
Should the head of the internal audit function also direct the risk management program?

For a number of reasons, management at several companies has asked the head of internal audit (CAE) to start up and manage their risk management program – in addition to internal audit. Reasons can include:

  • “It was your idea. Congratulations on the new job.”
  • “You really understand risk and risk management, so you are the best person to lead the department.”
  • “There is synergy between risk management and internal audit, and we have limited resources.”
  • “Risk management and internal audit fit together and we don’t have a better place for it right now.”

Back in 2004, The IIA issued a Position Paper on The Role of Internal Audit in Enterprise-wide Risk Management. That paper, which included the famous fan (below), distinguished between roles that are (a) core internal audit roles, (b) legitimate internal audit roles as long as certain safeguards are in place, and (c) roles internal audit should not undertake.

Activities related to providing assurance on risk management (the left side of the fan) were considered core, but those that involved taking ownership for how the organization assesses and responds to risk (the right side of the fan) are ones that internal audit should not take. The ones in the middle were determined to be acceptable activities as long as these safeguards were in place:

  1. It should be clear that management remains responsible for risk management.
  2. The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee.
  3. Internal audit should not manage any of the risks on behalf of management.
  4. Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.
  5. Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
  6. Any work beyond the assurance activities should be recognized as a consulting engagement and the implementation standards related to such engagements should be followed.

Has this position paper stood the test of time? Can it be applied successfully to the current situations where the same individual (formerly the head only of internal audit) runs both internal audit and risk management?

I believe that the fan is in decent but not perfect condition. I would move two roles from the ‘legitimate with safeguards’ group to the group of roles internal audit should not undertake:

  • “Maintaining and developing the [enterprise-wide risk management] ERM framework”. Because this would typically include the organization’s risk management policy, at best internal audit should only be involved as a consultant and advisor when management develops and later maintains the framework.
  • “Developing [the risk management] RM strategy for board approval”. While internal audit can be a valuable contributor, the strategy for implementing risk management and growing its maturity should be a management responsibility.

I would add another element to the fan (on the right) to the effect that the processes of assessing and evaluating risks are also a management responsibility. I would also add a seventh safeguard:

  7. Assuming responsibility for risk management activities should not adversely affect the level or quality of internal audit services. It is too easy for the CAE to shift her time and attention away from internal auditing to establishing the risk management function.

The following dictum in the Position Paper remains the ‘acid test’:

“The key factors to take into account when determining internal audit’s role are whether the activity raises any threats to the internal audit function’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.” If a CAE was asked today to assume responsibility for risk management in addition to internal audit, my advice would be:

  1. Make it clear to management and the board that you cannot assume any responsibility that would represent a real or perceived threat to your independence or that of your team when it comes to your internal audit responsibilities.
  2. All of the safeguards described above, especially the first five, must be in place.
  3. All of the activities on the right side of the fan, plus the three I have added, are management responsibilities.
  4. In order to maintain both the reality and perception of internal audit independence and objectivity, I would separate the staff involved in internal audit tasks from those involved in risk management. If at all possible, I would hire a dedicated risk officer.

Some companies have positioned the internal auditing function under a Chief Risk Officer (CRO) who does not have the title of CAE or a background in internal auditing. The CAE in those companies reports functionally to the audit committee and administratively to the CRO.

Is this different from the situation where the CAE assumes responsibility for the ERM program? I believe the most important distinction is that there is a possibility that the CRO might attempt to influence internal audit’s reporting of deficiencies and the risk they represent. After all, in many companies the CRO is responsible for assessing the level of risk and ensuring it is within approved tolerances. So internal audit would be auditing their manager’s work.

I saw this in person when I interviewed for a position as CAE of a major credit card company several years ago. The position would have reported to the CRO, and when I met him I was impressed with his knowledge of the business and his working relationships with the top executives and the board; I enjoyed his very personable style. But when the discussion turned to reporting the results of audits to the audit committee, I asked him what would happen if the risk office had assessed the level of risk as low and internal audit found deficiencies implying the risk was high. He left no doubt that the risk level reported to the audit committee would be the one determined by the risk office. In fact, he was clearly concerned that internal audit would want to report on risk levels at all.

Some internal audit leaders think that the CAE should only ‘own’ risk management in two situations:

  • When the company is starting the program, or
  • When the organization is too small to have a separate risk management team

I am going to disagree. If handling both areas meets all the tests described above, all the required safeguards are in place, and (especially) this is good for the organization, then I see no reason why the CAE should not take it on. It represents an opportunity for growth, not only for the CAE but also for the rest of the team. Moving into risk management is a new and interesting career progression opportunity for internal auditors.

