Should internal audit perform a risk assessment?

This is a simple question that has many non-simple aspects.

I am not going to deal today with the issue of whether internal audit should be performing a risk assessment when there is a perfectly adequate risk assessment made by management. I have shared my view before that internal audit should (after auditing management’s processes) rely on management’s work as much as possible. However, even when it is excellent, more needs to be done to determine what engagements to perform, as explained in Auditing that Matters.

I am also not going to deal today with the word “a” in the question. I have shared in this blog and in that book why any assessment has to be continuous. It is refreshing that the majority are moving away from relying on the obsolete annual assessment process, instead updating the assessment and the audit plan quarterly or (in a growing number of cases) monthly. But it needs to be continuous. Auditing at the speed of risk (or of the business, if you prefer that term) means updating your plans at that speed as well. Otherwise, you are likely to audit what used to matter, not what matters today or tomorrow.

Today, I want to talk about the four-letter word ‘risk’ in the question.

For most people, the four-letter word refers to events that might happen with an adverse effect on objectives; for others, it’s the adverse effect itself. It doesn’t really matter which definition you choose. Both talk about adverse effects.

The point is whether we need to be identifying and prioritizing the possibilities only of significant adverse effects.

What are we trying to accomplish?

Our objective should be to perform the audit engagements that will deliver the greatest value to our organization.

Let’s break that down a little further.

The value we deliver from our work is derived from the assurance, advice, and insight we provide on the issues that matter to the leaders of the organization (hence the title of my book, Auditing that Matters). We provide them with information that helps them run and lead the organization for success. We don’t provide them with information that doesn’t matter to them, points they can leave to middle or lower levels of management; that has little positive value.

In other words, we want to perform the engagements that will provide leaders with assurance that the organization’s people, processes, and systems will function as needed to both create and protect enterprise value – so that the objectives of the enterprise are achieved – and advice and insight to make improvements where needed.

What is the relationship between ‘risk’ and the engagements we seek to perform?

In theory, you start with objectives and then identify risks to those objectives. From there, you see where those risks may arise and which are the controls that address them. At that point, you can decide which audit engagements to perform because you are assessing and testing the controls over the risks; you are not really auditing the risks per se.

But this is exclusively focused on the harmful things that might happen.

What about providing assurance over the good things that might and must happen if the organization is to succeed?

Why should we only provide assurance regarding preventing or mitigating bad stuff, in other words protecting value?

Why can’t we provide assurance that opportunities to create value will be taken?

The IIA’s suggested Mission for Internal Audit starts with this key phrase:

“To enhance and protect organizational value….”

Do our ‘risk’ assessment processes help us define engagements that will provide assurance that organizational value will be not only protected but enhanced?

As CAE, I talked about a ‘risk and value’ assessment rather than simply a risk assessment. By value, I meant to identify the engagements that would have the greatest value to our leaders. What I had in mind was that for some high ‘risks’, management was not only well aware of them but was actively working to address them. In those cases, an audit engagement would be of little value. In addition, my plan included audits of the controls relied on to create value, not just protect it.

That’s better than a straightforward and traditional ‘risk’ assessment.

But there’s a better approach.

  1. Understand the business
  2. Understand the goals and objectives of the board and the management team
  3. Identify the challenges facing the organization today, tomorrow, and going forward
  4. Define the audit engagements that will provide the assurance, insight, and advice leaders need – the ones that will provide the information they need, when they need it

That approach doesn’t use the ‘r’ word at all.

What do you think? Do you agree with me that we need to stop thinking about a risk assessment; that instead we should be thinking about which audit engagements will provide the assurance, advice, and insight that leaders of the enterprise need?

POSTSCRIPT

After reviewing and responding to comments (thank you) here and on LinkedIn, I want to add some points:

  1. While value is created by an internal audit risk assessment in many cases, our objective is not a perfect risk assessment (however you define it). Our objective is to identify the audit engagements that we need to perform if we are to add the most value to our organization.
  2. If we focus on the identification of the best audits to perform, we might avoid spending unnecessary time creating and then updating a risk assessment.
  3. One of the challenges voiced by many in making sure we are focused on audits that address risks/opportunities/challenges facing the organization today and tomorrow is the need to update the risk assessment continuously. But if we replace questions about the risk assessment with questions about which audits we should perform next (considering changes in the business, both internal and external), we can minimize that additional work.
  4. In my organizations, we replaced a static audit plan with one that had a fair degree of certainty up to three months ahead, but recognized the uncertainty in what might change in the business and therefore in our auditing further out. This was communicated to the audit committee; as experienced and sensible people, they acknowledged its wisdom.
  1. John Fraser
    May 9, 2020 at 5:00 PM

