
Can Internal Audit be a Command Center for Risk?

This is the question that Deloitte asks in a recent CFO Insights issue.

The article has some useful comments on the use of technology by internal audit, such as “leveraging innovative techniques, such as data analytics and predictive modeling, to identify emerging risks and allocate resources to maximize coverage.” I agree with the authors when they say:

“[It] behooves finance to equip the function with capabilities to deliver more-informed audit reports. And given the continuing desire of CFOs to play more-strategic roles, having a forward-looking IA department can be a valuable weapon in their arsenal.”

“As in most areas of an organization, new technologies are increasing the speed of delivery and allowing better insights. In IA, in fact, the use of technology is increasing the impact of audit findings through, for example, data visualization. In addition, other techniques are making reports more timely and accessible.”

“The data captured by new technologies can help IA and the business know where the risks are, how to prioritize them, and how to better focus audits and management’s efforts to mitigate risks. For example, regression testing and predictive modeling can allow CFOs and auditors to quickly identify anomalies. Specifically, advanced-analytic and data-modeling techniques that use self-learning algorithms can automatically categorize anomalies within a wide range of variables to identify higher-risk audit entities. Analysis of this nature can then help direct audit activity toward areas of greatest risk. Particularly effective across geographic locations and overseas operations, it has also been used to analyze areas as diverse as revenue leakage, compliance risks, and other enterprise risks.”

“Specifically, to be a command center for risk, IA has to add the necessary modeling and analytical skills to its working knowledge of internal controls and risk management approaches. In addition, IA professionals need to move out of their comfort zone and focus on identified risks and resolve not to be satisfied with average performance. Moreover, finance and the audit committee should both expect IA to perform at a higher level and equip it with the resources and the mandate to do so.”

“Audit committees and senior management rely on internal auditing for objective assurance and insight on the effectiveness of risk management and internal control processes. Armed with their support, IA can leverage technology and data to better partner with finance—and contemporize its governance role to one that identifies and tackles the risks most relevant to the organization.”

However, the underlying premise of the piece is that internal audit is responsible for identifying and assessing risk, bringing that assessment to the executive leadership team. For example, they say “there is an opportunity for IA to move beyond its scouting role and serve as an integral part of the team for identifying and combating risk.”

This is not correct.

IIA Standards make it very clear that management is responsible for identifying, assessing, evaluating, and managing risk. The role of internal audit is to provide assurance that those risk management practices, including the design and operation of related controls, are up to the task.

So when Deloitte says that “IA can help the organization better understand its preparedness by using analytics to detect breach patterns and reviewing cyber-controls in a regular cadence”, that use of analytics should be part of internal audit’s responsibilities to assess management’s assessment of risk and to ensure its audit engagements are designed to address the more significant enterprise risks.

Internal audit should not step into management’s shoes and take on management’s responsibilities for identifying and assessing risk.

Internal audit can continue to identify and report areas where management’s identification and assessment of risk is flawed – as part of their responsibility to provide assurance on management’s processes and controls.

Deloitte has published some excellent papers in the past (especially their Risk Intelligence series) and I am sure they will provide us with excellent ones in future.

However, my wish is that they join internal audit executives in making it clear to boards, CFOs, and other executives that management is responsible for managing risk. Internal audit’s role is one of assurance and advice.

Can the risk management function report to the CAE? Yes, but with safeguards – as discussed in the IIA Position Paper, The Role of Internal Auditing in Enterprise-Wide Risk Management.

I welcome your comments.

  1. Mike Corcoran
    April 25, 2014 at 5:24 PM

    I disagree with this mania called risk management. This is a waste of time and resources. We need good governance to focus on creating value by solving problems and meeting needs then wants and enabling people and technology to perform. If this is wrong, I welcome your thoughts. Thanks, Norman

    • April 30, 2014 at 12:12 PM

      Mike, I would argue good governance is good risk management. Problems arise, however, when each function is managing its particular risk within its own silo. Without a common risk management methodology, who’s to say which governance function gets the resources to enable that problem solving?

  2. Norman Marks
    April 25, 2014 at 5:26 PM

    Mike, would you agree that you need information about what might or is even likely to happen if you are to make better decisions, if you are to solve problems, and if you are going to have people perform?

    • Mike Corcoran
      April 25, 2014 at 6:25 PM

      Yes, Norman. The best problem solvers and business builders don’t start with what is it that can go wrong. It is what do we need to do it right? That should be the attitude and culture. The big 4 culture may/is unduly influenced by external audit failures according to the PCAOB. It may dominate firm thinking, stifling innovation.

      • William Lau
        April 29, 2014 at 12:45 AM

        My view is risk management is needed because of moral hazard.