What are your views? Do you agree with what I suggest, above?

Note: this article first appeared in the December 2011 issue of the Internal Auditor, in the Governance Perspectives column, which I edit.

  1. Michelle Doyle
    January 2, 2012 at 2:56 PM

    Absolutely not. Risk management is a second line of defence function. Internal Audit is the objective, independent third line of defence function. Risk management is a fundamental line of challenge and support for organisations, and if internal audit ‘owned’ it, where would the challenge to internal risk assessment and risk management governance sit? Audit are there to independently challenge and advise where appropriate and report to the audit committee where appropriate.

  2. January 2, 2012 at 4:13 PM

    Michelle has said it all and I fully agree with her reply.

    I am surprised that this question was ever posed as it is such an obvious issue that has already been fully explored.

    Of course, Norman is just playing the role of an “agent provocateur” to test if we are awake after the New Year celebrations.

  3. Norman Marks
    January 2, 2012 at 4:45 PM

    Actually, I believe the CAE can also serve as CRO, as long as the right precautions are taken.

  4. Larry Brown
    January 2, 2012 at 6:56 PM

    Norman – I disagree (and agree with the previous commenters). Why not the CAE running HR, acting as the CFO, CCO, even CEO? Just because the skills are there doesn’t mean the “mash up” of roles makes sense.

    What does make sense is more guidance on the importance of the CCO, CRO and CAE roles and the interaction between these second (CRO, CCO) and third (CAE) line of defense positions.

    Keep up the good work!


    • January 2, 2012 at 10:05 PM

      Larry, I question even whether “the skills are there”. Today’s world is too specialized for a “one suit fits all” type of Internal Auditor, as it is for a CIA-qualified internal auditor to even be able to fully meet the demands and expectations of internal auditing. Is such an individual really expected to be a professional internal auditor and to provide advisory services and assurance, etc.? It is one thing to be able to evaluate an organization’s risk management process, but another to actually perform the function of risk management within a corporation.

      I believe it is better (and safer) to be one or the other, i.e. a first class auditor or a first class risk manager.

      I also believe, that internal audit failed during the last ten years to effectively perform one of its principal duties, namely to monitor and evaluate Internal Controls.

  5. Justus Ekeigwe
    January 2, 2012 at 7:15 PM

    Norman- the problem with the CAE also serving as the CRO lies in the last part of your statement: AS LONG AS THE RIGHT PRECAUTIONS ARE TAKEN. How do we know what the right precautions are since the direction and dimensions of the underlying risks is amoebic?

  6. Norman Marks
    January 2, 2012 at 7:32 PM

    The “precautions” are described in the post.

  7. Justus Ekeigwe
    January 2, 2012 at 8:21 PM

    I have seen the precautions now and they make sense. But still, I am not sold on the CAE acting jointly as CRO. The assumptions and precautions are too many. You recognized the need to maintain IA independence and objectivity by separating audit and risk personnel. In addition, I also see administrative issues in managing two sets of employees with different mindsets and dimensional approaches to the business.

    I agree though that IA involvement with risk management should extend beyond where it is right now as you noted in the two bullet points. We need further refinement in the guidance. Finally, I appreciated your experience at the interview. Thanks for sharing.

  8. January 2, 2012 at 8:41 PM

    Norman, I must agree with the commenters that it is a terrible idea for Internal audit to become head of risk management. However, I do not agree with the reasons that many have given. Risk management must evolve, and is evolving, beyond the typical domain of checking the box and evaluating internal controls, which has been the predominant role of audit and secondarily risk management.

    It is not surprising that many confuse the role of audit and risk management, as some commenters have stated that internal audit is the objective and risk management is secondary. This is incorrect and does not reflect an understanding of risk management or the role of audit. Risk Management is the objective! Audit is simply one branch of the risk management tree, with many branches in operations, technology, finance, sales, and human resources. MF Global did not fail because they failed their audit. The firm, like so many others, failed because of a lack of understanding risks and managing them more effectively. In fact, the audit of MF Global and internal controls attestations passed external audit muster. How sad that many of your readers make the same mistake or share the lack of understanding about the true role of risk management!

