
The role of internal audit in risk management

The IIA has a paper on this subject that is important for all of us. While they have considered updating it from time to time, I think it’s still pretty good. I especially like the guidance on what is acceptable and what is not. For example, it stresses that IA can facilitate a risk assessment, but it is management’s responsibility to identify, assess, evaluate, and respond to risk.

There’s another paper that merits our attention.

Written by thought leaders in risk management (friends of mine), The Future Role of Internal Audit in (Enterprise) Risk Management is a few years old now (published in 2012). Its age matters little, though: much, if not most, of what it says remains valid.

But, thought leadership has moved on and it’s a good idea to revisit the thinking of even the best.

Here are their ten conclusions, with my comments on each:

1. Risk management concerns reducing the magnitude and likelihood of detrimental consequences while enhancing and making more likely the beneficial consequences that might arise from decisions.

Comment: I think risk management thought leadership has progressed further. Risk management is now seen as enabling informed and intelligent decisions that help the organization set and then execute on its strategies. In other words, it enables decisions that lead to the achievement of enterprise objectives. It’s less about managing the risks (the consequences) and more about achieving objectives.

2. The focus of internal audit and other monitoring and review functions should be to provide assurance on the effectiveness of risk management and not just on the effectiveness of controls.

Comment: This is an important distinction. It is insufficient simply to say that internal controls are inadequate (or adequate), or even to say that there are high risk deficiencies. Internal audit needs to communicate its assessment of whether management is appropriately addressing the more significant risks to the achievement of (specific) objectives. But, see additional comments later.

3. Processes for the management of risk must be integrated into an organisation’s system of management to be effective.

Comment: Consideration of ‘what might happen’ should be integral to decision-making. See additional comments.

4. Internal Audit should no longer assess risks on behalf of the organisation. Their role is to assist decision-makers in arriving at the most appropriate treatment of risks and then the monitoring and review of risks and controls.

Comment: I have never believed that internal audit should be relied on to assess enterprise risks. I cannot understand why some say that internal audit should be expected to identify emerging risks. NO!! Those are management responsibilities. Internal audit’s role is assessing how management does them. Internal audit can assess whether management is ‘treating’ risks with adequate and effective controls.

5. Internal audit will obtain planning information for an audit (and for their annual audit plans) from the risk management process done by decision-makers who own and are accountable for the risks.

Comment: That should be both the current and future state. Management should have effective processes for identifying, assessing, and evaluating what might happen as an integral part of decision-making. Once internal audit has assessed those processes as reasonably effective, it should use them as input to its continuously updated (they should not be annual) audit planning activity.

6. ERM and the ISO 31000 risk management standard have evolved cooperatively and will be the basis for risk management in organizations.

Comment: ISO 31000:2017 is useful but not complete (in my opinion) as it barely touches decision-making. ERM needs to evolve into effective decision-making, aka effective management.

7. Effective risk management requires clear expressions of intent and mandate by the Board and top management.

Comment: Risk management is not a siloed activity. The board and top management should insist on informed and intelligent decision-making. That will drive everybody to quality consideration of ‘what might happen’.

8. Evolutionary modifications to the role and practice of internal audit will occur as part of continuous improvement of the framework for the management of risk.

Comment: Both need to continuously improve. Certainly, as risk management is transformed into informed and intelligent decision-making, internal audit needs to rethink its approach. See additional comments.

9. The maturity of risk management should be evaluated and reported on at least an annual basis.

Comment: Internal audit needs to provide its assessment to the board and top management of whether practices meet the needs of the organization, enabling informed and intelligent decisions. I cover this and the use of a maturity model in World-Class Risk Management. But, top management should first provide their formal assessment to the board.

10. Internal Audit has to update its roles and responsibilities to support continuous improvement of and implementation of more effective risk management.

Comment: Internal audit should provide assurance, advice, and insight to improve decision-making. It should remember not to penalize those working diligently to upgrade management’s processes, but instead encourage and be an evangelist for world-class practices.


Now for some additional comments.

Think about this.

If we are stressing that risk management is really all about effective, informed and intelligent decision-making, shouldn’t internal audit start focusing on the quality of decision-making processes?

I am not saying that internal audit should second-guess management’s decisions. I am saying that decisions are what lead to success or failure. So, shouldn’t internal audit assess whether management has reasonable processes to inform those decisions?

Internal audit can identify significant decisions, such as the setting of strategy, the pricing of products, or the hiring of key personnel. Understand how those decisions are made and by whom before assessing whether there is reasonable assurance that they will be informed and intelligent.

Controls come into this because we need controls over the information used in those decisions, and so on.

Risks come in as we should consider what might happen to prevent a successful decision, as well as what might happen under each option considered.

But the conclusion, what is being assessed, is at the heart of effective management and what provides reasonable assurance of the success of the enterprise: is there reasonable assurance that these critical decisions will be informed and intelligent?


