalauditingpracticesandriskassessmentandaimstodrawinferencesregarding the
use of control self-assessment methods and the use of risk-basedauditing within the
selected Ethiopian public enterprises context by using selfadministered questionnaire
distributed to internal auditors and reviewed somedocuments. According to
Proclamation No. 68/ 1997,“Public Enterprise”
meansawhollystateownedenterpriseestablishedpursuanttoProclamationNo.25/1992 to
carry on for gain manufacturing, distribution, service rendering orother economic and
related activities.
1.2 Statement of the Problem
Indevelopingcountries,therehasbeenincreasedinterestandgivemoreattention to IAF as one
tool to enhancing good governance system of the publicsector (Diamond, 2002). This
has arisen from a number of sources, in the
OECDandWTOmembercountriesandincountriesthatarehighlydependentondonationandloan
.Thereisacallforimprovedaccountabilityandgreatertransparency that resulted in more
information about government programs andservices that in turn requires improved
financial reporting system. At the sametime, the increased emphasis on accountability
and improving public enterpriseperformance has demanded management to “protect”
itself by improving theIAF procedures that will provide them some minimal
assurances of meetingthese external demands.
Internal auditing practice and risk assessment differ contextually (Arena andAzzone,
2006; Allegrini and D`Onza, 2003). Karagiorgoset al(2007) stated
thatinternalauditisanessentialfactorintheefficientriskmanagementandconsecutively in the
business survival and [Link], it is important tonotice that the Ethiopian

9
environment is different from the developed
countriesenvironmentwheretheinternalauditingprofessionismoredevelopedandwhere
companies are subject to more stringent corporate governance [Link] is better to
see the problem in developing countries context to enrich andextend the
understanding of internal auditing and risk assessment practices inEthiopian public
enterprises context.
1.3Objective of the study
The general objective of this study was to see internal auditing function and
riskassessment public sector organizations. In order to achievethe above intended
objective this study tried to answer the following specificresearch questions.
RQ1. What are structures and activities of internal audit function?
RQ2. To what extent internal audit functions use control models?
RQ3. To what extent internal audit functions use risk assessment methods?
RQ4. To what extent internal audit functions use risk-based auditing?
RQ5. To what extent internal audit functions use control risk self assessment
models?
1.4Research Methodology
The researcher used mixed method approach, the rationale for combining
bothquantitativeandqualitativedatainthisstudywastobetterunderstandaresearch problem by
combining both numeric values from quantitative researchand the detail of qualitative
research and to neutralize limitations of applyingany of a single approach and a means
to offset the weaknesses inherent withinmethod with the strengths of the other method.
This mixed method research had an objective to see the internal auditing practiceand risk
assessment in the public sector (for-profit) organizations in Ethiopia, in
respect of the current economic situationand international directions on thefield.
1.4.1 Survey design
Thisstudyhadintenttoassesstheinternalauditingandriskassessmentpractices in Ethiopian
public enterprises. To do this proposed study, the methodsthat will be employed are
survey design. Survey design provides a
quantitativeornumericdescriptionoftrends,attitudes,oropinionsofapopulationbystudying a

10
sample of that population. Its purpose is to generalize from a sampleto a population so
that inferences can be made and it is also economical andrapid turnaround in data
collection This survey was conductedby means of self-administered questionnaire, with
in selected public enterprises;questionnaires were distributed to internal auditors.
Questionnaire is a commonplace instrument for observing data beyond the physical
reach of the observer
1.4.2Sample selection and Data Collection
[Link] Sample
Survey sampling is the process of choosing, from a much large population, agroup
about which the researcher wish to make generalized statements so that the selected
part will represent the total group . The populationconsidered in this study was the
total public organizationwhich operate in Adwa, and purposely draw a sample from the
total to get rich [Link] are 24public sector enterprises in Adwa The sampling
design for this population was purposeful sampling. In which, four institutions
wereselectedbecause they assumed to have internal audit function and theymay use
sophisticated auditing activities. Thus,purposeful sampling method was very valuable
method to this study. Numbersof internal auditors in the offices were collected from
human resource ofeach organizationand a total of 10 auditors were included in the
sample.
[Link] Data Collection instruments
Twotypesofdatacollectioninstrumentswereusedinthisstudy:onequestionnaire for internal
auditors and document review.
Questionnaire
Toenhancevalidityquestionnairesmostlywereadaptedfrom(ArenaandAzzone, 2006;
Allegrini and D`Onza, 2003). Research evidence was
gatheredthroughasurveyconductedbyusingdetailedclose-endedandopen-
endedquestionnaires to internal auditors. Mixed Questionnaires have many merits;
[Link] regard to closed-ended
questionnaires, the respondents were asked toshow their level of agreement on a five
point Likert- scale with the followingratings: Strongly agree (SA; or 5), agree (A; or 4),

11
neutral (N; or 3), disagree (DA;or 2), and strongly disagree (SD; or 1). The number
indicated in the questionnaireto provide attitude of internal auditors for interval scale
measurement and [Link]-
endedquestioners, the respondents were requested to provide open-ended responses tothe
questions that require opinion and if they have opinions which they feel the researcher
would find useful.
Document review
Documentswerereviewedbyreferringmostrecentinformationfromauthorizeddocumentsandd
[Link],internalauditchartersandotherdocumentsrelatedtointernalaudi
[Link]
ected by questionnaires.
1.4.3Data Analysis
Both quantitative and qualitative data analysis method were used. First the data collected
through the questionnaires were analyzed with descriptive statistics byusing statistical
package for social scientists and qualitative method of analysis
isemployedforfeedbacksobtainedusingopen-endedquestionnaireanddatareviewed from
documents.
1.5Limitation and scope of the study
The scope of the study was limited to internal auditing and risk assessment
[Link] private organizations,
non-for profit organizations and budgetary
[Link] have
been more productive if it has been conducted on all
[Link],duetotimeandfinancialconstraint
s, it was out of the reach of the researcher to incorporate all in thisstudy. Due to
this, the research was limited to from for-profit Public Enterprises.
In the light of the limited research that exists on internal auditing practice and risk
assessment in public sector (for-profit) organization, within the
Ethiopiancontext,thestudywasbuiltonthecurrentbodyofknowledgeandstudiesconducted in
other countries context.

