
A new role for the risk office?

November 19, 2017

I was privileged to attend and speak at the MISTI SuperStrategies conference this week in Las Vegas. Chaired by the inimitable and incomparable Joel Kramer, as usual it was an excellent event.

I heard a couple of internal audit leaders from large organizations, with correspondingly large internal audit departments, talk about their use of predictive analytics and related tools (such as IBM Watson).

One called it anticipatory auditing, finding the fires before they get started.

The accounting and consulting firms have been pressing internal audit to use analytics to monitor and even identify emerging risks for a few years.

But I do not see that as an internal audit role.

Simply stated, it is management’s job to identify, assess, and address risk – including emerging risks.

Internal audit should not perform a management function, except in those few cases where they are directed to do so by the board because of their special skills. I view fraud investigation as one such activity.

No, it is management’s responsibility to use predictive analytics and related technologies to identify risk and changes in risk patterns.

It is internal audit’s job to provide related advice and insight, including reporting to the board and top management when the management team is not able, for whatever reason, to monitor risk.

Why then do I say there is a possible new role for the risk office?

While I believe that operating management should monitor risk with advice and mentoring from the risk office, there may well be situations where the risk office should be more directly involved.

For example, one bank uses analytics to detect trends or patterns in customer complaints. They also periodically track the results of exit interviews (interviews by HR of staff when they resign their position).

Rather than establishing a data analytics unit in internal audit, with both software tools and data science expertise, I would consider putting that in the risk office. That would be especially useful when predictive analytics can be used across departments or functions to identify or monitor risk.

What do you think?

Do you agree that internal audit should get out of the risk identification and monitoring business and ask management (and/or the risk office) to do that job?

I welcome your perspectives.


Clarification

I believe that internal audit should have all the tools necessary and appropriate to fulfill its mission.

Technology, such as advanced analytics and so on, can be of immense value and I used them frequently.

It's the use of such technology to perform the management function of risk identification and monitoring to which I am objecting.

If I were the executive responsible for any area of the business, I would consider it my responsibility to understand the related risks and changes in them. I would not want to be told about new or changed risks by internal audit.

  1. Jai Ram
    November 19, 2017 at 7:54 PM

    I agree wholeheartedly.

  2. November 19, 2017 at 10:28 PM

    I fully disagree because one would encroach into another’s area and there may be information critical to the success of the plan in a launch (not detrimental to the company’s business) which would be within the 4 walls which they do not want to share. Furthermore, do you think the Risk Office has the capabilities to understand all the functions of the other areas? I have worked in an American MNC; no such thing, each department is very protective of its turf.

  3. Alisa
    November 20, 2017 at 1:33 AM

    I do not think the risk office has the proper skills to manage cross-functional risks. I think the better way is to enhance the internal control function.

  4. November 20, 2017 at 1:53 AM

    When I returned to an internal audit department as CIA, it was running some IDEA interrogation programs for the Payroll Department. I persuaded that department to buy its own copy and run its own interrogations. When I was promoted to manager in charge of the payroll, AP, AR and fixed asset departments, I considered it my responsibility to anticipate problems and set up systems accordingly. It is IA’s responsibility to provide opinions, not get tangled up in day-to-day administration.

  5. Hans Læssøe
    November 20, 2017 at 2:41 AM

    I agree that management is – fully – responsible for ensuring risks are properly identified, prioritized and managed, and that predictive analytics etc. may very well be a valuable tool in doing so.

    I also agree that the risk management function should be one user of this, and use this to turbo-charge their experience into identifying emerging risks … and ensure they are addressed properly.

    I do NOT agree that internal (or external) audit should be hampered in their efforts by not being able to use analytics. True – they are NOT responsible for managing, and should not be requested to give input as to where the next issue may be (albeit, Internal Audit being a part of the organisation, may share their insights to enable efficient handling) … but they should have the option of using intelligent systems to enhance their efficiency in finding the holes in the cheese.

    • Norman Marks
      November 20, 2017 at 5:52 AM

      Please see the Clarification I added to the post

  6. November 20, 2017 at 4:25 AM

    Thank you, thoughtful as always (my first time commenting).
    I agree wholeheartedly that it is management’s (the 1st line of defense = 1LD) responsibility to identify risks, and therefore such analytics should *primarily* be tools for them to use.
    However, it is a 2LD and 3LD role to poke and prod for robustness, completeness, and of course integration. And to prioritize where their attention is most needed. And I think there is where such predictive analytics, operated by 2LD or 3LD, can be most useful, even though “anticipatory auditing” as term is a bit of a buzzword.
    And (and I know I’m preaching to the converted here), Risk and Audit have important roles to play as centres of expertise, so to the extent such techniques should see more than niche adoption across an institution, they probably need to be champions and advisors in their deployment.

  7. Norman Marks
    November 20, 2017 at 5:51 AM

    Please see the CLARIFICATION I added at the end of the post.

  8. John Fraser
    November 20, 2017 at 6:16 AM

    A few years ago, ‘continuous auditing’ (CA) was being promoted as the way to go. On delving into CA I found it consisted merely of CAATs, which was not new, and designing reports to identify problems (as promulgated above). The latter is clearly management’s responsibility to do continuously, but IA can and should recommend analytics that management should monitor to improve controls. In many cases I would develop the reports (anyone remember Easytrieve?) and then turn the reports over to management to monitor continuously.

    • November 20, 2017 at 8:15 AM

      Yes, I remember ‘Easytrieve’ (and punched cards)! ‘Flunk’ (fetch next record) was one of the most useful commands around.

  9. GSosbee
    November 20, 2017 at 7:54 AM

    Agree totally. Everything in the organization, from employee morale to customer service to shareholder concerns to asset loss to third party actions, should be quizzed at least annually with the results scored; inputted into the organization’s risk matrix; and included in the annual report (or an interim report if requested or if exposure is shown to be spiking) to management and the Board.

    The real issue is in the financial services industry, where the CRO is a defined statutory position, but that position is really an analytical position, not a risk management position. In these instances the CRO’s work product should be included in the risk matrix and the CRO should be reporting to the Chief Risk Executive.

  10. Jeff
    November 22, 2017 at 2:18 PM

    I think risk and internal audit need to achieve a synergy by working very closely together and collaborating. Expecting internal audit to always wait to investigate issues may soon make the function redundant and, as we know, there’s evolution going on. I think the two functions should even share stuff; it’s just there’s a time of year when perhaps they focus on internal audit but otherwise waiting to react – think of the companies that have a separate Fraud investigation department, what then would the role of internal audit in such a place be?

    • Jeff
      November 22, 2017 at 2:22 PM

      *Sorry for the typos*
      I think risk and internal audit need to achieve a synergy by working very closely together / collaborating. Expecting internal audit to always wait to investigate issues may soon make the function redundant and, as we know, there’s evolution going on. I think the two functions should even share staff, splitting times such that there’s a time of year when perhaps they focus on internal audit and continuously on risk, and others continuously on changes in risk. Otherwise waiting to react may not be very useful – think of the companies that have a separate Fraud investigation department, what then would the role of internal audit in such a place be?