        Sure, business managers need to focus on creating value, solving problems, making money, but without some requirement for risk management, reckless risk-taking by these same people will undoubtedly continue to occur.

  3. Prakash Rajan
    April 26, 2014 at 4:30 AM

    Deloitte’s paper is right practically. While IIA standards may prescribe independence of IA from direct participation of risk management, company managements and Audit Committees generally expect IA to take the initiative on data mining to determine anomalies, outliers etc. IA’s failure to do this either in adherence with the IIA standard or due to lack of knowledge, resources etc. could be one of the reasons for the perceived lack of value with IA, as published by one of the BIG 4 recently. However, it should be also stated that there is a vested interest in such papers – the internal audit service practices of the accounting firms have burgeoned in the past decade or so aided by the outsourcing wave.

  4. Mukundan K V
    April 26, 2014 at 5:53 AM

    There is a significant difference in addressing this issue in developed and developing countries. Particularly in family-driven organisations in developing countries, expectations from promoters who are at the helm of affairs and the Audit Committee are in line with Deloitte’s paper. Moreover, where risk management and internal audit cultures are being built, it takes significant time to educate the management and achieve the desired level of maturity. Till such time, if such aspects are left to the management, it will die from day one.

    In most of the developed countries, I did not see this problem, and the IIA approach paper can be implemented. In both cases it will be a good idea for IA to drive an aspirational timeline to hand over the process to the management.

  5. April 26, 2014 at 8:45 AM

    Thanks, once again, Norman, for holding the line that Internal Audit is not, and never should be, subordinated to either the CFO or the risk management function. Those activities (finance and risk management) rightly belong to management, and IIA standards are very clear that a properly positioned IA function provides truly independent assurance over the “G”, the “R” and the “C”. I’m repeatedly saddened when I see insecure internal auditors feeling the need – or (more annoyingly) being told by external consultants – to take on more on behalf of management. Yes – of course we must constantly strive and innovate, and support management where we can, but let’s never lose sight of our core mandate, which is the provision of objective and independent assurance to the Board and other key stakeholders “beyond” management. Thanks again, and keep up the good work!

    • William Lau
      April 29, 2014 at 1:10 AM

      Agreed! Regrettably there’s usually also pressure on the IA function from the rest of senior management to “add more value”. Independence is a valuable thing to have, and difficult to sustain.

  6. mohammed swais
    April 27, 2014 at 5:14 AM

    I agree with the Deloitte paper: the management has to know and assure the effectiveness of the risk role and the risk methodologies, but in my opinion the question should be how to educate the one who is responsible for this role (internal audit) to know the risk structure and the risk methodologies, based on what?

  7. April 27, 2014 at 9:32 AM

    Norman, I have always had a problem when anyone starts out an open discussion quoting a professional practice, such as “IIA Standards make it very clear that….” The value you have brought in the past articles that I have read is in your ability to challenge the status quo.

    I believe there is a problem today with the role of internal auditors, and much of it is around the question, why does it exist in any organization? It seems to me if the company has implemented the IA department because it wants an independent view of the organization’s ability to identify risks and advise on the management of risk, then there are fewer issues within that company, and reporting tends to be more flexible and activities focused on solving problems together. Where the IA department exists because of some regulatory requirement and IA is expected to operate within a predefined standard (e.g., IIA) that limits its activities and prescribes its methods of operating, then it usually results in a less collaborative environment that wastes more time on politics than it does on solving problems.

    I do agree that no one group should be responsible for all risk management activities, as I don’t believe any one group, or person, is responsible for the success of a company.

  8. Norman Marks
    April 27, 2014 at 10:43 AM

    Jose, thanks for the comment. In this case, I believe the IIA position paper on the role of internal audit is right.

    The value of IA is primarily derived from its ability to provide objective assurance. That is impaired if it is responsible for management decisions.

    So I think we are aligned.

  9. Rakhi Henderson
    May 4, 2014 at 9:00 PM

    I agree with you. IA must remain independent and objective. It makes more sense that Risk acts as the Command Centre for IA.

  10. Ricardo Atencia
    July 1, 2014 at 4:17 PM

    Back to basic principle again: Audit should not be involved in operational matters, so with risk management. IA must, however, assess the effectiveness of the RM mechanism, and emphasize again that it is management’s responsibility to have an effective RM mechanism. The use of technology by the auditors should be geared towards the assessment of RM, not spoon feeding management such as identifying, managing or mitigating the risks.

  11. Je-Anne
    June 12, 2016 at 6:33 PM

    I was beginning to worry when you were quoting the Deloitte report. But the “ahh!” moment came when you referred to the IIA standards. IA must be careful not to conflict their objectivity and independence. Risk management is the responsibility of the business/process owner. Not IA and not even the risk manager. Business units must take responsibility for their risks.

    I agree with you!