12
1.6Significance of the study
The study will have many advantages for all practitioners and academicians
byprovidingusefulinformationaboutinternalauditingandriskassessmentinAdwatown,s public
enterprises (for-profit) organizations. It will also be useful
fororganization`smanagementbyprovidinginformationaboutbestinternalauditingandriskasse
[Link]
gardtostatementoftheproblem.
The study could also be used as an initiation for those who are interested toconduct
a detailed and comprehensive study regarding the role of internal
[Link],specifically the managements,
the higher responsible body, and audit committeeof selected public enterprises, to be
aware of the importance use of internal audit,and gives insight how they use the internal
audit service most efficiency.
1.7Organization of the paper
[Link] of the study
which includes background of the study, statement ofproblems, objective of the study,
methodology of the proposed study,
limitationandscopeofthestudy,[Link] the
literature review regarding the research area of internal auditingand risk assessment
practices and therefore sets out the theoretical foundationsfor the research. The research
results were presented in chapter three. The finalchapter concluded the paper,
summarized the findings and introduced avenuesfor future research.

13
 CHAPTER TWO
REVIEW OF RELATED LITERATURE
2.1 Control governance frame work
In this section the researcher reviewed control activities within an
[Link],
financial and compliance which may prevent an organization
[Link],internalcontrolmustincluderiskmanagement(Cra
wfordandStein,2002).Goodgovernancepromotesrelationshipsofaccountabilityamongthepri
marycorporateparticipantstoenhance corporate performance (Rezaee, Olibe and Minmier,
2003). To meet thisresponsibility, organizations require adapting and combining the
expertise ofexisting internal audit with that of risk management functions and relate
theresulting effort to the business and operational needs of the organization.
Internalcontrolisaprocesseffectedbyanentity`sboardofdirectors,management and others
within an organization. It should provide reasonableassurance regarding the
achievement of objectives in the following categories:effectiveness and efficiency of
operations; reliability of financial reporting andcompliance with laws and regulations.
Until regulations and standards changedinternal audit is considered as part of internal
control system of a company, yetmust also remain independence (Protiviti Inc., 2009).
As per Rezaee (1995) COSO report has a significant impact on the increasing
roleandresponsibilitiesofinternalauditors,speciallytheirroleintheentity‟sinternal control
system. It is alandmark in the evolution of internal controlwhich refocuses public
attention on the need for public reporting on internalcontrols.
As per Beretta and Bozzolan (2009) an internal control process that effectively
supports risk management must:

 be able to identify the risks threatening the business;

 beintegratedintotheprocessesofstrategicobjectivessettingandofstrategic resources
allocation;

14
  be closely linked to the process of budgeting and assignment of objectivesto
management and
 Ensure the continuous monitoring of risk management strategies

Generally,approachestoguidanceandregulationonriskandcontrolareglobally diverse, and

the prospects for convergence are uncertain. The only firmpoint of agreement is that
risk management and effective internal control arefundamental prerequisites of good
corporate governance (Woods 2008).From the above discussion one can infer that
internal auditing provide valuablerole in organizations. It is one part of internal control
system of a company toinvestigate effectiveness and efficiency of management activity.
2.2 Internal auditing: structure and activities
2.2.1. The structure of internal audit function
Thestructureofinternalauditfunctionwidelydiffersamongdifferentorganizations. In some
organizations IAF have chief audit officer who is memberof senior management, but in
some other organizations IAF is as part of financeand accounting function. On the other
hand it maybe out-sourced or combinedwith other assurance functions (Prawitt, 2003).
The structure of internal auditfunction affects its overall activities, which, intends to
operate.
As per Mat Zain,et al.(2006)when the audit committeeis involved in keydecisions
such as the replacement of the chief internal auditor, there will
[Link],managementinfluence over
the internal audit function decreases and consequently
internalauditorswouldfeelmoreconfidentinundertakingauditinvestigations,particularly
when dealing with more sensitive issues that may involve seniormanagement.
Thus structure of internal audit function can be affected by; enacted
regulations,companystructure,ageofanorganization,organizationalstatus,activityitintends to
perform and others.
2.2.2 The activities of internal audit function
Activities of internal audit function differ among organizations depending on thesize of an
organization, the level of development of professional activities
withinagivencountry,corporategovernanceframework,[Link] (2002)
stated that internal audit changed through time from

15
[Link]
expectation not from the profession is self.
SawyerandVinten(1996)notedfourbenefitsmanagershavegainedfrominternal auditing
assistance. Internal auditors should first review and appraisethe soundness and
adequacy of the accounting, financial, and other operatingcontrols, and promote
effective controls at reasonable cost. Secondly, the
internalauditorsshouldascertaintheextentofcompliancewithestablishedpolicies,plans,
procedures, laws and regulations, which could have a significant impacton
thecompany‟s operations. Then the internal auditors review the means ofsafeguarding
assets and when appropriate, verify the existence of such assetsand appraise the
economy and efficiency with which resources are employed.
Lastly, the internal auditors review operations or programs to ascertain
whetherresultsareconsistentwithestablishedobjectivesandgoalsandwhethertheoperations or
programs are being carried out as planned.
Ţurlea and Stefănescu(2009) approach the internal audit in terms of its essentialrole and
the support granted to the managing board, “in order to handle theinternal control”.
This opinion consolidates the role of the internal audit, which
istoensurethequalityoftheexistinginternalcontrols,themannertheyareapplied, the
correctness and effectiveness of the implemented strategy, givingcourage and
confidence to the internal audit.
To sum up activities of internal audit function different among
organizationsdependingondifferentattributes,throughtimechangedfromtraditionalactivities
to consulting and value added service.
2.2.3 Scope of internal audit function
In contrast to external audit which mainly focuses on assessing historic
financialdata,internalauditfunctionencompassestheadequacyandeffectivenessofgovernance
, risk management and internal control processes in identifying andresponding to all the
risks facing the organization (ECIIA, 2005).
Public bodies in developing countries may want their audit effort directed athelping
to build better controls and deal with corruption issues. Companies
andbodiesthatareembarkingonalong-termreformprogrammaywanttheirauditors to help

