
The most important audit committee demand of internal audit

Last month, Richard Chambers shared an outstanding article, Audit Committee Chairs Are Loud and Clear: Internal Audit Must Communicate Better. He said he would provide his own comments later on the major points made by the audit committee chairs he interviewed, but I would like to add my own here.

His very first point is that audit committee members want internal audit to be “An objective source of assurance on risk management and controls”. He adds as a second point that they need to be “Capable of connecting the dots and expressing overall opinions on the effectiveness of risk management and controls”.

This has been a hot issue for me for years. Richard will remember that I pronounced at a conference that “if internal auditors don’t assess and provide assurance on risk management, they deserve a seat at the children’s table”. His initial reaction was opposition, but then he switched and embraced and even repeated my point.

  • Risk management helps leaders “pierce the fog of uncertainty” (Felix Kloman) about what lies ahead as they make decisions and endeavor to achieve enterprise objectives.
  • Risk management helps them make the informed and intelligent decisions necessary for success after seeing the “big picture”, and balance downside risks and upside opportunities.
  • When there are flaws in risk management, there is an unacceptable likelihood of poor and ill-informed decisions, making it far less likely that enterprise goals and objectives will be achieved.

Roll the time machine back to 2010, when I organized and chaired a meeting at the Breakers in West Palm Beach, Florida for IIA leadership about risk management and internal audit. Until that time, the IIA had paid scant attention to risk management in its standards, education, or certifications. I and several others felt that this was because its leaders didn’t have a sufficient understanding of effective risk management.

I brought together major thought leaders from around the world, together with representatives of the Big Four CPA firms, to share their insights. Speakers included (photos below – Grant Purdy joined by phone):

  • Richard Anderson (then director and later chair of the Institute of Risk Management based in the UK)
  • Brian Barnier, who has written a book on operational risk management
  • Jim DeLoach of Protiviti, who led their work on risk and governance
  • Mark Frigo, Director and Professor – Center for Strategy, Execution and Valuation; Strategic Risk Management Lab
  • Rick Funston, Deloitte National Practice Leader for Governance and Risk Oversight
  • Dorothy Gjerdrum, chair of the North America ISO 31000 Standards Committee (of which I was a member)
  • Michael Parkinson, KPMG Australia and a member of the Australia ISO 31000 risk management standard committee
  • Grant Purdy, a CRO and the chair of the Australia/New Zealand Committee on the ISO 31000 risk management standard (and its godfather)
  • Paul Sobel, later to be IIA chair, COSO chair, and the author of a book on risk management

I am happy to say that the IIA responded promptly, adding the CRMA certification and expanding its discussion of risk management.

However, I for one would like to see it move further. It’s been 14 years, everybody!

But coming back to Richard’s article and the point about assurance on risk management…

How many CAEs are providing that assurance to their boards?

How many know enough about effective risk management to perform the necessary work, assess its effectiveness, and report to the board?

Not nearly enough!!

When the majority of CROs, executives, and boards assess their organization’s risk management maturity as lacking (see multiple posts by me on that topic), why is almost every CAE not informing their boards of this major (or material) weakness?

How is it that, when so few CAEs provide assurance on risk management, their departments still pass the IIA’s Quality Assessment Review?

There are more great points in his article, but I will leave this post here. This is such a fundamental and essential issue.

What’s more important than effective risk management, helping you take the right risks for success?

How do you audit it? That’s a topic for another post, but it entails asking these questions and more. It’s not about looking at risk registers or a risk appetite statement, or auditing compliance with risk policies.

  • Does risk management meet the needs of the organization?
  • Do decision-makers have the information they need about what might happen (both risks and opportunities), when they need it, to make the informed and intelligent decisions necessary to achieve enterprise goals and objectives?
  • Do the board and management know what is the current likelihood of achieving enterprise objectives, and do they know what they have to do (regarding risks and opportunities) if that likelihood is not acceptable?
  • Is risk management seen as something people have to do or want to do?

I welcome your thoughts.

Do we need another conference to understand effective risk management?

  1. Anonymous
    March 7, 2024 at 4:42 PM

    I wonder why there is a lack of assessment of the maturity of organizations’ risk management. Is it hard to measure, or is there a lack of tools to measure it?

    • Norman Marks
      March 7, 2024 at 4:45 PM

      There are tools, such as the maturity model in my book

  2. Anonymous
    March 7, 2024 at 10:50 PM

    Hello Norman. I would be interested in a blog post by you discussing “How do you audit it? That’s a topic for another post, but it entails asking these questions and more.” David Tate

  3. Debashis
    March 7, 2024 at 10:51 PM

    At certain organisations and in certain environments, there appears to be a gap between AC and management expectations. Management is sometimes cagey about IA looking into ‘strategic’ aspects of business including risk management, either out of lack of confidence (which is remediable) or sense of privilege (which is not). And, while (rightly) assuming that providing assurance on risk management is the core function of IA, the proffered solution to the second kind of situation – looking for greener pastures, if sincere ‘lobbying’ efforts fail – may not always be feasible for all.

  4. Anonymous
    March 9, 2024 at 9:07 PM

    Fair point, Norman. It would be interesting to dive deeper into why assurance is not being provided and why organizations are not investing in mature risk management processes. I would not blame internal audit for the poor state of risk management, but they have a role to play in pushing the agenda. You raise internal audit not understanding risk management as a cause; I would like to add that in many instances it is also not well understood by boards and executives. I also don’t believe the concept of the 3 lines model helped the cause either, except to make them believe that having a risk office means they have it all in place.
