What internal auditors should know about risk but don’t

This is going to be an unusual post.

I want to start a debate about what internal auditors should know and understand about risk and the management of risk within an organization – but don’t.

Please contribute by sharing your views and debating with those I express and others post.

My list is fairly short:

  1. Too few internal auditors understand that the purpose of risk management, as expressed in both the COSO risk management framework and the global ISO 31000:2009 standard, is to help executives, managers, and decision-makers make better quality decisions – and thereby increase the likelihood that the organization will achieve its objectives and create value
  2. In fact, too few are truly familiar with both COSO ERM and ISO 31000:2009. The latter is easier to understand and use, which is why I prefer it
  3. Too few internal auditors understand that controls only require improvement if the level of risk is outside desired levels. Some risk is essential for efficiency and success
  4. Too many CAEs believe they cannot assess risk management because there is no formal risk management program. That in and of itself may be a serious risk that should be discussed with the audit committee and top management. But what needs to be assessed is not the program per se but whether the organization is able to manage risks to the achievement of its objectives

I will leave it there.

My ask is that all comments be constructive and point to solutions rather than using this as an opportunity to slam either the IIA or those that write about internal audit and risk management.

  1. August 13, 2013 at 2:20 PM

    Been my view as well and accordingly we have developed a SAAS knowledge management, technology, tools and services platform to help the CAE’s, CRO’s and/or other C-suite members to design, implement, educate, evaluate, and evidence ERM programs and their related assessments. If I had to do this myself, it probably would not get done. If you want to learn more send me an email directly.

  2. August 13, 2013 at 2:42 PM

    Norman has asked specifically what I have seen. Only 4% of CAE’s planned to assess ERM in 2012, not sure about 2013. All the bank regulators blasted ERM and IAS programs at the largest banks in 2013. Not sure how you comply with the IIA Standards without trying. Requirement in some countries for management assertion on ERM and then assurance provided to the BOD. Not enough countries yet. S&P wants evidence to prove you have an ERM program when they rate governance and senior management and ultimately credit worthiness. Time to get after it!

    • Norman Marks
      August 13, 2013 at 3:03 PM

      Mike, is this because they don’t understand risk management? What additional knowledge is needed?

  3. August 13, 2013 at 2:46 PM

    Norman, You are right this is an unusual post. In this post I cannot see where you are coming from. I do not recognise the assertions being made. In my view the internal auditors I have met both in the UK and internationally are perfectly able to, and do, understand the areas you suggest that they don’t.

    If you are looking for areas we auditors could sharpen up on in terms of understanding risk management I would suggest: the difference between net risk and risk after the implementation of IA suggested controls; the conflation of issues and risks; the confusion of a lack of control as being a risk in itself; and the conflation of assurance levels with net risk levels (i.e. high net risk is not equivalent to low assurance).

    • Norman Marks
      August 13, 2013 at 3:02 PM

      Thanks for the comment that internal auditors in the UK have a solid understanding. May I say that I believe you are an internal auditor. Do the risk practitioners in the UK agree that internal auditors understand risk management?

      • August 13, 2013 at 11:41 PM

        I’m not sure if risk managers would agree necessarily. I would say the basics of risk management are understood by a majority of UK internal auditors.

  4. arnold schanfield
    August 13, 2013 at 3:49 PM

    I have more items to add to your list but in your list, whereas you pointed out what was missing, you did not point out the solutions to such problems which is precisely what you are asking everyone else to do

    Internal auditors as well do not know how to go about assessing the risk management system even should they wish to complete this task

    Internal auditors do not understand that it is not their job to perform the risk assessment but it is management’s job to do

    Internal auditors by and large do not understand the different components of the risk assessment process and how such components fit together

    Internal auditors do not have a clear understanding of the strategic planning process of the company, of the stakeholders in the company and as well do not have a clear picture of the internal and external context

    • Norman Marks
      August 13, 2013 at 3:56 PM

      Good point, Arnold.

      I think that just like with an Alcoholics Anonymous program, internal audit professionals need to recognize and acknowledge they need to improve their understanding and application of risk management principles and practices.