16
build a capacity to self-assess risk and controls in line withawareness events and
facilitated self assessmentprogrammes.
Internal audit may undertake the following different typesof work:
givingassurancetotheboardthattheorganization‟sriskshavebeenproperly;identifiedandmana
gedinaccordancewiththeapprovedriskappetite;reviewing the activities undertaken by
management to implement the ethicalpolicy across the whole organization; giving
assurance that business continuityand disaster recovery planning, including that for
mission-critical informationsystems, is adequate given the risks facing the organization
and the risk appetite;giving assurance that the purchase process includes adequate
controls to ensureagreed levels of competitiveness, cost savings and quality performance;
assistingthe management team in evaluating the actual return on investments over
agiven period of time; carrying out an internal audit to verify an
organization‟scompliance with labour laws and regulations; giving assurance that
measuresareproperlydesignedandworkingeffectively
toaddresshealth,safetyandenvironmental
risksonindustrialsites;verifyingthatallpurchaseandsalescontracts comply with the
organization‟s policies; giving an opinion on theefficiency and effectiveness of the
customer complaints process; and providing
advice to management on the design and implementation of risk management
processes (ECIIA,2005).
Woods and Humphrey (2008) list out some of the tasks that have been found to fall
within the contemporary scope of internal audit:

 Auditofriskmanagementprocessesacrossthefullbreadthofanorganization
 Supporting and training staff in the area of risk identification, assessment and
monitoring
 Draftingofarisk-basedauditplan,whichfocusesonthekeyrisksidentified by senior
management?
 Drafting and co-ordination of the risk management reports submitted toboth the
Audit Committee and the Board of Directors
 Providingacommentaryontheeffectivenessofactionstakenbymanagement to
address control weaknesses identified by internal audit

17
  communicating good practice in risk management
 Providing a statement of assurance on risk and internal control for theAudit
Committee and the Board of Directors.
To sum up the scope of internal audit varies among organization depending on the
environment in which the organization operate
2.2.4 Control models
There are different control models companies can use to assess their risk; the most
important of this is the report of Committee of Sponsoring Organization of the Tread way
Commission (COSO). The issued the report called in internalcontrol–
[Link] of internal
controls in achieving anentity‟s objectives and providesthe impetus for entities to refocus
attention on their systems of internal controlsin an attempt to ensure responsible
corporate governance and reliable financialreporting [Link] recent scandals and
financial crashes that hit several large listed companieslaid bare the inadequacy of
internal control systems in directing managementattention and resources towards risk
management. An answer to the increasingdemand for a more risk-focused perspective in
the design and implementation ofinternal control systems has been given recently by
COSO through the EnterpriseRisk Management Integrated Framework (ERM-IF) (COSO,
2004).
In the 1992 report, the identification and assessment of risk were consideredstrictly
an aid in determining the adequacy of internal control systems. In fact,emphasis was
placed on the internal control system, risk assessment being
[Link](2004),riskmanagement is a
key governance activity and internal control is an element ofthe ERM system. In order
to appreciate its relevance and scope, risk managementmust be examined in connection
with:

Corporate governance, as top management is responsible for conscious

and effective risk management;
Performance measurement, as risk assessment is a key ingredient of risk-adjusted
return measures;
Internalcontrol,asinternalcontrolisconsideredacomponentof

18
Enterprise Risk Management systems.
2.2.5 Types of internal audit
Auditsperformedbyinternalauditfunctionare;financialauditforpublicfinancial statements,
audit of the management information system,
operationalaudit,complianceaudit,specialprojects,ITAudit,fraudinvestigation,riskassessme
nt and others.
[Link] Financial audit for public financial statement
An audit of financial statements is conducted to determine whether the overallfinancial
statements (the quantifiable information being verified) are stated inaccordance with
specified criteria. Normally, the criteria are the requirements ofthe applicable
International Financial Reporting Standards (IFRSs). The financialstatements most
commonly comprises of the Balance Sheet, Income
Statement,StatementofChangesinEquity,CashFlowStatement,andNotestotheaccounts. The
assumption underlying an audit of financial statements is thatthese will be used by
different groups for different purposes. Therefore, it
ismoreefficienttohaveoneauditorwhowillperformanauditanddrawconclusions that can be
relied upon by all users than to have each user perform his or her own audit. If a user
believes that the general audit does not
providesufficientinformationforhisorherpurposes,theuserhastheoptionofobtaining more
data. For example, a general audit of a business may providesufficient financial
information for a banker considering a loan to the company,
but a corporation considering a merger with that business may also wish to know
the replacement cost of fixed assets and other information relevant to
[Link] (Virtual
University of Pakistan, n.d).
[Link] Operational audit
An operational audit is a review of any part of an entity‟s operating proceduresand
methods for the purpose of evaluating efficiency and effectiveness. At
thecompletionofanoperationalaudit,recommendationstomanagementforimproving
operation are normally expected. An example of an operational auditis evaluating the
efficiency and accuracy of processing payroll transactions in anewly installed computer

19
system. Another example, where most accountantswould feel less qualified is
evaluating the efficiency, accuracy, and
customersatisfactioninprocessingthedistributionoflettersandparcels byacouriercompany
(Virtual University of Pakistan, n.d).Because of the many different areas in which
operational effectiveness can beevaluated, it is impossible to characterize the conduct
of a typical
[Link],theauditormightevaluatetherelevancyandsufficiencyoft
heinformationusedbymanagementinmakingdecisionstoacquire new fixed assets, while
in a different organization the auditor
[Link],therevie
[Link] of organization structure,
computer operations, production methods,marketing, and any other area in which the
auditor is qualified.
[Link] Compliance audit
Thepurposeofacomplianceauditistodeterminewhethertheentityisfollowing specific
procedures, rules, or regulations set down by some higherauthority. A compliance
audit for a private business could include determiningwhether accounting personnel are
following the procedures prescribed by thecompany controller, reviewing wage rates
for compliance with minimum wagelaws, or examining contractual agreements with
bankers and other lenders to
[Link]
sdistrictsschool,thereisextensivecomplianceauditingduetoextensiveregulationbyhighergove
[Link],[Link]
mpliance audits are typicallyreported to someone within the entity beingaudited
rather than to a broad spectrum of users. Management, as opposed tooutside users, is
the primary group concerned with the extent of compliance withcertain prescribed
procedures and regulations. Hence, a significant portion of
work of this type is done by auditors employed by the entity itself. There are
exceptions; when an organization wants to determine whether individuals or entities
that are obligated to follow its requirements are actually complying, theauditor is
employed by the entity issuing the requirements. An example is the auditing of

20
taxpayers for compliance with the federal tax laws, where the
auditorisemployedbythegovernmenttoauditthetaxpayers‟taxreturns(VirtualUniversity of
Pakistan, n.d).