Another thought: should internal audit address whether the board and top management have reasonable insights into what might happen in the next year or so (what risk frameworks refer to as changes in the internal and external contexts)? It is only by understanding what might happen that you can start to consider how it might affect the organization (what some refer to as risk identification).


So what is the future for internal audit and risk management – or effective management, for that matter?

I think IA should be thinking about how they can provide the board and top management with the assurance, advice, and insight necessary for success.

That goes beyond the static processes for risk management and controls.

It includes the dynamic activity of management, and the core of management is decision-making.


What do you think?

  1. June 16, 2018 at 7:15 PM


    It’s a while since I read what I and my colleagues wrote 6 years ago and you are right, some of us (maybe all of us) have moved on rather in our thinking. However, while you and I might think differently now than we did six years ago, the recommendations in that article are still not being followed by many (maybe the majority) of organisations who are struggling to see how internal audit and risk management really fit together. Some still seem to be auditing ‘risks’ (Lord knows how!) and many are preoccupied with exercises that check controls linked to a list of risks, revised on an annual basis.

    I also see the word ‘risk’ continually added to many natural aspects of business or the environment to make them somehow ‘special’ and therefore requiring special audits, reviews and controls. So-called ‘cyber risk’ is one of many recent examples.

    In my case, I’ve not so much ‘moved on’ in my thinking, but rather completed the circle and I’m now back where I was 40 odd years ago – helping people make and maintain sounder decisions by getting them to focus on their assumptions.

    I can’t access the IIA paper (the server is down – or maybe it’s ‘cyber risk’!) but I suspect from what I read elsewhere from the IIA, there are still many members of that body who are still not quite up to speed on what we wrote in 2012. This is certainly true of the authors of ISO 31000:2017 and COSO ERM II! However, I can also recall that, initially, the IIA and many in the audit profession really did not want to get involved in any aspect of risk management. At best, they just wanted to use risk assessments (of some sorts) to provide the basis of their audit plans, and that was it. Maybe, it would have been better if they had not been seduced by the ‘R’ word after all?

    I can also remember the push back when we started saying that if risk management was truly integrated, that meant most of its artefacts would disappear: i.e., no risk registers, risk management policy statements, risk assessments etc. Auditors would confront me and say: “what are we going to audit now if these have disappeared”? “How can we do our job”?

    One of the consequences of seeing ‘risk management’ (whatever those words now mean) as just a small, anachronistic part of helping organisations make sounder decisions is that the word ‘risk’ (which has so many different meanings to so many people it’s almost worthless as a concept) is no longer needed – thank goodness. This then inevitably leads to the conclusion that the term ‘control’, which we could never agree was a verb or a noun, is also redundant.

    I’m bracing myself for divine retribution here, but controls aren’t really that special. They are just any features of an organisation’s environment which decision makers assume will help them achieve the outcomes they desire and which they assume will support their organisation achieving its purpose. Put simply, they are just assumptions – like all the others we rely on when we make a decision.

    So, if controls are not that special, really, why do we need to spend so much effort and time checking them? And if so, what should be the role of an IA in supporting sounder decisions? Do auditors have a role when the focus should be about enhancing the dynamic and continuous process of decision making? How can they realistically add value to that?

    Certainly, it seems time the audit profession had a good long look at how it creates value – if it can no longer justify what it does on ‘static’ things it calls risks, and normal aspects of business it wants to label as ‘controls’. Maybe, like me, it’s time to go back to where it started and its original purpose.

  2. Gary Lim
    June 19, 2018 at 7:25 PM

    Dear Norman, in Malaysia IA is still No.1 when it comes to Public Listed Companies and the IA must be a trained accountant. Whilst a Risk Manager can be from ANY discipline, I cannot imagine the IA would want to surrender this top position in the PLC.
    As to ISO31000, imagine I am the ONLY Malaysian trained under the G31000 group as an Approved Trainer; the local IA has no inclination towards ISO31000, and now it’s 2017. If you refer to the BOD, worse, they are clueless about ISO31000 and rely on IA. We still have a long way to go. My guess is no IA would want to share the TOP position in a PLC, even in a developed country.

  3. July 19, 2018 at 5:36 AM

    Hey Norman, Risk Management is something which should be understood by all people, especially those who are Internal Auditors or in Business. This is a very informative article and is also very important for all. Thanks a lot for sharing this.

  4. August 20, 2018 at 10:36 PM

    Well Written Content. Keep it up.


  5. Anonymous
    February 3, 2020 at 3:56 PM


    I work for a corporate company in Las Vegas that is looking for a Risk Management auditing firm. Any suggestions? I’m a fan of your articles…

    • Norman Marks
      February 3, 2020 at 7:28 PM

      Sorry, I am not aware of any with proven abilities.