    Assuming that there is a credible ERM function/process in place, IA needs to provide assurance that the ERM processes are effective, and they also need to validate that the key controls that management assumes to be working in their RA are in fact effective, but also IA should be able to some extent opine on whether the company-wide RA done by the ERM and management teams are reasonably stated and that they are not aware of any major discrepancies. To your point about continuous, every internal audit according to the COSO framework should be concluding about the adequacy of management’s RA process for the area/function reviewed.

    • May 9, 2020 at 11:09 PM

      John, stripped of all the jargon and acronyms, the ultimate purpose of whatever ‘ERM’ and ‘IA’ are meant to mean or be, can surely only legitimately be that the organisation makes the best decisions it can. That is because the only way that organisations can pursue their purpose is to make (and implement) decisions to take advantage of opportunities, and the only way it can achieve its purpose is by ensuring that the decisions are the best that can be made. This has always been so (long before anyone uttered the ‘a’ or ‘r’ word) and always will be so (long after the ‘a’ and ‘r’ words disappear from the business lexicon …… hopefully, a milestone that is not too far away). And yet decision-making is not the focus of either ERM or IA and never has been.
      As Grant Purdy and I say in our recent book ‘Deciding’ (which Norman kindly introduced here in his 25 April blog) organisations will have more success in pursuing their purpose if they consistently make ‘even better’ decisions.
      In describing what we contend is a universal method of decision-making (i.e. the method used by all ‘Deciders’ whether they realise it or not) we have attempted to explain how to excel in applying each element of this method as it is this – decision-making skill – that is the only way organisations and their ‘Deciders’ can determine their success.
      All those responsible for governance need have confidence about, is how well this method is being applied by the many Deciders across the organisation. In the same way that sales, RoI etc are visible to the governance team (because they bother to look) so too is the quality of decision-making easily discernible especially if those involved in governance and management themselves, excel. Trying to contract-in reassurance, rather than looking themselves, is an easy (but generally unsuccessful) cop out.
      Ensuring consistently good decision-making is analogous to manufacturers or service providers achieving the intended levels of performance of their product (i.e. delivering ‘quality’). In the 80’s, those efforts switched from checking the final product and throwing out the duds, to focussing on design and execution of each of the steps of the process through which those products were made (in the understanding that dud products are the outcome of dud processes and good products are the outcome of good processes). So too must the focus of organisation performance monitoring, switch to the quality of decision-making.
      So the message is, whether it is the board and management (or the cop-out of using a hired gun – however they may be described) just look at the people who are making the decisions and their decision-making skills. As we say in ‘Deciding’, it is a tricky business being a Decider so helping them individually and institutionally to make decisions is where the effort should go. Not in irrelevant ‘r’ and ‘a’ stuff with the associated focus on failure and checking for duds at the end of the decision production line.

      • Norman Marks
        May 10, 2020 at 6:57 AM

        Roger, thank you for your comment,

        As I said in my reply to John, effective decisions are fueled by reliable, current, timely, and useful information. That is why I consistently use the phrase ‘informed and intelligent decisions’. Informed refers to having the information necessary and intelligent refers to having the decisions made by the right people using an appropriate process, etc.

        There is a place for a periodic list of specific things that might happen, not only for inclusion in reports to investors but also because of their potential to affect multiple aspects of the organization.

        So while ERM (or whatever it is called) has to fuel the decisions that are made at all levels of the extended organization every day, there is also a need every so often to (as John put it in a comment to me) “take stock” and make sure we are prepared to address events such as a recession, flood, competitor action, or other event or situation.

        There is one more point I should make, which might be a topic for a second book by you and Grant: Deciders need to know whether they are likely to achieve their strategic objectives. In the book, you talk about achieving the purpose of the organization, but people measure success using objectives or similar for the next period. The long-term achievement of the purpose is commendable, but you measure that a step at a time, a period at a time.

        This is typically not part of an ERM program, but it probably should be and that is what I advocated in World-Class Risk Management and subsequent books.

