
Misunderstanding risk and internal audit

February 2, 2016

There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.

A recent piece on AccountingWeb entitled “More boards count on internal audit to identify risks” has good intentions, but could lead people astray.

For a start, it is not internal audit’s role to identify risks. That is most definitely management’s responsibility. Internal audit should:

  • Audit and assess management’s ability to identify, assess, and manage the more significant risks that can affect (positively or negatively) the achievement of objectives. That assessment should be communicated formally to the board and top management on at least an annual basis.
  • Audit and assess the adequacy of the controls relied upon to manage the risks that matter to the achievement of objectives, reporting the same to the board.
  • Ensure the board understands where the controls are not adequate and that such failure raises the level of risk to objectives to an unacceptable level. Internal audit should (but frequently does not) identify which objectives are affected.
  • Add value by providing insight and recommendations to management to improve the systems of risk management and internal control.

Now, if internal audit is not doing the above, there is a problem. Reading the article, it can be assumed that many internal audit departments are falling short – and that management and the board do not set the expectations for internal audit high enough.

Another assumption from the article is that many management teams do not have the capability to identify, assess, and manage risk. That is why some are defaulting to internal audit to step in. But, while internal audit can and should report situations where the risk is different from what management and the board believe, internal audit should not be the function relied upon to identify risk.

Yes, internal audit can take on additional risk management responsibilities – as a coordinator, facilitator, and evangelist. But, it must not assume management tasks such as assessing the level of risk or deciding what action is required – which would compromise its independence and objectivity.

Do you agree?

We can discuss this further in Chicago in April. See www.riskreimagined.com for details.

  1. February 2, 2016 at 1:45 PM

    Norman, yes, spot on. I would add that strategic risks as considered by most boards are so esoteric as to be difficult to link to objectives, assess or meaningfully audit.

    • Norman Marks
      February 2, 2016 at 2:29 PM

      Hmm. If risks are not linked to objectives, how can they be assessed properly? They may be more or less important than the board believes.

      • Daniel G
        February 10, 2016 at 2:24 AM

        Normally, when we refer to risk assessment, at least from an internal control over financial reporting perspective, there are groups of internal controls performing this activity on behalf of management as a second line of defense.

  2. February 2, 2016 at 2:36 PM

    Indeed! The reality for most organisations is that a single ‘strategic’ objective actually is a web of risks and a web of sub-objectives. Hence they are difficult to assess. I like to think of risk like tree roots. To meaningfully assess risks from a few top-level objectives you need to appreciate the web of roots leading up to it. So, an example: a university may say a strategic objective is to enrol enough students to maintain its financial viability. But this will differ for undergrad, postgrad, subject, campus, taught or research, etc. The risk mitigations, to be meaningful, need to engage in this detail to have organisational traction.

  3. February 2, 2016 at 2:45 PM

    I totally agree with what has been written on the roles of Internal Audit in regards to risk management. If some members of Management do not know how to initially identify the risks they are facing, and even assess these, in my opinion they should not be handling any management position, not at all.

    • February 11, 2016 at 4:31 AM

      Looking at this from an SME/MSB perspective, it is common for there to be a lack of resource and often of the time to stand back and look at risks. While one would hope that managers are attuned to the key risks, they may not have the skills to prepare a structured risk assessment. The lack of time to stand back is in itself a risk, and the facilitator role of Internal Audit can be invaluable.

      Having said that, while Internal Audit can challenge and encourage, ultimately decisions should be made by management. Ownership is an important factor in having effective management.

  4. Robert Kasaija
    February 3, 2016 at 2:35 AM

    Indeed, how do you manage without the ability to understand the risks you are trying to mitigate? In the spirit of objectivity, Management should undertake risk management and internal audit should objectively audit and provide an independent opinion on risk management.

  5. Gary Lim
    February 3, 2016 at 5:31 AM

    An Internal Auditor MUST be a qualified accountant, whilst a Risk Manager can be of any profession. I guess this makes a significant difference when it comes to their ability relating to the RISKS of a company.

    • Norman Marks
      February 3, 2016 at 7:58 AM

      Gary, why must the internal auditor be a qualified accountant? Traditionally yes, but in reality I am not persuaded.

    • Bryan Lethcoe
      February 3, 2016 at 8:15 AM

      Speaking for my company, we have had multiple non-accountants on our Internal Audit staff – including me. For the four bullets mentioned above, insert “operational” or “technical” and the concepts apply in the same manner as “financial”. You don’t need an accountant to fulfill those activities for areas outside of financial – in fact I would argue that limiting your audit staff to accountants probably would bring more harm than good for non-financial areas…

    • Eng. Misana Mutani
      February 6, 2016 at 4:35 AM

      Strongly disagree! The internal audit unit is required to have proficiency in several disciplines so as not to miss the bigger picture. You should also remember that accounting information provides lagging indicators only and may not be a good help to an organization in meeting its targets.

