Should the head of the internal audit function also direct the risk management program?
For a number of reasons, management at several companies has asked the head of internal audit (CAE) to start up and manage their risk management program – in addition to internal audit. Reasons can include:
- “It was your idea. Congratulations on the new job.”
- “You really understand risk and risk management, so you are the best person to lead the department.”
- “There is synergy between risk management and internal audit, and we have limited resources.”
- “Risk management and internal audit fit together and we don’t have a better place for it right now.”
Back in 2004, The IIA issued a Position Paper on The Role of Internal Audit in Enterprise-wide Risk Management. That paper, which included the famous fan (below), distinguished between roles that are (a) core internal audit roles, (b) legitimate internal audit roles as long as certain safeguards are in place, and (c) roles internal audit should not undertake.
Activities related to providing assurance on risk management (the left side of the fan) were considered core, but those that involved taking ownership for how the organization assesses and responds to risk (the right side of the fan) were ones that internal audit should not take. The ones in the middle were determined to be acceptable activities as long as these safeguards were in place:
- It should be clear that management remains responsible for risk management.
- The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee.
- Internal audit should not manage any of the risks on behalf of management.
- Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.
- Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
- Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.
Has this position paper stood the test of time? Can it be applied successfully to the current situations where the same individual (formerly the head only of internal audit) runs both internal audit and risk management?
I believe that the fan is in decent but not perfect condition. I would move two roles from the ‘legitimate with safeguards’ group to the group of roles internal audit should not undertake:
- “Maintaining and developing the [enterprise-wide risk management] ERM framework”. Because this would typically include the organization’s risk management policy, at best internal audit should only be involved as a consultant and advisor when management develops and later maintains the framework.
- “Developing [the risk management] RM strategy for board approval”. While internal audit can be a valuable contributor, the strategy for implementing risk management and growing its maturity should be a management responsibility.
I would add another element to the fan (on the right) to the effect that the processes of assessing and evaluating risks are also a management responsibility. I would also add a seventh safeguard:
7. Assuming responsibility for risk management activities should not adversely affect the level or quality of internal audit services. It is too easy for the CAE to shift her time and attention away from internal auditing to establishing the risk management function.
The following dictum in the Position Paper remains the ‘acid test’:
“The key factors to take into account when determining internal audit’s role are whether the activity raises any threats to the internal audit function’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.” If a CAE were asked today to assume responsibility for risk management in addition to internal audit, my advice would be:
- Make it clear to management and the board that you cannot assume any responsibility that would represent a real or perceived threat to your independence or that of your team when it comes to your internal audit responsibilities.
- All of the safeguards described above, especially the first five, must be in place.
- All of the activities on the right side of the fan, plus the three I have added, are management responsibilities.
- In order to maintain both the reality and perception of internal audit independence and objectivity, I would separate the staff involved in internal audit tasks from those involved in risk management. If at all possible, I would hire a dedicated risk officer.
Some companies have positioned the internal auditing function under a Chief Risk Officer (CRO) who does not have the title of CAE or a background in internal auditing. The CAE in those companies reports functionally to the audit committee and administratively to the CRO.
Is this different from the situation where the CAE assumes responsibility for the ERM program? I believe the most important distinction is that there is a possibility that the CRO might attempt to influence internal audit’s reporting of deficiencies and the risk they represent. After all, in many companies the CRO is responsible for assessing the level of risk and ensuring it is within approved tolerances. So internal audit would be auditing their manager’s work.
I saw this in person when I interviewed for a position as CAE of a major credit card company several years ago. The position would have reported to the CRO, and when I met him I was impressed with his knowledge of the business and his working relationships with the top executives and the board; I enjoyed his very personable style. But when the discussion turned to reporting the results of audits to the audit committee, I asked him what would happen if the risk office had assessed the level of risk as low and internal audit found deficiencies implying the risk was high. He left no doubt that the risk level that would be reported to the audit committee would be that determined by the risk office. In fact, he was clearly concerned that internal audit would want to report on risk levels at all.
Some internal audit leaders think that the CAE should only ‘own’ risk management in two situations:
- When the company is starting the program, or
- When the organization is too small to have a separate risk management team
I am going to disagree. If handling both areas meets all the tests described above, all the required safeguards are in place, and (especially) this is good for the organization, then I see no reason why the CAE should not take it on. It represents an opportunity for growth, not only for the CAE but also for the rest of the team. Moving into risk management is a new and interesting career progression opportunity for internal auditors.
What are your views? Do you agree with what I suggest above?
Note: this article first appeared in the December 2011 issue of the Internal Auditor, in the Governance Perspectives column, which I edit.