        Leaders need to know whether, considering all the things that might happen (some call these risks) they are likely to achieve their objectives. Is that likelihood acceptable? What can be done to increase either/both the extent and likelihood of success?

        This is achieved by integrating ‘ERM’ and performance management. Where are we today against each objective and where do we project being at the end of the period? What are the likelihoods of falling short, achieving, and exceeding targets?

        Decisions every day are the tactics of the organization. But they have to be against the overall strategy and ensure that the likelihood and extent of strategic success are acceptable.

        Thank you for the book as well as your contribution to this discussion.

        • grantpurdy
          May 10, 2020 at 7:09 PM

          Norman,

          There is a lot here to discuss but I’ll just concentrate on one point you make. We chose to talk about Purpose because the word is used with its ordinary meaning – the highest expression of the reason an organisation exists.

          In an ideal world with perfect strategic and business planning processes, an organisation’s highest ‘objectives’ would be rolled down in a congruent manner to form fully consistent subordinate ‘objectives’. However, this seems rarely ever to be the case.

          As a common example, although the only reason organisations undertake projects is to grow value and hence get a return on their investment, few projects measure or report themselves against investment return or value creation. Invariably project ‘objectives’ only relate to budget and schedule performance which rarely correlate with maximising value creation. This isolationist view is sponsored by project management professional bodies.

          Then there is the vexed question of what is an ‘objective’? I’ve found as many definitions of this word as there are strategic planners. For example, there seems to be no consistent view on what is an ‘objective’ or a ‘strategy’.

          It is surprising that in many organisations there seems no precise understanding of Purpose – that is shared across all of its Deciders and those involved in related conversations. This is the first stumbling block to having a coherent conversation about a decision – and is the reason we suggest that it is good practice to clarify Purpose at the beginning of these conversations. We also suggest a simple way to do this.

          We all know of organisations where there was not a shared view of Purpose and the inevitable, miserable outcome. As an example, I once worked for a very large resource company (mining, gas and oil) that also owned a development facility for rotary engines, an ‘outward looking’ advertising bureau, a couple of housing (for non-employees) companies, a few golf courses and an insurance company offering retail products. This was all at a time where there was massive destruction of shareholder capital.

          • Norman Marks
            May 11, 2020 at 6:58 AM

            Grant,

            I agree with you that many if not most are not good at setting and then communicating their objectives for the period. That’s a defect I have pointed out in this blog and in my books.

            But that doesn’t mean that they have not established metrics and measures by which they and the board measure their success – and based upon which their compensation is set.

            While it is wonderful in an ideal world to base decisions on the ultimate Purpose, that is not IMHO practical. But understanding how their decisions might affect the CEO’s bonus is.

            • grantpurdy
              May 11, 2020 at 5:36 PM

              Norman,

              I’m rather flummoxed by what you said here.

              Are you really suggesting that organisations progress by making decisions that are not aligned with them achieving their purpose? I would certainly hope the CEO’s bonus was also linked to the organisation achieving what it sets out to do – as recognised by its Board.

              Of course, as I’ve suggested, communications down the organisation and especially when planning occurs, might not be as effective as they should be. This is why we suggest that all conversations leading to a decision start with a discussion and agreement on Purpose.

              • Norman Marks
                May 11, 2020 at 5:44 PM

                Grant, that is precisely what I am suggesting. The Purpose is usually some aspiration while for each period the path to that Purpose is defined by SWOT objectives for the period.

                For example, the purpose for a bank I did work on in the Caribbean was along the lines of generating profits and increasing its services to its targeted customers.

                Each year, targets were established that included revenue, customer satisfaction, profits, and so on.

                A state government agency had a purpose of keeping the state’s financial assets safe with nominal growth.

                It also had objectives against which management performance was measured.

                It is so much more effective to consider a decision and whether it will help the organization achieve the objectives for the period, rather than some longer term Purpose.

                Those are what they managed to.

                • Norman Marks
                  May 11, 2020 at 5:45 PM

                  BTW, I still believe your book has great value and am pleased to see so many people buying and praising it.