  6. February 3, 2016 at 10:31 AM

    Norman, I feel that your opening statement that “For a start, it is not internal audit’s role to identify risks” is too broad. If Internal Audit as a profession is to become a strategic player, we must continue to look around (insight) and forward (foresight). When we limit our involvement to only assessing how others perform this work and prohibit ourselves from actively finding risks, internal auditors tuck ourselves squarely back into a defensive position. Company leaders find a way to participate on offense. The progress internal audit has made in raising our profile started with internal auditors’ active participation in enterprise risk assessments. To me, this discussion should begin with the thought that management should not rely solely on internal audit to identify risks. Rather, management and internal audit should actively identify, assess and reach decisions on how to best support the achievement of our company goals. Thanks as always for a thought-provoking post!

  7. Harish Kumar
    February 4, 2016 at 1:47 AM

    It is often called a risk-focused audit plan. Internal audit needs to assess and identify risk for the audit plan and complete the audit in a timely fashion. IA is not the one stepping out of bounds in conducting the audit. A risk originally not identified in the audit plan but found during the performance of the audit should be discussed with management. Why is this an issue of whether IA’s objectivity was met or not met here?

  8. Richard Carleton
    February 4, 2016 at 3:29 AM

    It’s easy to criticise managers for not properly understanding risk. But that is in large part the fault of the risk management ‘industry’, which has been extremely effective in convincing us all how important risk management is. It has been considerably less effective in explaining in simple terms what is meant by ‘risk’. One only needs to consider the ISO31000 definition of risk: “the effect of uncertainty on objectives” (last time I looked), which seems to have been devised by the same committee that tried to design a horse and came up with the camel. It’s hardly surprising if people with risk management responsibilities don’t fully understand what their role is.

    Norman, in similar vein, is it possible that the term “internal audit” is being extended (rather like “risk management”) to cover a much greater range of business activity assessment than was traditionally the case? In other words, “internal audit” is being used in contexts where the broader term “critical scrutiny”, which would cover areas not normally the domain of accountants, might be more suitable?

  9. Byrdman
    February 4, 2016 at 7:02 AM

    Granted, it is Management’s job to identify risks and that should not be punted to Internal Audit in any respect. That being said, I think it is still Internal Audit’s job to make sure, to the best of its knowledge, that Management has not missed any risks during that process.

  10. derek foster
    February 6, 2016 at 2:15 AM

    Thank you Norman, as always. I guess a good starting question is: what problem are we trying to solve? If it is that the article points to a place where management effectively “abdicates” the responsibility for risk identification to IA, then no question, we need to challenge that.

    I think the world view is evolving – the 2014 Code emphasises how management should focus not just on risk identification (i.e., a given) but on how they get assurance on those risks – this is welcome.

    Lastly, I’m comfortable that we should be clear on our prime responsibility, but I’m also mindful that we can add a lot of value as part of (albeit independent) the senior executive level, by contributing to richness of thinking on risk identification using our knowledge of business, outside network, etc.

  11. Kevin
    February 9, 2016 at 1:25 AM

    Risk management is a line responsibility. If we rely solely on IA to identify and assess risk, there is a danger that we will miss out on the big picture or the strategic issues. Also, management and operational level risks are not just control issues or procedural gaps; there is a strong correlation between employees’ risk awareness and the ability of the company to manage its risk. There is a general lack of understanding of how the risk management function should be utilised in many Asian firms. We must avoid the easy way of pushing this responsibility to the IA departments.

  12. Lalit Dua
    February 10, 2016 at 3:56 AM

    I would like to highlight two points which each IA department must follow, and has been following, while planning its activities:
    a. IA has to have an understanding of the business and of the changes happening from time to time. So, for this, the sources of information for IA are:
    i. The annual business/strategic plan of the company, where entity and department level objectives are also defined
    ii. Being part of the team that evaluates performance in achieving annual objectives by conducting periodic performance reviews of department objectives

    b. IA has to define a risk and control based audit schedule

    If IA has adopted both points, it is involved in risk assessment (to define the schedule) and risk mitigation (through audit observations and recommended action plans).

    It is true that in many organisations either the company does not have an ERM framework or it is expecting IA to support management in assessing and mitigating the risks.

    However, to me, management has the prime responsibility to define and implement a robust ERM, and IA can support in the process with defined responsibilities, which should not affect its independence.

  13. Ken
    February 11, 2016 at 8:21 PM

    I agree 👍

  14. February 12, 2016 at 2:26 PM

    Audit Committees of Boards play a role especially if a company does not have an IA department. I am interested in your comments on this area.
    Thank you

    • Norman Marks
      February 12, 2016 at 2:31 PM

      The audit committee can challenge management when it comes to defining risk, but can never have sufficient knowledge to define the risks themselves.

  15. Soubhagya Parija
    April 3, 2016 at 5:58 AM

    I agree with the view. The reason why the risk management function needs to be different from Internal Audit is that while risk management is about finding the appropriate risk/reward balance based on the organization’s risk preferences and helping management with strategic decision making, Internal Audit is about ensuring that the organization’s defined processes are working well. Think about a race car driver who needs to think about a strategy for winning based on the track, the competition, the weather, etc. She will also need to depend on different sensors and a dashboard that will tell her when the engine is heating up or what the tire pressure is, so that she can make a decision about the right risks she will need to accept. Before she gets into the car, she will need to be assured that the car is in good shape and all the required tests have been performed to make the car race-worthy. In organizations, the CEO or the senior management team is the driver, risk management is like the sensors and dashboard, and audit is about making sure the organization is business-worthy.