[Link] Fraud investigation

It is not a primary role of internal audit to detect fraud. Internal audit‟s role is
toprovideanindependentopinionbasedonanobjectiveassessmentoftheframework of
governance, risk management and control. This will include theeffectiveness of the
processes put in place by management to manage the risk
[Link],internalauditorsmay:Reviewtheorganization‟sriskassessment seeking
evidence on which to base an opinion that fraud risks havebeen properly identified and
responded to appropriately (i.e. within the riskappetite). Provide an independent
opinion on the effectiveness of the fraudprevention and detection processes put in
place to reduce the risk of fraud.
Reviewnewprogrammesandpolicies(andchangesinexistingpoliciesandprogrammes)seeking
evidencethatfraud-riskhadbeenconsideredwhereappropriateandprovidinganopinionon
thelikelyeffectivenessofcontrolsdesigned to reduce the risk of fraud. Consider the
potential for fraud in everyaudit assignment and identify indicators that fraud might
have been committedor control weaknesses that might indicate a vulnerability to fraud.
Review areaswhere major fraud has occurred to determine how frauds were perpetrated
andmakerecommendationsaboutstrengtheninginternalcontrolswhereappropriate. Assist
with, or carry out, fraud investigations on
management‟[Link]
[Link]
dinvestigationworkisundertaken,management should be made aware that the internal
auditor is acting outside ofthe core internal audit remit and of the likely impact on the
audit plan. Providean opinion on the likely effectiveness of theorganization‟sfraud-
risk strategy(e.g. fraud policy, fraud response plan, whistle blowing policy, codes of
conduct)[Link]
asprimaryresponsibilityforensuringthatanappropriatestrategy is in place and the role of
internal audit is to review the effectiveness ofthe strategy. Consider whether to report

21
concerns of criminal activity that cometo light as a result of audit fieldwork to an
appropriate third party such as afraud or security professional within the organization
(HM Treasury, 2010).

2.3 Risk assessment

Both definitions of risk and our understanding of the term risk managementhave
changed over [Link] and McNamee (1999, p. 161) described as „majorparadigm
shifts in organizations‟ approach to risk management.‟ As per Woods(2008) in ancient
times risk was seen as a consequence of natural causes thatcould not be anticipated or
managed, but more modern, scientific-based thinkinghas led to the emergence of a view
that risk is both quantifiable and manageablevia the judicious use of avoidance and
protection strategies.
Risk is now viewed from a very broad perspective, it encompass issues such as corporate
reputation, regulatory compliance, health and safety of employees,supply chain
management and general operational activities and this changedperspective has led to
some rethinking of the approaches to the design of internalcontrol systems (Woods, 2008).
Risk management is a dynamic process for taking all reasonable steps to find outand deal
with risks that impact on our objectives. It is the response to risk anddecisions made in
respect of available choices that is important and the IIA has madethepertinentpointthat:
„Althoughorganizationsusethetermriskmanagementfrequently,ittooismisleading,becauseris
kisneveractuallymanaged. It is the organization that is managed in anticipation of the
uncertainty(and opportunities) presented by risk in the environment (Pickett, 2010).
Practitioners have long considered risk assessment as an activity to be
performedintheauditprocesswiththespecificaimtoidentifyareasofweaknessorsymptomsofpo
[Link],sincetheissuanceoftheCOSOInternal Control Integrated
Framework (IC-IF) (COSO, 1992), risk assessment isexplicitly regarded as one of the
components of internal control systems (Berettaand Bozzolan, 2009).
AsperRezaee(1995p.6)“Riskassessmentrequiresidentificationandinvestigationofbothintern
alandexternalrisksandacceptanceofprudentbusiness risk in achieving an entity‟s
objectives”.It assists managementandinternal auditors to be in control. Being in control
requires sustaining the

22
abilitytoidentify,understandandreactinatimelymannertoevents,conditions,challenges,oppor
tunitiesandriskspertainingtotheentity‟soperational,financialreporting,andcomplianceobjecti
[Link] determining the significance of the risk in
monetary terms or in terms ofthe image or reputation of the entity, the probability of risk
occurring, and howto mitigate the impacts of the risk to reduce exposures to acceptable
levels. TheCOSO report assists management and internal auditors to establish an
ongoingprocess of identifying changes in an entity‟s business environment and to
takeactions as necessary to manage risk
As per Ramamoorti, Bailey and Traver (2002) Risk assessment is a significantpart
of internal audit planning. As a systematic process for the identification andanalysis of
relevant risks threatening the achievement of an entity‟s objectives,risk assessment is
helpful for assessing and integrating professional judgmentsabout probable adverse
conditions and/or events. The process of risk
assessmentincludesidentificationofauditableactivities,identificationofrelevantriskfactors,
and determination of their relative significance. An efficient and effectiveaudit program is
responsive to risk assessment, and is designed to ensure thatproper controls are in
operation that minimize or eliminate risk and exposure(Sawyer and Dittenhofer,
1996). Risk assessment in auditing involves patternrecognition because an unexpected
deviation or variation is symptomatic of risk.
Comprehensive risk assessment is becoming valuable for success and survival ofan
organization (IARF, 2003). A survey conducted by (PwC, 2005A) showed thatregulatory
requirements diverted internal audit resources from other important internal audit
activities such as risk-based audits to assurance work. Failure toaddress key strategic
and operational risks as well as compliancerisk in anannual audit program
undermines the effectiveness of the IAF. It diminishes
itsstrategicvaluetokeystakeholdersandexposestheenterprisetointernalauditors must not
only be able to assess risks in their larger organizations, butthey must also be able to
complete complex risk analyses in their own IAF. Beingable toself evaluate is important
to the success of the IAF. To accomplish this,internal auditors need to possess
increasing levels of critical thinking, analysis,decision making, and logic (IARF, 2003).