      There are many sources of knowledge, including training and publications from the IIA. Paul Sobel has a useful book, and you can purchase John’s Fraser’s book from the IIA Bookstore.

      I encourage people to check out the excellent training from the Institute of Risk Management, some of which is online training.

      Finally, people should read and reflect on ISO 31000:2009 and related guidance from the Standards organizations in Australia and Canada. UK has some guidance as well.

  5. August 13, 2013 at 4:38 PM

    Norman/Arnold, Alas, you do not get to root cause. The BOD does not understand ERM or ISO31000. The C-Suite does not understand ERM or ISO 31000. Thus, the root cause is that ERM and/or Internal Audit programs reflect their direct and administrative leadership lines and company cultures. Smart CAE’s step to the plate and make the business case and journey for change. The others follow along like sheep.

  6. Ben Thomas
    August 13, 2013 at 5:01 PM

    I have often wondered how one actually audits a risk management programme. Sure you can audit the ‘manual’ and the content of a risk register if there is one, but how does one audit its effectiveness and value? Presumably these are more important than ‘compliance’; “we are required to have a risk management programme so here it is”.

    I do a lot of work in the area of Business Continuity Management and often get the feeling that the audit process is, “Have you got a plan? Where is it? Bit dusty isn’t it? Tick the box.” I sometimes get asked to review an organisation’s BCP and I hate it because all I get is a mass of paper and no feeling for what has gone into it.

    This is not a dig at auditors; I genuinely wonder how one audits something like RM and BCM when their effectiveness and value come from the intangible things like culture and the enthusiasm of those within the organisation.

    • August 13, 2013 at 6:47 PM

      BCM, DRP, and the disciplines of IT Security can be measured from a business perspective leveraging the frequency of threats against assets to determine potential financial risk. Please Google fairiq and get back to me if you want to know more…

  7. Ken Chin
    August 13, 2013 at 5:44 PM

    How true: “3. Too few internal auditors understand that controls only require improvement if the level of risk is outside desired levels. Some risk is essential for efficiency and success”. Problem is sometimes, stakeholders including Board and Mgt don’t either. Find an exception or deficiency and management implements new controls and we get layer after layer of controls or procedures, some of it overlapping or duplicated leading to inefficiencies and frustrations.

    People in IA, Risk and Compliance that I meet can’t tell me what ERM is and all about. Financial, Operational and Business Risk but not ERM.
    One attends courses organised by even the IIA and the ‘expert’ can’t properly tell you what ERM is all about or how it could be brought together. So, how do IAs and others learn ERM? Lots of literature doesn’t seem to be helping in practical or pragmatic ERM implementation. In an FI, sometimes ERM = Basel / Solvency, which I think is not it either.

    Regrettably my post has no solutions but I think it’s a practical problem and not just with IAs.

  8. August 13, 2013 at 6:38 PM

    Internal IT Auditors are typically unaware of IT Departments’ borderline fraudulent practices due to an over-reliance upon checklists and rhetorical interviews. Auditors, try asking who, what, when, where, why & how questions and spend one day a month with IT Security to better understand IT’s typical misdirections.

    • Joerieq
      August 14, 2013 at 7:12 AM

      As an IS auditor, I’d agree with the unawareness. The second part, no. That too tends to (!) degrade to form over function; procedural justice. As with all of the discussion here: risk management isn’t the drudging bureaucratic little peoples’ dream — apologies, shouldn’t be… Risk management is having a feel (sic; no more concrete) about risks. ANY number put to risk is a deliberate attempt to defraud the general audience with a false (!) sense of certainty. Risk management is qualitative all the way to the core.
      Same with “IT” … 99,999% ;-] of “IT” is psychology/sociology, very inexact sciences…

  9. Mukundan K V
    August 13, 2013 at 10:02 PM

    I agree with Marks.

    Still, most of the activities are driven by regulations, and banking, insurance, stock exchanges etc. have established processes in place for risk management. However, for a large part of the manufacturing and service industries, there is no mandatory requirement for risk management, and most corporates in developing / undeveloped countries are unwilling to invest in risk management. They believe an informal risk management process is sufficient, and many of them are relatively small in size.

