Author(s): Jacobus Young
Many organisations are suffering losses due to ineffective risk management and audit functions. Based on the principles of the three lines of defence, it is clear that the functions of risk management and internal audit should be separated. The concept of a risk-based audit is currently evolving in such a way as to ensure that organisations experience the maximum benefits of each function in a mutually exclusive way. A literature review was used to identify criteria to clarify the roles and responsibilities of each function. These criteria also serve as a platform to identify determinants for a risk-based audit approach of an operational risk management framework, which emphasises the primary role of internal audit, namely to provide management with the assurance that risks are being managed according to approved policies and procedures. Descriptive analysis of the responses to a survey confirmed the importance of the determinants and indicated their current applicability in various organisations.