23
Theinternalauditingprofessionneedsthat”theinternalauditingprocessprovides assurance to
management and the audit committee that risks to theorganization are understood and
managed properly” (IIA, 2000). This statementshows that the internal auditor requires
identifying and assessing the risk of
[Link],itrangesfro
mjudgmentalselectionmethodsandtraditionalaudituniverse coverage to using complex risk
assessment methods.
Goodwin-Stewart and Kent (2006) stated that internal auditors can add value to the entity
by providing assurance that its risk exposures are properly understoodand managed.
Internal audit should play a key role in monitoring a company‟srisk profile and
identifying areas to improve risk management processes.
To conclude Risk management is a dynamic process for taking all
[Link] is
viewed as very important part of internal audit function.
2.4 Control risk self assessment
CRSA is a tool that is used by businesses to promote risk management in teams,projects,
through processes and generally throughout the organization. This toolcan be used by
the executive board, partners, middle management, and workteams and, of course,
internal audit. In other words, CRSA is both a managementtool and audit technique
depending on what the CAE wishes to apply to theaudit process and the views of
thecorporatebody. In its purest form, CSAintegrates business objectives and risks and
control processes (Pickett,2010).All business systems have objectives, risks and ways
of managing these [Link] is a process for agreeing on the set objectives, identifying
the inherent risksthat stop one from achieving the objectives and then working out which
risks [Link](toassesstheirriskmanagementstrategy
leads to a better understanding of the specific risks and controls inquestion, to
more buy-in as people agree on their approach and to
[Link]
orcontrolslieswiththosethatoperatethemandthosethat

24
Manage the operations (Pickett, 2010).Control self assessment is a process through which
internal control effectivenessis examined and assessed. The objective is to provide
reasonable assurance by
[Link] process
allows management and work team directly responsible for abusiness function to:
participate in the assessment of internal control;
evaluaterisk;developactionplantoidentifiedweakness;assessthelikelihoodofachievingbusine
[Link]
tyusefulformanagementandinternalauditors (Protiviti Inc., 2009 and Pickett, 2005).
Control risk self assessment is a mechanism to the assessment of internal controlswithin
their work group. Based on this learning and adopting a shared visionwithin an
organization rather than command and control (the traditional auditapproach (Bou-
Raad, 2000).
Control and Risk Self-Assessment (CRSA) is a derivation of CSA. It is a
processspecificallyfocusedonriskidentificationandassessment).Typically,CRSAchanges
the focus of an audit review from a structured, objective appraisal of
anorganization‟scontrolsystems,whereinternalauditorsanalyzeandtesttransactions, to a
workshop-based forum for discussion and understanding ofstrategic and business risks
(Beretta and Bozzolan, 2009).
But it is not without disadvantage, particularly, higher management
involvementrepresentsoneofitsmostsignificantlimitations,asitcancompromisetheobjectivity
of the assessment. In order to limit this risk, overlaps between CRSAprocesses and
internal auditing activities must be reduced by carefully
definingthepurposesandcontentsofeach,inordertopromoteintegrationwithoutconfusionofrol
[Link],somecompanieshaveoptedforacleardistinctionbetweenstaffresourcesdedic
atedtointernalauditingandthoseassigned to CRSA activities, even creating two
separate teams with
differentresponsibilities,tasks,skillsandmethodologies,bothreportingtotheChiefInternal
Auditor(Beretta and Bozzolan, 2009).
To conclude, control risk self assessment are used by business to promote risk

25
management in teams. Control risk self assessment is both management tool
andaudittechniquedependingonwhattheCAEwishestoapplytotheauditprocess.

CHAPTER THREE
DATA PRESENTATION AND ANLAYSIS
3.1. Main Types of the organizations.
According to the figure below from 20 respondents 2(10%) were from the towns finance
office, 2 (10 %) were from the town’s hospital, 3 (15%) were from office of water
supply, 5 (25 %) were from the educational organizations , 6 (30 %) were from micro
finance institutions and the remainingwerefromtelecom branch,whichconsistedof 2 (10%)
of total respondents.
Figure 3.1 Organizational type

Adwa town Office of

Finance
Telecom branch 10%
10% Adwa
Hospital
10%
Micro finance
30%

Water
supply of-
fice
15%
Public Colleges
25%

Source: Survey results

26
3.2Types of auditing
The survey also aimed at analyzing planned annual auditing activity is devoted to (in
percentage) the following audit types:

 Financial audit for public financial statements

 Audit of the management information system
 Operational audit
 Compliance audit
 Fraud investigation
 Risk assessment

Results in Figure 3.2shows that operational audit generally prevails (28% of

auditresources and time); especially in where there are large internal audit function. The
scope of internal audit generally regards the suitability of procedures from the
perspective of economy, effectiveness, and efficiency. Compliance audit is
thesecondrelevantscopeofauditingactivities(27%);particularly,infinancialinstitutions and
in smaller companies, auditors review the systems, which havebeen established to
ensure compliance with legal and regulatory
requirements,[Link]
ty for external auditors; in fact, internal audit departments allocatesmall resources for
the review of the reliability of public financial statements(8%). Instead, the review
of management information systems, Audit of MIS andFraud investigation receives a
higher percentage of resources (11%, and 10
%respectively).Thesizeofauditresourcesdevotedtoriskassessment(12%)reveals the
relevance of this kind of activity, especially in large publicenterprises.
Generallyitwasfoundthatoperationalauditrequiresmostresources,withcompliance
auditsecond important audit type . The amount of auditresources devoted to risk
assessment reveals the relative relevance of this kind ofactivity. Public enterprise internal
audit guide line require all of audit activitieslisted above to be performed, but many
public enterprises specially smaller
onewereperformedcomplianceandoperationalauditintheirannualauditactivities.
Figure 3.2 Types of Auditing (Planned annual auditing in percentage)

27
 32%
30% 27%

20%
11% 10% 12%
10% 8%

0%

Source: Survey results

3.3 Usage and importance of control models

Theresearcherwantedtoassesstheawarenessandapplicationofcontrolmodels (COSO, and
ERM, etc.) in public enterprises. Control modelshave broadened the view of internal
control and have strengthened the
conceptofcontrolenvironment,riskassessment,monitoringandcontinuousimprovement as
key control principles.
3.3.1 Usages of control models
Figure 3.3Usage of control models

Percieved response on effectivness of control

models (i.e COSO or ERM)

Disagree
35%

Agree
65%

Source: Survey results

28
As shown in figure above, (34.6%) of respondents do not believe that control models
provide an
effectivebasisfordesigningtheinternalcontrolsystem,andthereforetheyhavenotintegrated
(COSO or ERM) into their audit process. Their control system seemsto follow the
traditional foundation of specified control process, procedure andstructure, and the focus
is entirely addressed to monitoring and assessing controlactivities.
Manycompanies(65.4%)wereincorporatedCOSOorERMprinciplesintheinternalcontrolpolic
[Link]
ernalcontrolsystem.

