The Role of Internal Audit in Risk Identification and Management: The Case of a Publicly Funded University in Ghana

Risk management is an integral part of the organizational process effected by an entity's management and personnel. It is designed to identify and address risks and to provide reasonable assurance in pursuit of the entity's mission. Risk management is to an organization’s strategic management as it raises the probability of success, and reduces both the probability of failure and the uncertainty of achieving the organization’s overall objectives. This study is set to ascertain the role of Internal Audit in risk identification, analysis and management in a Public University in Ghana. This single case study is situated at University of Mines and Technology (UMaT), Tarkwa. The research goes beyond the evidence in the public domain and includes questionnaire and interview of key personnel for data collection. The research revealed that, Internal Audit function plays an important role in making risk management at UMaT effective by carrying out activities such as pre-audit, revenue checking, updating procedures, provision of recommendations, and ensuring policies and procedures are complied. These go a long way to contribute to the achievement of the University objectives. Financial risk is found to be the major risk that threatens the operations of the University. The questionnaire administration indicated more than 77% of respondents agreed that the Internal Audit helps to reduce risk, conducts regular evaluation and review of risk, has qualified staff and management considers recommendations made by the unit as valuable. Respondents were, however, critical regarding professional training of staff, low percentages of respondents (30% and below) agreed to assertions in areas such as professional training of staff, adequate logistics and staff strength. It is recommended that there should be a documented risk management policy and when possible size of the Internal Audit staff should be increased to enable wider coverage of audit activity within the University be carried within the shortest possible time to ensure timeliness and relevance. In addition, staff should be encouraged to attend professional training periodically.

activities within the public sector. In support of this, a former Minister of Finance and Economic Planning, made a statement saying "Public sector organizations have been directed to establish functional internal audit unit by March next year" (Anon, 2007). By the Internal Audit Agency Act, it is therefore expected that every entity in the public sector should have an internal audit unit which seeks to further facilitate the prevention and detection of fraud in the sector.
Most public institutions, including University if Mines and Technology (UMaT), have organizational functions such as Administration, Finance and Auditing. Although the Audit Unit functions properly, most of the time, there are still more areas in the system exposed to risk. Risk normally affects operations such as strategic planning, finance and total operations of the system, which generally lead to issues such as fraud, waste, abuse and mismanagement. Therefore, through risk management system, management is able to identify, manage and implement measures to mitigate these risks. Dealing with these risks includes the role of the internal audit, which exists to examine and report on risk exposure and the organization's risk management efforts. In light of this, it is expedient to find out more about the risks that threaten the operations of most public institutions. This will reveal the risk management that is in place; and how these control measure facilitates the smooth running of the institution in achieving its vision and realizing its mission.
This paper seeks to explore the role of internal auditing in risk management in Tertiary Institution. UMaT, a relatively young engineering based university was chosen as a case study. The focus was on risks that threaten operations, risk management processes and challenges facing the internal audit function.

RESEARCH METHODOLOGY
Primary and Secondary data were utilized in this study. Primary data was obtained through interviews and questionnaires administered to personnel in the field of account/finance, internal audit, administration and human resource.
To explore the risk management strategies, open ended interviews were conducted with the Principal Officers, Heads of Departments, Internal Auditor and Faculty Accountants. The details included how the internal audit unit evaluates and improves the effectiveness of these risk management and governance practices at the university. The sources of secondary data included the University Status, Code of Ethics, Management Letters, Audit Reports, Financial Administration Act 2003 (Act 654), Financial and Stores Regulations, and Public Procurement Act 2003 (Act 663).
The population of this study was approximately 112 persons comprising those elements that frequently interact with internal auditors and whose duties view internal audit function as indispensable. These included the Finance officer, Accountants, Bursars, all Heads of Department, some Lecturers, Assistant Registrars, Administrators and Internal Audit of UMaT. Within this population a sample of 40 respondents (36%) was taken purposively due to their positions within the organization and whose duties internal control and risk management is indispensable. The responses were good representative because they helped achieve the research objectives. The Statistical Package for Social Scientists (SPSS), was employed to analyze the results of the questionnaire while the qualitative research data (interviews results) were analyzed descriptively.

RESULTS AND DISCUSSIONS
As part of the study, the educational background of the respondents was assessed as there is some level of relationship between educational background and the degree of effectiveness of risk management process in an organization. The data indicated respondents have high educational levels and that there is a positive relationship between the level of educational background of personnel and the level of awareness of risk management. For instance, out of the 40 respondents, only five were diploma holders (pre undergraduate) and the rest are from first degree (undergraduate) up to post graduate. The responses from the questionnaire clearly revealed that the more educated employees are, the higher their comprehension of risk management process as well as the role of internal audit.

Risk Management Process
According to Chow (2005), the awareness of risk management policy involves understanding organizational objective, identifying the risk associated with achieving the objectives, developing programmes to identify the risks, monitoring and evaluating the risk. The study thus sought to assess the University's documented risk management policy and the awareness of staff.
According to the study, 28 respondents representing 70% indicated that there was no documented risk management policy of the University while 30% indicated that there was a documented management policy. It was revealed through interviews that the University performs risk management through internal control systems but not documented risk management policy. This makes it difficult for the University staff to become aware of how risk is managed in the University.
The analysis above indicated that the responses gathered from the respondents of the University is in the alignment with the statement made by Chow (2005) that when risk management policy is not properly documented can affect factors such as strategies, operations, finance, technology and environment which posse threat and exposes organizations to risks. According to Pickett (2005), when risks are properly identified and recorded then it can be reduced to the lowest minimum level so the study sought to identify the known risks. The risks threshold the University is exposed to include operational, reputational, infrastructural and financial. As shown in Figure 1, the highest risk was financial (75%). 15% indicated operational and 5% each indicated reputational and infrastructural.

