Misunderstanding risk and internal audit
There are many voices urging people to act when it comes to the topics of risk management and the role of internal audit. Unfortunately, most of these voices are like sirens, tempting you to go the wrong way.
A recent piece on AcountingWeb entitled More boards count on internal audit to identify risks has good intentions, but could lead people astray.
For a start, it is not internal audit’s role to identify risks. That is most definitely management’s responsibility. Internal audit should:
- Audit and assess management’s ability to identify, assess, and manage the more significant risks that can affect (positively or negatively) the achievement of objectives. That assessment should be communicated formally to the board and top management on at least an annual basis
- Audit and assess the adequacy of the controls relied upon to manage the risks that matter to the achievement of objectives, reporting same to board
- Ensure the board understands where the controls are not adequate and that failure raises the level of risk to objectives to an unacceptable level. Internal audit should (but frequently does not) identify which objectives are affected
- Add value by providing insight and recommendations to management to improve the systems of risk management and internal control
Now, if internal audit is not doing the above there is a problem. Reading the article, it can be assumed that many internal audit departments are falling short – and that management and the board do not set the expectations for internal audit high enough.
Another assumption from the article is that many management teams do not have the capability to identify, assess, and manage risk. That is why some are defaulting to internal audit to step in. But, while internal audit can and should report situations where the risk is different to what management and the board believe, internal audit should not be the function relied upon to identify risk.
Yes, internal audit can take on additional risk management responsibilities – as a coordinator, facilitator, and evangelist. But, it must not assume management tasks such as assessing the level of risk or deciding what action is required – which would compromise its independence and objectivity.
Do you agree?
We can discuss this further in Chicago in April. See www.riskreimagined.com for details.