3.3.2 Importance of control models

Table 3.1Responses on the importance of control models
No Questions related to control models N Average
(in %)
1 Control models provide an effective basis for 18 90
designing the internal control system
2 Control models provide an effective support for the 18 90
reporting of internal auditing findings
3 Control models are used widely in your organization 17 85
4 Internal auditors in your organization address 15 75
qualitative issues in their work

Source: Survey results

Note:N- number of respondents
Based on table3.1 results internal audit units in public enterprises agreed with
theimportance of control models. It is worth mentioning that the relevance of
thecontrol models for designing the internal control system, for effective
controlsystem review, to support the reporting of internal audit function and to
addressqualitative issue in audit work, even if there is subjectivity involved in this
kindof audit. Some respondents stated that informal controls are not tangible
and,therefore, are not subject to the verification demanded by traditional
auditingmethodology.

29
3.4 Risk assessment
Risk assessment is a method of identifying, measuring and prioritizing risk. It isa
prerequisite of risk management, which is the process of determining whetheror how
much of the risk is acceptable and what actions should be taken in order to avoid, to share
or to control the risk.
To protect and add value to the organization, different steps of risk
[Link]
heapplicationofriskassessmentmodels,themainparticipantsinvolved and the objectives
pursued.

3.4.1 Application of risk assessment methods

Figure 3.4Application of risk assessment methods

On the way To im-

plement
6%

Not implementing
26%

Implementing
68%

Source: Survey results

As one can see from figure 3.4 vast number respondents which consists of 67.9% of
usableresponsessaidthattheirinternalauditfunctionimplementedformalriskassessment
process. 25.6% revealed that their unit not yet implement formal risk management
process. The remaining6.4% said they are on the way toimplement it.
The implication of result in figure 3.3 is that many public enterpriseswere introduced
formal risk assessment process in their internal audit

30
function,andfewenterpriseswereonthewaytointroduceformalriskassessmentprocess, which
shows that higher attention is given to risk management.
3.4.2 Main participants in risk assessment
There were four questions under participants in risk assessment process and risk based
auditing. With respect to main actors of risk assessment in organizations only two
questions out of four, which were internal auditors in co-operation withthe line
management and management during the control risk self assessmentfacilitated by
internal auditors, had a mean response of more than 3.0.

Table 3.2Descriptive statistics of main participants in risk assessment

No Options of participants in risk assessment N Mean

1 Internal auditors in co-operation with the line 20 3.3

management
2 External consultants in co – operation with the line 19 2.8
management and ith the support of internal auditors
3 Management during the control assessment facilitated 20 3.3
by internal auditors
4 20 2.6
Internal auditors in cooperation with
externalconsultants but without the involvement of
the line
Management

Source: Survey results

Note:N- number of respondents

Theremainingtwoquestionshadameanresponseoflessthan3.0. Thisshows that internal

auditor‟s role is vital but the response was far way from oneother.
The implication of the above result showed that internal auditors in co-
operationwiththelinemanagementandmanagementduringtheControlRiskSelfAssessment
facilitated by internal auditors provide a vital role. But, externalconsultants in co-
operation with the line management and with the support ofinternal auditors, internal

31
auditors in co-operation with external consultants butwithout the involvement of the line
management have little or no role.
3.4.3Existence of risk management department
Fromsixpublicenterprisesconsideredinthisstudy
2 (33.3%)haveriskmanagementdepartmentandtheremaining4
(66.7%)[Link]
kmanagementdepartmentthreeofthemwerefrombankingsectorandtheremaining two were
from service sector.
The data implies that risk management is very important in banking sector
[Link],Risksinbankinghaveincreasedmanifoldrecentlydue
toseveralphenomenalikeglobalizationofbankingservices, introduction of wide range of
complex banking products, complexity inbank operations, and increasing adoption of
information technology in banks.
Riskmanagementandmitigationtechniqueshave,therefore,acquiredparamount importance in
banks. Banks are also interested in risk management asit can reduce the regulatory
capital requirement under Basel II, which is in theprocess of implementation in the
banks . In organization where,there no risk management department, internal audit
department perform allactivities related to risk management.

Figure 3.5Existence of risk management

32
 Existence of risk management department

Exist
25%

Doesn't exist
75%

Source: Survey results

3.4.4 The relationship between internal audit functions and risk management
The relationship between risk management and internal audit department
differamongpublic enterprises under [Link] were two different opinions
with respect to banks; one respondent statedthat, actually the two departments have no
strong relationship; this is becausethe risk managementunits‟task is to identify the
level of risk and providesassurance for each department and branch but internal audit
department givesassurance to the management committee. On the other hand, other
respondentrespond that, the internal audit process might prepare audit plans based on the
reportsofriskmanagementprocessreport;ontheotherhand,theriskmanagement process may
assess the risk based on internal audit process reportand feedback of the management.
With respect to service providing public enterprise a respondent said that
therelationshipbetweeninternalauditandriskmanagementisnotassuchintegrated and a
respondent further stated that, there is risk management andinsurance team in the

33
organization. However its relationship with the internalaudit team is not formally set
and clear. But, the internal audit team recognizesthe risk and insurance team as an
auditee.
But, other respondent stated that they have risk management department knownas risk
and insurance management department. The relationship between thedepartments is
that internal audit department uses information from risk andinsurance department to
assess risk and to issue reports and recommendationsrela Finally, a respondent from
another service organization stated that there isno risk management department in their
organization; however there is
[Link] other than
identified by internal audit function is also used as aninput for risk based audit activities.
The above discussions revealed that the relationship is not uniform betweenthe two
departments. In some organizations there is little relationship but
[Link] there is no
risk management department; however there isrisk management committee level. The
risks identified by the committee areused as an input for risk based audit activities.
ted to risk of the organization.