                  • May 11, 2020 at 11:13 PM

                    Thanks for your kind comment above Norman.
                    Just in relation to your previous comment concerning Purpose, it seems to me that it is axiomatic that every organisation exists for a purpose….which ultimately is what it is and, typically, is enduring. You might recall that our book has a cautionary word about spin-doctor drafted ‘vision’ etc statements which might sound great but don’t actually reflect the purpose which, as Grant has explained, is the highest expression of the reason for existence. (In statutory organisations, of course, the purpose is normally specified in its empowering legislation.)
                    For these reasons I have a problem with any contention that success is measured against targets. That’s what caused the GFC. The point is that whether it is strategies, targets or any other road markers, they are all the consequence of a decision. The disconnects between purpose and strategy that occur too often, are the consequence of lousy decisions. There can surely be no merit at all in achieving targets that don’t reflect Purpose.

                    • Norman Marks
                      May 12, 2020 at 6:48 AM

                      Roger, I heartily agree that if you set the wrong objectives, especially sacrificing longer-term Purpose at the altar of short-term profits, there’s a problem.

                      I would rather fix that first.

                      Making decisions against achieving Purpose when the CEO and his or her team are compensated on something else won’t work well in practice.

                      That’s my opinion and I respect yours.

    • Norman Marks
      May 10, 2020 at 6:52 AM

      John, I agree and have said the same thing for years,

      The trick is that any assessment of ERM has to be against whether it provides the information needed by leaders of the organization and (to use the term coined by Grant and Roger) Deciders.

      Unfortunately, most assessments (and too few assess ERM) are against the framework that management has determined is the basis for their ERM.

      While I can understand assessing against the principles in ISO 31000:2009 (which are better than those in the update; the COSO ERM principles are not only too many but not all are necessary), it is better to assess against one of these related questions:

      1. Does the ERM program meet the needs of the organization for information about what might happen, enabling informed and intelligent decisions?
      2. Does ERM make a significant and essential difference to leaders setting and then executing on strategy?

      In performing an assessment, I strongly recommend the use of a maturity model, such as I provided in my books.

  2. May 9, 2020 at 7:45 PM

    Another outstanding post, saying what should be said. The argument is good and important, and should be made regularly, as Norman makes it.

    At the same time, I feel it is necessary to mention some likely qualifications. Internal auditors must ask where they can provide the most value to their audit committee clients. The best answer will often include a focus on the negative side of uncertainty: assurance that the likelihoods of the worst outcomes are acceptably low. A common reason for that result is that the plus side gets a lot of other attention already, whereas the negative side gets less. It is important for auditors to ask and to answer questions about that negative side, when no-one else does.

    A further side qualification is that in my world, there are rarely management risk assessments (regardless of vocabulary) that are fit for any sort of reliance by auditors, with or without good intentions or an ERM function. ‘Risk management’ is generally not done the Norman Marks way in the real world, and generally does not deliver results fit for planning audit assurances. I expect the same applies in many places around the real world, not only in my real world. That isn’t to say that management don’t manage risks well – generally they do – but they won’t reveal their competence in a formal ‘risk assessment’, nor in the vocabulary of ‘risks’ and ‘controls’.

    So while the argument for a positive assurance approach is absolutely correct, the negative side of uncertainty must be considered as well. That consideration will very often lead to audits focusing on ‘risk’ as the possibility of unpleasant surprises, even if ‘risk’ properly includes all of the effects of uncertainty on all objectives.

  3. grantpurdy
    May 9, 2020 at 8:08 PM

    Norman,

    I know the True Believers will be calling me to be burnt at the stake but have to question why we have something called ‘Internal Audit’ at all.

    An organisation (only) achieves its purpose by making decisions based on opportunities and it is for decision-makers to decide what is monitored – while they are making a decision. This monitoring activity might involve using internal or external resources, but the decision maker has to decide what is monitored, by what means and by whom.

    Therefore the people who do monitoring should only focus on what they are told to look at, not what they think are the organisation’s ‘risks’ (whatever they are) or ‘controls’ (equally ambiguous and confusing). Why organisations continue to allow these monitoring ‘agents’ to invent their own work plans using a whacky process separate from that which drives value creation beggars belief.

    Monitoring by checking should be a dynamic activity driven by the need to ensure decisions are delivering desired outcomes and that those outcomes remain sufficiently certain, even if elements of context and the assumptions change. Executing an ‘annual audit plan’ driven by a ‘risk register’ seems a pretty pointless and wasteful activity!

    Following this logic easily leads to the conclusion that ‘internal audit’, like ‘risk management’, is also a self-serving activity based on an exclusive ‘belief system’ where auditors are only answerable to some deity.