Figure 1. University Risk Exposure
When the question was posed if the university conducts comprehensive and systematic identification of its risks relating to each of its declared aims and objectives, 90% responded the University carries out a comprehensive and a systematic identification of its risk relating to each of its declared aims and objectives. Further responses reveal the responsibility for risk identification lies with Central Management, Finance Officer, Internal Auditor, and Heads of Department through auditing and physical inspection. It could be deduced that management of UMaT has put effective and efficient mechanisms in place in identification of risk as espoused by Pickett (2005).

Internal Audit Function in Risk Management
As explained by ISA (2000), the process of the internal audit involves checking, vouching and verification. It is a means by which auditors seek to establish the accuracy or otherwise of the financial records and of the balance sheet or other statement of figures. The study assessed the internal audit functions of the University, evaluating, reporting and the effectiveness of risk management processes. Figure 2 shows the results of the study and the percentages that affirmed the functions.  Vol.11, No.12, 2020 About 82% indicated the internal audit conducts regular monitoring, evaluation and reviews the effectiveness of internal control systems as well as risk management process through its auditing processes and procedures and report to management with recommendations where possible for attention and necessary action. Therefore, the statement made by ISA (2000), about the internal audit function is in alignment with the Universities assertion to the responses from the respondents.
Information gathered revealed Internal Audit monitors, evaluate and reviews the effectiveness of internal controls system and risk management and report to management with some of the control weaknesses found during auditing. 62.5%, testified to the fact that Internal Audit reports are timely enough to enable management to take appropriate action and 87.5% confirmed that recommendations from the Internal Audit are taken into consideration.
Some of internal audit functions that would be useful at all levels include reporting weaknesses in the control systems, performance and recommending improvements, providing counsel to managers and boards of directors and useful to all levels of management as espoused by Sawyer and Vinter (1996). 90% of the respondents agreed that Internal Audit function help reduce risk of the University.
The interview conducted also revealed Internal Audit of the University initially as system based. This comprises evaluation, verification of assets as well as goods purchases and ensuring compliance. With the introduction of recent Risk Based Audit, there has been a dramatic change to the scope of Internal Audit function at the University. Risk Based Audit was explained by the Internal Auditor as the system of identifying and assessing key risk areas and incorporating those risks into audit programmes and engagement plans so that Internal Audit reports/findings focus on key risks. The intention is to ensure those risks could be managed and maintained at an acceptable level by management.
Internal Audit of the University ensures all payments to the University are done through direct bank payment and bankers draft. And also, all payments to outsiders by the University are made by cheque with the exception of items procured through imprest. This is to ensure prevention of fraud of skimming.
It was also revealed that in order to control overspending of funds of the University, Internal Audit ensures emphasis is placed on budgeted expenditure. Furthermore, the Internal Audit ensures all fixed assets are safeguarded through labeling to assist easy identification and accountability.
An interview conducted with the Internal Auditor also revealed that basically, areas of risk management in the University include internally generated funds, cash management, procurement, fuel for official vehicles, human resource, projects and contracts, insurance issues and budgeting among others. There is no documented risk management process to be followed by Internal Audit, however, through its professionalism, risk is assessed periodically in terms of likelihood of occurrence and impact which is factored in its audit engagement with the help of internal control procedures which are documented.

Staffing and Logistics
As shown in Figure 2, 77.5% of respondents indicated Internal Audit of the University had appropriately qualified staff and at the time of the study, the minimum qualification of Internal Audit staff was first degree in Accounting. 75% however indicated that the staff strength was inadequate as at the time of the study, only five workers covers all the trust areas of the University. Looking at the size of the University, the five staff was not adequate to meet wide coverage within the shortest possible period. Internal Audit staff ratio to trust areas or internal customers/clients was proportionately less. In addition, 70% asserted that staffs do not undergo professional training and 82.5% specified that the Internal Audit does not have adequate logistics. The lack of logistics included a dedicated vehicle, computers, audit software and access to internet to ensure effective internal control and risk management process.

CONCLUSION & RECOMMENDATION
staff, adequate logistics and staff strength. It is recommended that there should be a documented risk management policy as non was available and when possible increase the size of the Internal Audit staff. This increase in number will enable them increase coverage of audit activities on the University Campus. In addition, staff should be encouraged to attend professional training periodically.
Additionally, the study projects three implications namely: implication to Tertiary Institutions; Implication to Regulators and Implication to Policy Makers within the tertiary education space. Publicly funded Universities must heed to the financial administration Act and ensure strict adherence to the implementation of audit roles as well as the functions to the Unit. The Audit Units of Publicly funded Universities must be funded appropriately so they can perform their functions to help reduce risk if not eliminate permanently.
To add to the above, regulatory implication is crucial as the role of Ghana Audit Service with supervisory role of the Publicly funded Universities must be enforced and the frequency of external audits be increased to quarterly basis. This will help give credence to the role of the Audit Units in the Universities.
Finally, it is imperative that policy makers through the Ministry of Education will make a policy to resource the Audit Units of the Publicly funded Universities because of their key role in ensuring compliance and reduction of funds dissipation as well as exposure to reputational and operational risk.