    Did Arthur Andersen fail because of internal controls? Enron? Lehman? Tyco? Barings Bank? If audit has done such a good job at managing risks, why have we seen an increase in corporate failures while the regulatory and structural requirements to implement strong internal controls have never been stronger? Internal controls and audit functions are distracting from the real role of risk management.

    These questions are interesting but miss the real point. Does management understand risk management? Does management take responsibility for the risks it takes? Are there mechanisms in place to prevent unbridled risk taking under uncertain conditions with no checks and balances? Our founding fathers understood these concepts perfectly and set up separate powers of government to prevent a concentration of power, with hard checks in place. Congress has managed to weaken and destroy those checks, yet they prevent full-scale override. Corporations should do no less and not allow CEOs and other powerful corporate players to have unchecked power to put their firms at risk. Have you ever heard of an Internal Auditor stopping a CEO from running a firm off a cliff? It won’t happen, because the soft power implied in the role is just that: one of influence, not control.

  9. Norman Marks
    January 3, 2012 at 7:06 AM

    Some organizations (including both very large and much smaller companies), right or wrong, have both internal audit and the risk management team report to the CAE. What they then do is hire a specialist risk officer to lead the risk management team (reporting to the CAE/CRO) and appoint an individual to lead the internal audit team. That way, they get the special skills and experience needed.

    Does that help?

  10. January 4, 2012 at 5:44 AM

    This is a “how many angels can you fit on the head of a pin” question. Theologically it is interesting, practically it is irrelevant. The answer will depend on the nature of the company, its culture and the willingness of the board and CEO to listen to challenge. I have long held the view that organisations really need a co-ordinated risk and assurance framework, which means that “risk” and “IA” work together effectively. I am less interested in the purity of the position than the ability of the team to make it work. In some cases I see (in the UK) a director of risk and assurance who has a risky and an auditor reporting to him/her. I prefer that to having audit reporting to risk or risk reporting to audit. This was the position I recommended ages ago in my OECD paper.

    So, Norman, my sense is forget the theological purity and go with what works: holding the executive to account and ensuring that what is supposed to be done gets done!

  11. Jim Simon
    January 4, 2012 at 7:49 AM

    Norman’s chart deserves close examination.

    The green items are things everyone concedes a Risk Management group should do, and Norman’s point is that Internal Audit could do these as well. James Bone’s assessment seems on target to me. Mixing these two functions is an apples and oranges issue, but job sharing can work at small firms where people have to wear more than one hat.

    The yellow items are often ignored because they seem too specialized and can cost too much management time. These items suffer that same fate even in a dedicated Risk Management group. Here, Norman is making an excellent Internal Auditor’s point about ways Risk Management fails to live up to its potential.

    The red items are the ones that become highly political in many organizations. They’re the risks on which highly profitable transactions people may perversely overrule the organization’s controls. Read “The Smartest Guys in the Room” and “All the Devils Are Here” to see examples of how this happens. The scariest part is that Norm is telling us that when Risk Management doesn’t have the clout to tell management to make the traders toe the line, then Internal Audit can’t help either.

  12. John Fraser
    January 5, 2012 at 8:46 AM

    Some thoughts:
    As background and for transparency: in 2000, when I was asked to take on the role of CRO in addition to CAE, I refused, saying that it could be a conflict. On reflection, given that the company had failed on numerous attempts (four) to get ERM going, I agreed to do both but keep them distinctly separate, which has worked for us ever since. Everyone knows which of the two hats I wear at board, Audit Committee, management meetings etc.
    It should be noted that the IIA re-issued the fan unchanged in their January 2009 “IIA POSITION PAPER: THE ROLE OF INTERNAL AUDITING IN
    While it may not be the perfect solution, it is in my mind far less of a conflict than the CAE reporting to the CFO (still a dominant fact despite most major financial reporting frauds being related to the CFO) or internal auditors doing “consulting”.
    Barings and Enron were both classic cases of poor internal controls (along with poor governance).

  13. david craig
    January 11, 2012 at 3:07 PM

    No. Internal audit plays an important part in risk management, but true risk management is about looking for the “known unknowns”, not the “known knowns”. Let’s not underplay the importance of audit, but audit’s job is to audit that the rules, procedures and standards have been followed – not to think about what “could happen” – happy to discuss.

  14. Marcin Kicza
    January 24, 2012 at 8:49 AM

    No, no and no. The simple analysis for the safeguards is presented as:

    You can direct,
    You do not have responsibility for what you’re directing,
    You are not responsible for managing what you are directing, and
    You can’t provide any assurance on your direction,
    You need a secondary auditing body in place to audit you.