    • May 10, 2020 at 6:36 AM

      Grant, I disagree with your statement, ‘An organisation (only) achieves its purpose by making decisions based on opportunities and it is for decision-makers to decide what is monitored – while they are making a decision.’ If an organisation’s primary purpose is to stay in existence, it will achieve this both by pursuing opportunities and mitigating risks. If you follow your logic, an organisation wouldn’t bother with anti-virus software, for example, since it wouldn’t contribute to achieving its purpose.
      Following my logic easily leads to the conclusion that an internal audit department properly focussed on objectives, which reports to the board on the state of decision making and control of risks, ‘adds value’. As an internal auditor, I worked for many bosses – I can assure you they weren’t a ‘deity’.

    • Norman Marks
      May 10, 2020 at 7:21 AM

      Grant, I also disagree with your argument.

      It is true that if we never got sick, we wouldn’t need doctors or hospitals. If our cars never ran out of petrol/gasoline, we wouldn’t need service stations.

      In real life, things don’t always work as well as the board and top management want (or believe) them to work.

      Internal auditors can take the temperature of the organization body and identify symptoms of disease. It can provide advice on how to avoid getting sick or to recover from illness.

      You have had a long and outstanding career. I doubt that you have worked in an organization where internal audit was recognized by the board and management as making a significant contribution to their success.

      They may be relatively rare, but they exist.

  4. Pascal Duport
    May 9, 2020 at 11:08 PM

    Risk is implied in your sentence: « Identify the challenges facing the organization today, tomorrow, and going forward ». Since we don’t know the future and can therefore only speculate, we have to consider scenarios with various likelihood of occurring and positive or negative consequences associated to them. That’s risk analysis!
    I would rather take the time to explain risk concepts than try to get rid of the term just because some people don’t understand or feel uncomfortable with it. The investment will some day pay off.

    • Norman Marks
      May 10, 2020 at 7:22 AM

      I understand your point.

      Mine is that we have lost focus on what we are trying to achieve.

      We do better by focusing on identifying the right engagements than on producing and maintaining a perfect risk assessment.

      Do you agree?

  5. John Fraser
    May 10, 2020 at 3:26 AM

    Roger and Grant, I have the highest regard for you two gentlemen but maybe my 50 years in audit and of monitoring decision makers has shown me different experiences than it has you. It would be wonderful if management was as altruistic and able as your expectations suggest. However, I have seen incredible horror stories about bad or non-existent decision making by executives, as I am sure every competent internal auditor and CRO has, to defy belief. And all CAN be traced back to poor decision making for a variety of reasons. Just to name a few examples: having no business recovery plan, not patching cyber security issues promptly, fraudulent valuing of derivatives to increase bonuses, having no one responsible for the chaotic purchasing function, etc etc ad nauseam. Wise executives and boards do work with IA to ensure aligned objectives, however too many do not…

    • grantpurdy
      May 10, 2020 at 6:15 PM

      John,

      I fear I have just been unlucky to mostly encounter audit plans based on pseudo science (‘inherent risk’, anyone?) and ‘risk assessments’ developed in isolation of management and the board. IIA guidance on this has been pretty dreadful over the years.

      Then, of course, there is the resource issue, where audit companies (in particular) send in junior staff with little real experience to check ‘controls’ and to interview senior managers.

      It would be wonderful if we were able to deploy checkers of experience and calibre that can proactively examine decision-making processes, challenge senior decision-makers and bring about improvements through persuasion. However, in most organisations we only seem to do that AFTER a disaster and not before.

      I’m reminded that only about 5% of frauds are detected through an audit process. Most are detected after the event or through ‘whistleblowing’ processes.

      Maybe the problem here is non-wise and lazy executives and boards? Their decision-making on resourcing or outsourcing a checking activity and their decisions on and involvement with the direction and focus of it is what should be examined!

      • Norman Marks
        May 11, 2020 at 6:55 AM

        Grant, I concur that the external auditors send in teams where the most senior person (a senior manager) is in his mid-twenties and has no experience within an organization. Even the partner rarely has experience outside his or her firm and is an expert only in financial reporting.

        But that is not the case with the majority of internal audit functions.

        The majority have leaders and staff with practical experience and open minds.

        It is true that few frauds are detected by internal auditors, but then few are detected by controls!

        But that doesn’t mean that there aren’t many IA teams that do excellent work.