    It is time for us to gear ourselves up to carry out risk management, which can add significant value and earn appreciation from management. As CAE, I handle both internal audit and risk management profiles.

    Professional bodies on accounting and auditing can do the following:
    (i) Take up these issues with respective governments and Chambers of Commerce and other trade bodies for wider debates on risk management in non-regulated industries.
    (ii) Create capabilities within the profession for risk management.

  10. August 14, 2013 at 2:37 AM

    Building on the above observations made following the pointed message by Norman, I do agree that the majority of Internal Auditors do not fully understand risk management. Where I need to point out that my view is biased by the Dutch population. Risk management is seen more as a “trick” than real business practice built into the organisation and practiced on a day-to-day basis.

    Knowledge and experience in this field is a prerequisite for Internal Audit to enable discussion with management to improve this, so more training and understanding is necessary.

    And I think also (more) courage is needed to step up as CAE and ensure that management is going to be serious about risk management and not implementing and practicing this because a regulator has asked / demanded this. (And actually showing that management does not want to).

    Also, again biased by Dutch views…, external auditors moving into internal audit need to recognise the difference between internal audit and external audit and not stick to their old habits.

    So to summarise:
    – education,
    – courage,
    – management willingness.

  11. John Fraser
    August 14, 2013 at 5:26 AM

    There is so much mis-information about ERM in circulation now that it is not surprising that progress has been slow (it was easier back when there was only basic guidance such as AS/NZ 4360). Informed management and boards who have ERM will testify that you cannot operate and govern effectively without it. Internal Audit can play a role in reporting or advising that it should be used, where it is not. The difficulty for some auditors may be that they have no clear vision of what “true” ERM is, what it looks like and why it is essential. Some of the questions/points that internal auditors may wish to raise with their management and boards are:
    Is there a common understanding of the strategic objectives of the organization/function?
    Are there commonly agreed criteria to assess and prioritize risks?
    Is there a common understanding of the uncertainties to achieving the objectives (i.e. are these captured and shared in a meaningful way)?
    Are resources allocated based on the priority of risks to achieving objectives?
    Given that COSO 1992 (and presumably 2013) requires a review of the risk assessment processes, these questions can and should be equally asked in every department or function audited.

  12. arnold schanfield
    August 14, 2013 at 6:24 AM

    Mike- this is correct that the Boards by and large do not understand risk management, but we should deal with the root cause of this; there is a root cause, and this has been gone through many times already.

    Ben- there is a way to actually audit a risk management program. The most comprehensive approach I have seen to date, and one that works, was developed by Domenic Antonucci, a CRO in Dubai, and it is an excellent approach that can be well defended.

    To all of you, and I hope that others can comment: the type of education in risk management in the United States especially falls far short of what is needed. For example- to Norman’s point above- internal auditors will typically make an internal control recommendation for every major weakness they see without regard to the bigger risk management picture. There is a comprehensive genesis for this and it starts with the COSO framework, which I am not permitted to criticize in this posting and so will not. This is precisely why the program from the IRM should be promulgated aggressively in the United States.

  13. Andrew Dix (Australia)
    August 14, 2013 at 11:19 PM

    Risk Management is a process and, like other processes, is a management responsibility, and should be subject to review by Internal Audit as required. Don’t get wedded to standards here, as while important, the key evaluation criterion of RM is: is it helping management’s ability to achieve its business objectives, and if not, where is it falling down, and what can be done better?
    Where Internal Audit also can fall down is not understanding the key risk factors of the organization. If it doesn’t, it audits areas that aren’t important and worse, requires management to put in additional controls or work into areas that aren’t important. This diverts management from doing what is important.
    Audit needs to keep in mind that management time is finite, and they are constantly needed to prioritise their work on the things that are of most importance. If an Internal Auditor requires them to do more work in an area that is not really critical, by definition the manager will have to stop doing something that is more important.
    Thus by doing an audit without understanding risk the auditor can actually increase risk.

  14. Andrew Wynoski
    August 16, 2013 at 11:56 AM

    IT Auditors, Risk Management and IT Executives should work together in developing a common view of IT Risks, enriched with different perspectives, thus enabling all to approach the Audit or Risk Management Committee of the Board with a consistent story. This allows the Board to reach better forward moving decisions.