    Is that really good/leading edge practice?

  15. January 25, 2012 at 6:22 AM

    I don’t think there is a blanket answer here that will work in a majority of cases. Sure, there are synergies and overlap between Risk Management and Compliance and combining them might result in greater efficiency. But, at the cost of efficiency, splitting them up might result in greater coverage and a better chance that important things will not get overlooked at their peril. It all depends on how their people and their culture define their organization. If the tone at the top is strong and empowering, combining those functions might make sense. If not, there can never be enough overlaps and layers to facilitate value creation.

  16. Garry
    January 30, 2012 at 12:52 PM

    I agree that a person cannot run Internal audit and a risk management department. Why not have the CAE, or any other qualified person in internal audit, leave internal audit and run the risk management department? Then, if they want to, return to internal audit.

  17. February 12, 2012 at 10:19 AM

    Yes– if you want a useless risk function and a company heading for the corporate graveyard. Risk is not another level of Audit or Internal Control Function. Without an effective independent Risk Function, that can optimise risk, add value and build sustainable competitive advantage– you are not going forward.

  18. nader hanna
    May 4, 2012 at 4:12 PM

    I was just wondering why the IIA in the fan diagram used the words ‘should not undertake’ instead of ‘must not undertake’? Has anyone thought about it?

  19. May 19, 2012 at 10:08 PM

    Thanks Norman, I’m preparing a paper for a conference and needed to lay my hands on the IIA fan in a hurry. Needless to say yours was the first site on Google images which came up.

  20. July 1, 2012 at 2:04 AM

    Risk Culture Building is defined as the process of growth and continuous improvement in the way each and every person in an organisation will respond to a given situation of risk as to mitigate, control and optimize that risk to the benefit of the organisation.

    No two people will respond the same way to a situation of risk, the way any person responds to risk is influenced by a number of factors, the main ones are:

    • Nationality & culture
    • Childhood experiences (and formative environment)
    • Work ethics, trust & honesty
    • Education (and the way it was obtained)
    • Work experience
    • Religion and other spiritual thinking
    • Attitude towards life (and death)

    Risk practitioners have generally failed to address these underlying human aspects. Since the publication of the Basle accord, ISO 31000 and other standards and regulations, it has often been argued that compliance with these standards and regulations will mitigate and control risk, but this is only true if the standards and regulations are embraced in an effective Enterprise Risk Management Culture. Just like policies, procedures and systems, these are worthless if human attitude, acceptance and the desired response are lacking.

    Addressing the aspect of people risk is the only way an organisation can improve the results of how their people respond to a situation of risk and the effectiveness of their risk management function. No organisation can ever have a perfect risk management culture, but organisations can achieve a level of maturity where they have an effective risk culture process and every employee is risk-minded and does something on a daily basis to mitigate, control and optimize risk.

    The development of Risk Culture Building is focused on awareness and training in business ethics and human behaviour, as mentioned, both the behaviours we want to encourage and the behaviours we want to avoid. Organisations should frequently evaluate the progress (or regress) they are making on the path to maturity and implement action plans.

  21. Eric Dlamini
    March 17, 2013 at 12:20 AM

    My view is that for organisations that are immature, Internal Audit is best positioned to start up the Risk Management function. However, over time, when the organisation is mature, Risk Management should be separated from Internal Audit.

  22. May 17, 2014 at 6:26 AM

    If Risk Management “STARTS” in the Internal Audit dept, you will work for years to get away from the perception that Risk Management is just another level of Audit. Risk Management must be independent, so start it off that way and the chance of success is much greater.

  23. Kaleem
    October 17, 2017 at 6:19 AM

    Great discussion everyone, thanks. I like the comment from Risk Culture Builder the most.

  24. September 7, 2021 at 6:20 PM

    Auditor’s independence should not be compromised by assuming some of management’s responsibility – that’s a solid principle. I concur that the two roles from the Legitimate IA roles with Safeguards should not be performed by IA, as these are management’s responsibility. With all the adequate safeguards to core IA roles in regards to ERM established, well understood, and duly respected, IA could take on the ERM until such time that there is assurance that management has attained the capability to fully manage it; then IA’s role in regards to ERM will simply fade away, and it will do its core IA tasks and regain its full independence. It is a known fact that, as human beings, there will always be biases, and good principles at times are made to be broken for various reasons.