        • grantpurdy
          May 11, 2020 at 5:43 PM

          Norman,

          At one time the Head of Internal Audit in a very large company and I agreed a strategy to improve the ‘credibility’ of the Internal Audit team and avoid it becoming a career ‘backwater’. We suggested to senior management and to HR that a 1 – 2 year secondment in IA should be a necessary precondition to promotion for middle managers.

          This was based, in part, on a prior, successful policy to staff the RM team with people drafted from the business.

          The response from three separate groups was the same and was most illuminating. It was vetoed by senior management and HR – as a waste of valuable resources. It was also strongly opposed by the existing IA team for reasons we could never understand.

          • Norman Marks
            May 11, 2020 at 5:51 PM

            Grant, I am sorry that you never had the opportunity to work at Hydro One or Tosco, both of which had departments that had enormous credibility with not only the board but senior and operating management. I am sure John and I were not the only ones to run IA functions that were seen as hugely valuable.

            Having said that:

            Just as traditional ERM functions rarely rise to the level of being seen as essential to success, many traditional internal departments (for example, those who still perform cyclical audits) are similarly check-the-box activities in management’s eyes.

            Fortunately, significant progress is being achieved (faster than with so-called risk management).

            Maybe this is why I write my books!

    • May 10, 2020 at 8:45 PM

      Thank you John.
      I hope those who read ‘Deciding’ will appreciate that neither Grant nor I are evangelists driven by some altruistic desire for organisations to succeed. As far as I am concerned, every organisation can make its own choices. I have always thought that. I remember as a young fire engineer being asked by the owner of a factory with lots of rack storage whether I would recommend installing fire sprinklers. I said that it would depend on whether they wanted to have a big fire or small fire and that I could help with either. He blinked. But he got the point. Years later, when I headed up my country’s fire services I was asked by a journalist whether I thought people should install smoke alarms in their home. I answered by saying that I had no idea because I didn’t (and couldn’t) know whether they cared about the lives of their children and elderly parents. But I went on to add, that because of the speed with which dwelling fires develop, if they did care, they would need to know about the fire from the first appearance of flame because that would then give them just 75 seconds or so of survivable conditions to get out. This could only be assured with automatic detection and alarm (and a family contingency plan for making the most of the 75 seconds). That was our consistent public message. ‘Protect what YOU value.’ Such was the optional uptake of smoke alarms in single family dwellings from this campaign that within two years, the incidence of fatalities from accidental fires in dwellings dropped by about 60% nationwide.
      My experience has always been that the more you leave the problem where it belongs, the better decisions get made. So, if you want to make good decisions, acquire the skills – don’t hire someone to discover that you don’t have the skills.
      All we have attempted to do in our book is to write for those who wish to succeed in pursuing their purpose. We go no further in the advocacy stakes than pointing out that success is wholly dependent on recognising opportunities and making sound decisions to take advantage of those opportunities. Hopefully, for those who opt to become good decision makers, ‘Deciding’ will help. As you know, part of that guidance includes anticipating future variance and factoring that into the decision. Organisations (and Deciders) can take it or leave it – although not if they are seeking sufficient certainty of success.

  6. Norman Marks
    May 10, 2020 at 9:40 AM

    Please see the POSTSCRIPT and additional points at the end of the post.

  7. Marinus de Pooter
    May 11, 2020 at 3:23 AM

    Thanks for your thoughts, Norman.

    The better the quality of the available information, the better the quality of the decisions made. In practice, the decisive element in assessments is the fact that decision-makers have to deal with potentially conflicting needs and interests of their different stakeholders.

    Decision-makers always have to balance interests. Take for example a purchase transaction. What do key stakeholders value?
    Low prices, reliable delivery times, quality of goods and services, doing business with non-criminal suppliers, low emission transportation, absence of slavery in the supply chain, products that do not harm the health and safety of employees and consumers?

    In my view the focus should be on the quality of the decision-makers in every assessment. To the extent that they lack competence and integrity, the quality of their decisions will be accordingly.

  8. Ammar Ahmed
    May 14, 2020 at 2:02 AM

    Thanks, Norman, for yet another thought-provoking piece. I beg to differ with your last question and conclusion. In my view, whether you call it a ‘risk’, ‘value preservation’, or whatever, as long as the IA professional understands what it means it serves the purpose. “What do you think? Do you agree with me that we need to stop thinking about a risk assessment; that instead, we should be thinking about which audit engagements will provide the assurance, advice, and insight that leaders of the enterprise need?”