3.4.5 Objectives of risk assessment

Table 3.3Descriptive statistics of Objectives of risk assessment
No Questions related to control models N Mean Deviati
on
1
The risk assessment activity have implemented
in allthe functions and processes of the
organization 20
3.23 1.09
2
Developing a systematic approach that
management
20 3.21 1.02
3 could use in dealing with the risk Identifying
most critical areas to define the audit plan
(macro risk assessment)
20 3.33 1.00

34
 4
Embracingrisksinindividualaudit(microriskassess
ment) 20
3.35 0.92
5
20
Complying with the regulatory requirement 3.59 0.86
6
External risk reporting and Value creation
20 3.26 0.90
Source: Survey results
Note:N- number of respondents

There were six questions under risk assessment objectives. All questions had amean
response of more than 3.00. Standard deviations of the first three questionswere more than
1.00, which were the risk assessment activity have implementedin all the functions and
processes of the organization, developing a systematicapproach that management could
use in dealing with the risk and identifyingmost critical areas to define the audit plan
(macro risk assessment). This indicatesthat the respondents perception were far way
from one other. The
remainingthreequestionswhichwereembracingrisksinindividualaudit(microriskassessment),
complyingwiththeregulatoryrequirementandexternalriskreporting and value creation had
standard deviation of less than 1.00. On
theotherhandstandarddeviationoflessthan1.00showedthatrespondent‟sperceptions were
closed to each other. The result in table 3.3 revealed that onaverage the respondents
agreed up on the objective of risk assessment.
3.5 Control risk self assessment
The last section of theanalysis aimedat determiningthe state of the art of Control
Risk Self Assessment (CRSA) in Ethiopian public enterprises. CRSA is asystematic and
participative technique used to identify, classify, assess measure and evaluate risks and
controls.
Actually, different techniques are used in the organizations to identify and assessboth risks
and controls, called Control Self Assessment (CSA), Control Risk SelfAssessment
(CRSA), Risk and Control Self Assessment (RCSA), Business

35
SelfAssessment(BSA),ManagementSelfAssessment(MSA).Eachofthesetechniques is
based on a different methodology and has a different focus, but forthe purpose of this
paper, the researcher does not attempt to identify whichmethod is adopted by
Ethiopian public enterprises and the research use the termCRSA (to include both
CSA/CRSA and the other techniques).
Figure 3.6Application of control risk self assessment

Response on effectivness of control risk self as-

sesment
Agree
37%

Disagree
63%

Source: Survey results

However, a number of respondents (37.2%) do not believe that control risk selfassessment
provide an effective basis for designing and implementation of goodinternal audit
function and internal control system, and therefore they have notused control risk self
assessment into their audit process. Their control systemseems to follow the traditional
foundation of specified control process, procedureand structure, and the focus is entirely
addressed to monitoring and assessingcontrol activities. Most companies (62.8%) were
incorporated control risk selfassessment principles in the internal control policies and
procedures.

36
37
 CHAPTER FOUR
SUMMARY, CONCLUSIONS AND RECOMMENDATIONS
4.1. Summary of findings
Theresultsshowedthat75%ofenterprisesinternalauditfunctionsunderconsideration have
less than 10 internal auditors. Banks have by far a largeinternal audit function than
other firms; this is due to the nature of
[Link] and
in absence of the Board they ultimately reported to senior executivemanagement.
Itwasalsofoundthatoperationalauditrequiresmostresources,withcompliance audit second
important audit type. The amount of audit resourcesdevoted to risk assessment is
11%, which reveals the relative relevance of thiskind of activity. Public enterprise
internal audit guide line require all of auditactivities listed above to be performed,
but many public enterprises speciallysmaller one were performed compliance and
operational audit in their annualaudit activities.
27(34.6%) of respondents have not integrated control models (COSO or ERM)
into their audit process. Their control system seems to follow the traditional
foundation of specified control process, procedure and structure, and the focus
[Link] 51(65.4%)
were incorporated control models in the internal
[Link]
[Link]
theinternalcontrolsystemandeffective control system review.
Risk assessment is a method of identifying, measuring and prioritizing risk.
ThequestionnaireresultsshowedthatmanyEthiopianpublicenterpriseswereintroduced formal
risk assessment process in their internal audit function, and
few enterprises were on the way to introduce formal risk assessment process,
which shows that higher attention is given to risk management. The internal
auditors in co-operation with the line management and management during theControl
Risk Self Assessment facilitated by internal auditors provide a vital role to implement

38
formal risk assessment process. But, external consultants in co-operation with the
line management and with the support of internal auditors,internalauditorsinco-
operationwithexternalconsultantsbutwithouttheinvolvement of the line management
have little or no role in risk assessmentprocess.
Risk management is very important in banking sector than other sectors. This isdue to
the fact that, Risks in banking have increased manifold recently due to several
phenomena like globalization of banking services, introduction of
widerangeofcomplexbankingproducts,complexityinbankoperations,andincreasingadoption
[Link]
departmentdifferamongorganizations under consideration.
To implement risk based internal auditing successfully the following conditions play a
vital role: clear definition and communication of objectives, culture andattitudes
towards controls and risks, clear identification of processes and theirowners,
Management support at top level and Development of a formal riskassessment
model.
Thus data analysis showed that risk assessment is very important to develop
asystematic approach that management could use in dealing with the risk, toidentify
most critical areas to define the audit plan (macro risk assessment), toembrace risks
in individual audit (micro risk assessment), to comply with theregulatory requirement,
and for external risk reporting and value creation.
The result of the study also revealed that internal audit functions in Ethiopian
public enterprise use; requests of senior management, risk-based and control-based
approaches to plan their annual audit. But risk based approach is the
mostimportantascomparedtorequestofseniormanagementandcontrol-basedapproach.
Impact of activities on the corporate image and adequacy of internal controls are very
important factors in risk based internal auditing.
Finally a number of respondents 29(37.2%) do not believe that control risk self
assessment provide an effective basis for designing and implementation of good internal
audit function and internal control system, and therefore they have not used control risk
self assessment into their audit process. Their control systemseems to follow the

39
traditional foundation of specified control process, procedureand structure, and the focus
is entirely addressed to monitoring and assessing
control activities. Most companies 49(62.8%) were incorporated control risk
selfassessment principles in the internal control policies and procedures.
4.2 Conclusions
Most prior literature on aspects of internal auditing and risk assessment hasfocused
on empirical evidence from the Anglo-American world, Europe andAsian pacific
countries. The evidence the researcher report from Ethiopia Africancountry should be
timely and facilitate comparisons of internal auditing practicesin other domains. More
importantly, the evidence the researcher reveals
[Link]
ofcontrolgovernanceframeworks,internalauditfunctionstructureandactivities,auditdepartme
ntsize,auditdepartmentpositioninorganization structure and reporting lines, types of
auditing control models, riskassessment, risk assessment models, main participants in
risk assessment , risk-based auditing. Knowledge of these factors should help
stakeholders to
assessthenatureofinternalauditingandriskmanagementinEthiopianpublicenterprises.
The implementation of a formal process of risk management by an entity helps itto obtain
an overview of the different risks (and risk interdependencies) towhich they are
exposed, reduces the reaction time of a business to risk-
relatedissues,createsapositivecultureofrisk,andimprovestheprocessofriskmitigation. Risk-
based internal auditing helps companies to practice
effectiveriskmanagementbecauseitincorporatesprinciplesofriskmanagementthroughoutthea
uditprocess,bothintheannualplanningprocess,andinplanning each audit engagement.
Privatizationandpublicenterprisesupervisingagencyrequiresallpublicenterprisestohaveinter
nalauditfunctionandallenterprisesunderconsideration have internal audit unit. But,
Banks have by far a large internal
audit function than other firms; this is due to the nature of operation. Majority ofthe
respondents indicated that they report directly to Board of Director and inabsence of
the Board they ultimately reported to senior executive management.