  15. Karl Hutchinson
    August 19, 2013 at 9:13 AM

    Interesting comments by all. And some valid observations by Norman.

    With regard to points 1 & 2; I would agree that as a foundational piece of understanding, all IA’s should have a good working knowledge of the RM standards. However, we must remember that these are “guidelines” or “principles” and if they’re going to work for your organization, you need to understand the culture of your organization and the risk language it speaks. Nobody is going to buy what you’re selling if it all sounds like ‘pie in the sky’ talk. If you really understand what your organization does then you must be able to communicate the RM principles in language that the Board can understand and see value in. Very challenging, indeed.

    On point #4, I would only slightly disagree with Norman in that, the real fear with CAE’s trying to provide an assurance opinion on the overall RM of the company is that, one is never quite sure how much work is needed to give such an opinion. And so CAE’s aren’t going to put their you know what on the line when there are no definitive rules about what constitutes a robust and successful RM program.

    Having said that, anything worth doing is going to take a certain amount of trial and error and we must not sit here and play the ‘blame game’. IA is the 3rd line of defence (to use IIA language) and we must not lump all the responsibility here. A collaborative effort is needed by all three lines of defence for the RM program to work successfully.

  16. August 20, 2013 at 12:56 AM

    Norman’s first original point was that too few auditors understand the purpose of risk management. I see in many audit departments a disconnect between the types of risk assessed. ERM is about achieving business objectives, whereas most audit planning is still on the basis of the risk of error in the controls over accounting transactions. Is this because the mandate given to audit departments is limiting, or because the CAE is not confident enough in the other risk areas?

  17. FRCR
    August 22, 2013 at 8:41 AM

    The biggest gap in the last few years was in the financial sector, or how could it be that gamblers played with other people’s money! Sorry but that’s how I think.

  18. Bronislovas
    August 24, 2013 at 3:41 AM

    I think that this call for a constructive debate with such subjective topics is a little bit unfair. I’m sure that there are gaps in understanding risk management between internal auditors and risk managers at different lines of defense. But it does not deserve to be described as “too few understand or know”.
    Some colleagues have already indicated that internal audit is just a part of the internal control system. I would stress that internal auditors should understand that internal audit is not the most important part of the internal control system either. However, it can be a very sophisticated and smart tool for smart boards and management.
    I’m pretty sure that all of the mentioned standards give a good background, but they do not guarantee success.
    I agree with Marcel (above) that the key is continuous discussion, self-education and communication between lines of defense, and a healthy top management attitude to the internal control system and ERM as well.

  19. August 25, 2013 at 6:49 AM

    Aside from the technical skills mentioned above, auditors need to appreciate the difference between ethics and compliance. By both training and reinforcement on the job, auditors tend to have a somewhat singular focus on the compliance side of the equation. However, being able to conceptualize, anticipate, and recognize ethical challenges is key to appreciating both the scope and management of risk, both negative and positive.

  20. Dennis
    August 28, 2013 at 4:14 AM

    The really good audit function will not only identify where process and procedure is broken or not being followed, but will take it to the next level and distinguish those broken processes or non-completed boxes from the key control weaknesses that present a true and real threat to the business meeting its objectives and adding value to shareholders and interested stakeholders.

  21. Scott J Webb
    September 2, 2013 at 4:02 PM

    ISO 31000 is a guidance standard (to allow different types of organisations to develop an ERM framework that is suitable for them, i.e. we’re not all NASA). It is not a compliance standard, so auditing against it is always going to be somewhat problematic. Also, people should not have a binary view of the ERM world, i.e. you either comply or you don’t, as building an effective ERM framework takes years of effort as most culture-change projects do.

    If you put these two items together it becomes apparent that reviewing risk maturity is an important element of auditing ERM in an organisation. There are a few tools out there (RIMS has one online – not endorsing it, just letting you know) that can help you get started.

    I think the audit function has an important role in educating management and the Board about what effective ERM looks like. The best tool for that is by auditing it, thereby taking a snapshot of where we are right now, showing what the next level of maturity looks like and providing a cost/benefit assessment of whether it is worthwhile making the leap.
