What internal auditors should know about risk but don’t
This is going to be an unusual post.
I want to start a debate about what internal auditors should know and understand about risk and the management of risk within an organization – but don’t.
Please contribute by sharing your views and debating with those I express and others post.
My list is fairly short:
- Too few internal auditors understand that the purpose of risk management, as expressed in both the COSO risk management framework and the global ISO 31000:2009 standard, is to help executives, managers, and decision-makers make better quality decisions – and thereby increase the likelihood that the organization will achieve its objectives and create value
- In fact, too few are truly familiar with both COSO ERM and ISO 31000:2009. The latter is easier to understand and use, which is why I prefer it
- Too few internal auditors understand that controls only require improvement if the level of risk is outside desired levels. Some risk is essential for efficiency and success
- Too many CAEs believe they cannot assess risk management because there is no formal risk management program. That in and of itself may be a serious risk that should be discussed with the audit committee and top management. But what needs to be assessed is not the program per se but whether the organization is able to manage risks to the achievement of its objectives
I will leave it there.
My ask is that all comments be constructive and point to solutions rather than using this as an opportunity to slam either the IIA or those who write about internal audit and risk management.