40
The amount of audit resources devoted to risk assessment reveals the
relativerelevance of this kind of activity. Results also showed that many
Ethiopianpublicenterpriseswereintroducedformalriskassessmentprocessintheirinternal
audit function, and few enterprises were on the way to introduce formalrisk assessment
process.
4.3 Recommendations
Public enterprise internal audit guide line require all of audit activities listedabove to
be performed, but the study revealed that many public enterprises wereperformed
compliance and operational audit in their annual audit activities ascompare to other
audit types. On average 11% of their annual audit plan isdevoted to risk
assessment. To get the benefits of risk based auditing and tomanage an organization
properly it is better to increase the amount of budgetand time devoted to risk
assessment.
Therelationshipbetweeninternalauditfunctionandriskmanagementunitdifferisveryminimali
[Link] also found that the interaction is
not as such to implement proper
[Link],properintegrationshouldbeneeded between
the two departments in order to manage organizational risksproperly.
Internalauditfunctionsunderconsiderationagreedwiththeimportanceofcontrol models for
designing the internal control system review. Therefore it is better to incorporate
control models for those who are not used it before foreffective risk assessment.

41
References

Allegrini, M. and D‟Onza, G. (2003), “Internal auditing and risk assessment in

large Italian companies: an empirical survey”,International Journal of Auditing,
Vol. 7, pp. 191-208.
Allegrini,M.D‟Onza,[Link],[Link],[Link],G.(2006),“TheEuropean literature
review on internal auditing”,Managerial Auditing Journal,
Vol. 21, No. 8, pp. 845-853
Arena, M., and Azzone, G. (2009), „Identifying Organizational Drivers of InternalAudit
Effectiveness‟,International Journal of Auditing, Vol. 13, pp. 43–60.
Beretta, S. and Bozzolan, S. (2009) “From Internal Auditing to Enterprise
RiskManagement:TheCaseoftheTelecomItaliaGroup”,InternationalRiskmanagement
Carcello, J. V., Hermanson, D. R. &Raghunandan, K. (2005a), „Factors
associatedwithUSpubliccompanies‟investmentininternalauditing‟,AccountingHorizons, Vol.
19, pp. 69–84.
Carey, P Subramaniam, N. Wee Ching, K C. (2006) “Internal audit outsourcing in
Australia”, Accounting and Finance,Vol. 46 pp. 11–30
Committee of Sponsoring Organizations of the Tread way Commission (2004),
Enterprise Risk Management Integrated Framework, AICPA New York, NY.
Diamond,J.(2002),„theRoleofInternalAuditinGovernmentFinancial
Management‟: An International Perspective, Working Paper Retrieved on
January 17, 2007
Elliott, M. Dawson, R .and t Edward, J. (2007), „An improved process model for internal
auditing‟, Managerial Auditing Journal Vol. 22 No. 6, pp. 552-565
Fadzil, FH, Haron, Jantan,M. (2005), `Internal auditing practices and internalcontrol
system`,Managerial Auditing Journal, Vol. 20, No. 8, pp. 844-866
Frase,(2005),InternalAuditorsandEnterpriseRiskManagement,availableat:http://
[Link]/auditing-best-practice/internal-auditors-and-enterprise-risk-
management?full

42
FraserandHenry,
(2007),`Embeddingriskmanagement:structuresandGoodwin,[Link],P.
(2006),“TheuseofinternalauditbyAustraliancompanies”, Managerial Auditing Journal,
Vol. 21 No. 1, pp. 81-101.
Hass, S. Abdolmohammadi, M.J and Burnaby, P. (2006), “The Americas literaturereview
on internal auditing”,Managerial Auditing Journal, Vol. 21 No. 8, pp.835-844.
HM Treasury (2010), Fraud and the Government Internal Auditor
Rezaee (1995),„What the COSO report means for internal auditors‟,ManagerialAuditing
Journal, Vol. 10, No2,pp. 5-10.
Sarens, G. (2009), “Internal Auditing Research: Whereare we going?”,
Editorial,International Journal of Auditing,Vol. 13, pp.1–7.
Sarens, G. and De Beelde, I. (2006), “Internal auditors‟ perceptionabout their rolein
riskmanagement:A comparison between USand Belgian companies”,Managerial
Auditing Journal, Vol. 21 No. 1, pp. 63-80.
Sawyer L. and Vinten G. (1996), the Manager and the Internal Auditor Partners for
Profit, [Link].
[Link].
(2008)“FromInternalAuditingtoEnterpriseRiskManagement:TheCaseoftheTelecomItaliaGr
oup”,InternationalRiskManagement Systems, Internal Control and Corporate
Governance: CIMAedited by. Kajüter P. and Linsley P pp.49-77
Sharma, G.V. (2004), Risk Based Internal Audit in Banks, auditing,
[Link],M,Normah,HO,Zulkarnain,SI,andIthnahaini,B2001,`„Auditors‟perceptionoffra
udriskindicators‟:MalaysianEvidence`,ManagerialAuditing Journal,Vol. 20, No.1, pp. 73-
85.
SOX. (2002). Sarbanes-Oxley Act of [Link] Hundred Seventh Congress of the
United States of America. HR 3763.
Spencer Pickett K .H (2003) „the Essential Handbook of Internal Auditing‟, John
Wiley and Sons, Ltd
Spencer Pickett K .H (2010) „the Essential Handbook of Internal Auditing‟, John
Wiley and Sons, Ltd
Zwaan,StewartandSubramaniam(2009),Internalauditinvolvementin

43
Enterprise Risk Management: Discussion Papers Accounting, Griffth Business

44